Overall Satisfaction with AlienVault Unified Security Management
We deployed AlienVault for use by our technical operations groups to log mainly the company's infrastructure components (servers, firewalls, routers, switches, etc.), aggregate the logs, and then do some cursory built-in correlation and alarming. Now that we've adapted to the product and my team is expanding, I'm looking to move to providing logging as a service to the rest of the company, such as application and debug-level logging for production and QA/dev environments.
Pros
- Centralizing and aggregating logs from sources of all types
- Searching through real-time and long-term events
- Flexibility and customization (Linux OS with open source tools, open for whatever hacking you desire)
Cons
- Performance is not great at more than 300 EPS; the bottleneck appears to be MySQL disk I/O
- Dashboards are decent to customize, but are lacking
- UI and services aren't always stable or predictable; when adding a new plugin, it sometimes takes something like a reconfig command at the CLI for the change to stick
I looked into Splunk and QRadar, but they were way too expensive and the reviews weren't always great. I used McAfee ESM extensively at my prior job, and the product is probably the worst in the SIEM space. We moved to AlienVault from ELK which, while a cool product, didn't do any security event correlation and has terrible search, log review, and export. AlienVault is the only major SIEM comprised of over 200 open source tools I'd want to use anyway, so it does more than any other SIEM with its HIDS agents, vulnerability scanning, asset discovery, etc. The included Open Threat Exchange subscription is also a major plus.
I've only used AlienVault in an environment monitoring around 1,000 nodes and with the all-in-one appliance. My first thoughts are that this product is great for companies our size and smaller, but with the advanced configurations of branched-out sensors and servers (at higher cost), it may be scalable for larger companies as well. It does what other SIEMs do but is more hackable and friendlier to the power analysts who need to correlate lots of data.