6 Replies Latest reply on Apr 4, 2016 3:18 PM by andy777

    ELM without ESM

    bytecod3r

      Hi,

      We have a customer who wants a log management solution only. Is there any way to set up ELM and ERC only without buying ESM? I know all the ELM management tasks are done in ESM. Are there any commands or scripts with which we can configure ELM and add devices to it without using ESM?

      Thank you so much.

      -Saeid

        • 1. Re: ELM without ESM
          arek.macak

          Hi,

          As far as I know it's not possible, since you will not have the ability to manage the ELM - it doesn't have any interface. Do you really need ELM just to store raw data? Maybe you should consider "ELK"?

          --

          Arek

          • 2. Re: ELM without ESM
            bytecod3r

            Hi,

            We want to propose ELM because its EPS is much higher than an ELM combo box; also the customer has a limited budget and they can't buy separate ELM and ESM. What they exactly want is log management and not a SIEM; since McAfee does not have a log management solution, we wanted to use ELM.

            BTW, what is ELK?

            Thanks

            -Saeid

            • 3. Re: ELM without ESM
              arek.macak

              Hi Saeid,

              ELK is the trio of Elastic, Logstash and Kibana; it's also quite a powerful solution.

              --
              Arek

              • 4. Re: ELM without ESM
                bytecod3r

                Hi Arek,

                I know Elasticsearch, but I have no idea how to integrate it with ELM. Do you have any resources? Can it be done?

                Thanks

                • 5. Re: ELM without ESM
                  arek.macak

                  No no, I wasn't thinking about integrating ELK with ELM but rather starting only with ELK. I think it's also quite a powerful solution, especially when the customer wants to store only raw data without correlation.

                  • 6. Re: ELM without ESM
                    andy777

                    It is not possible to operate an ELM without an ESM and Receiver. The reason the ELM operates at a higher EPS is that all of the analysis takes place on the Receiver, ACE and ESM, so the ELM just archives and searches files. The work still needs to be done; the EPS is going to vary based upon the resources/appliances we can divide the work between.

                    ELK (Elastic/Logstash/Kibana) consists of 3 open source tools that work together to provide a full-text search engine that can be used for logs. Elastic is the underlying data storage and is similar to a NoSQL database. Logstash operates like a Receiver and is used to move the logs from the data sources. Kibana is the lightweight interface.

                    It's helpful to start at the customer's requirements (compliance, auditing, operations, etc.), determine what use cases support those requirements, then look for the tool that can technically support the use cases. If all of the use cases can be met with a "log management" product, you might be able to meet the need with just a syslog server and a few scripts.

                    Beyond that it becomes a question of volume and how that data is managed. If there is a greater need for query and visualization but not a requirement for correlation or analysis, then something like ELK might be a good fit. It definitely requires some up-front customization and work as well.

                    And the next step is correlation and other types of data analysis, and now you're back to a SIEM.

                    While it doesn't seem to be a factor in this situation due to the customer's request, it's worth noting that the ELM is undergoing some big changes that will extend the functionality to be very similar to that of an ELK stack, but I believe an ESM will continue to be a necessary part of the solution.
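The "syslog server and a few scripts" option from the reply above, as an added example that is not code from this thread, from McAfee or from the ELK project: a small Python script that normalises RFC 3164 syslog lines into JSON records and chains each record to the previous one with SHA-256, so that an edited, dropped or reordered record is detectable. That tamper-evident archive is the property a pure log management tier has to provide even without correlation. The sample lines and the hostnames in them are constructed; in a deployment the lines would come from a syslog listener or a spooled file rather than the inline list.

```python
import hashlib
import json
import re
from typing import Iterable, List, Optional

# RFC 3164 style line: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message"
# PRI encodes facility * 8 + severity; 191 is the largest valid value.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input (hostnames and addresses are made up; 203.0.113.0/24 is a documentation range).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 4242 ssh2",
    "<13>Oct 11 22:14:16 web01 nginx: GET /index.html 200",
    "this is not a syslog line",
]


def parse_syslog(line: str) -> Optional[dict]:
    """Parse one RFC 3164 line into a flat dict, or return None if it is not syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
        "raw": line.rstrip("\n"),
    }


def _digest(record: dict) -> str:
    """Canonical SHA-256 of a record (sorted keys, no whitespace) without its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def archive(lines: Iterable[str], prev_hash: str = "0" * 64) -> List[dict]:
    """Normalise lines into records and link them in a hash chain.

    Lines that do not parse are kept verbatim (flagged "unparsed") rather than dropped,
    because a log archive must never silently lose input.
    """
    records = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rec = {"unparsed": True, "raw": line.rstrip("\n")}
        rec["prev"] = prev_hash          # link to the previous record
        rec["hash"] = _digest(rec)       # covers every field including "prev"
        prev_hash = rec["hash"]
        records.append(rec)
    return records


def verify(records: List[dict], genesis: str = "0" * 64) -> bool:
    """Recompute the chain; any edited, dropped or reordered record breaks it."""
    expected_prev = genesis
    for rec in records:
        if rec.get("prev") != expected_prev or _digest(rec) != rec.get("hash"):
            return False
        expected_prev = rec["hash"]
    return True


if __name__ == "__main__":
    chain = archive(SAMPLE_LINES)
    for rec in chain:
        print(json.dumps(rec, sort_keys=True))
    print("chain intact:", verify(chain))
```

Writing the records as one JSON object per line keeps them greppable and easy to ship into Elasticsearch or any other store later; the chain head (the last `hash`) is the one value worth copying somewhere the log host cannot overwrite, since with it `verify` detects changes to the archive file itself.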