System administrators looking to extend their logging capabilities, or security professionals needing to gain deeper insights into their computing environments, might start their search with the CorreLog Server. Coming in at a lower price point than other SIEM solutions, this product isn't as flashy as some other tools, but we found it works quite well.
The product was delivered to us as a self-extracting zip file. Upon running the executable, the product was extracted to a folder and several Windows services were registered. The product is completely contained within the initial extraction folder. We did have to manually create firewall rules to allow TCP port 80 and UDP port 514 traffic in - as the product did not create those rules during installation - but, outside of that, installation was extremely simple. Once installation was complete, we pointed several log sources toward it and message information began appearing within the product's web interface.
A pure software solution, the tool's system requirements scale with the number of messages it receives. Each server can handle more than 2,000 messages per second, with support for bursts of up to 5,000 messages per second and no hard upper limit on the number of devices sending it data. It can also function as a log collection agent - gathering data, filtering it and forwarding it to an upstream collector - so collection can be tiered, making the product almost infinitely scalable. Besides accepting syslog data, the product will also accept SNMP traps, and it attempts to translate those messages into a more readable form, making them easier to understand. Additionally, the offering extends the syslog protocol itself: users can define their own facility codes or override existing ones, which makes it possible, for example, to assign a higher severity code to a particular message than the original product vendor intended.
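To make the facility and severity override concrete, here is an added example (not CorreLog's code; its facility names, override rules and sample message are constructed for illustration) that decodes the syslog PRI field into facility and severity, applies a site-defined severity override to matching messages, and re-encodes the line. Severity is only ever escalated, never downgraded, so an override cannot hide a message the sender already marked as urgent.

```python
import re

# Standard syslog facility names; 16-23 are the local-use facilities that a
# deployment is free to rename for its own sources.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed, site-specific names for local-use facilities (hypothetical).
CUSTOM_FACILITY_NAMES = {16: "firewall", 17: "vpn"}

# Constructed override rules: (pattern matched against the message body,
# severity to escalate to). Severity 0 (emerg) is the most severe, 7 (debug)
# the least, so a lower number means more urgent.
OVERRIDES = [
    (re.compile(r"Failed password for"), 2),   # treat failed logins as crit
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line):
    """Split a syslog line into (facility, severity, body); PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing or malformed PRI field")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest PRI the facility/severity scheme allows
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, m.group(2)


def facility_name(facility):
    """Prefer the site's custom name, then the standard name, else a placeholder."""
    return CUSTOM_FACILITY_NAMES.get(facility, FACILITY_NAMES.get(facility, f"unknown{facility}"))


def apply_overrides(line):
    """Re-encode the line with the first matching override's severity, never downgrading."""
    facility, severity, body = decode_pri(line)
    for pattern, new_severity in OVERRIDES:
        if pattern.search(body):
            severity = min(severity, new_severity)
            break
    return f"<{facility * 8 + severity}>{body}"
```

Running `apply_overrides` on a constructed `<38>` (auth.info) failed-login line yields `<34>` (auth.crit), while a line already at `<33>` (auth.alert) is left untouched.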
The solution comes with the redistributable Windows Tool Set, which adds syslog functionality to Windows servers. This enables the product to capture data from Windows Event Logs, as well as any streaming Windows log file - for example, IIS logs. Configurable alerting and customizable actions can be set up using several built-in functions, such as relaying data to an upstream collector or creating a ticket in the product's built-in ticketing system. Also, custom scripts can be triggered or executables launched, providing endless flexibility in creating automatic responses to captured log messages. Several flexible reporting options are also available.
CorreLog provides good documentation for its product. A number of guides are available, including quick-start, administration and advanced correlation features guides, as well as a separate manual documenting the Windows Tool Set. Each document is distributed as a PDF that is well detailed and organized, with bookmarks, screenshots and diagrams where appropriate.
CorreLog Server starts at $5,000. One year of standard support (phone, email and web assistance Monday through Friday, 6 a.m. to 6 p.m. EST) is included, and is priced at 20 percent of the current list price afterwards. The premium upgrade (24/7 assistance) is 25 percent of the current list price.