CorreLog Enterprise Server v5.2.0
Strengths: Easy to install and full of features.
Weaknesses: Macro writing requires specialization often unavailable in small organizations.
Verdict: Interesting approach to SIEM.
CorreLog Enterprise Server combines real-time log management with correlation, auto-learning functions, high-speed search, ticketing and reporting services. The software can be installed in minutes on a Windows host with at least 512 MB of memory and enough disk space to store the log files. CorreLog can work either independently of or alongside other SIEM technologies to improve threat management and incident response. The tool is designed to be as simple as possible to install and operate, and it is an excellent entry point into SIEM for small to mid-sized enterprises, since it includes the basic elements of an enterprise-class SIEM.
CorreLog has an unusual automated workflow: from event message to correlation to alerts to tickets. The alert functions use auto-learning, intuitive thresholds that keep setup and tracking simple. Logs and messages are encrypted and hashed to help ensure the data is authentic. Another winning feature is the full scripting facility for launching functions and third-party applications. CorreLog provides auditing and forensic capabilities for organizations that must meet the SIEM requirements set forth by PCI-DSS, HIPAA, SOX, FISMA, GLBA, the National Credit Union Administration (NCUA) and others.
CorreLog freely distributes versions of its Windows Agent and Windows Tool Kit (WTS) to give Microsoft 200x, XP, Vista and Windows 7 platforms standard syslog capability. This non-intrusive, feature-rich, standards-based agent is distributed free of charge to all interested organizations to help advance the state of the art in SIEM and systems management.
CorreLog provided a number of printed documents, as well as a collection of 33 PDF documents that covered installation, configuration and operations. Other material provided excellent insight into the philosophy and methodology employed by the company in the development of its CorreLog Enterprise Server. Installation took less than a minute to get the system up and running. Agents were deployed by logging into the target systems and launching the URL that was created on the CorreLog server.
Selecting the "View Catalog Statistics" link opens a display that includes critical alert threshold hints, standard deviations from the average and more. For the analytical user, this is an excellent resource. Ticketing uses groups that can be populated by IP address or via a correlation list macro. The macro function allows user-defined macros to be created or edited. There is no doubt this product takes a completely different approach from most other SIEM solutions, but it is a tool worth looking into.
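To make the "threshold hint" idea concrete, the following is an added example, not CorreLog's own code and not a description of how its catalog statistics are implemented. It parses a handful of constructed BSD-style syslog lines (the hostnames, IPs and messages are made up), counts events per host, and derives a per-host alert threshold as the historical mean plus a multiple of the standard deviation, which is one common way such a hint is built; the prior-window history is likewise constructed, and the `k` and `floor` parameters are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed sample syslog lines (BSD-style); hosts and messages are made up.
SAMPLE_LOGS = """\
<34>Mar  9 10:15:01 fileserver01 sshd[2101]: Failed password for root from 10.0.0.7 port 50112 ssh2
<34>Mar  9 10:15:02 fileserver01 sshd[2101]: Failed password for root from 10.0.0.7 port 50113 ssh2
<34>Mar  9 10:15:03 fileserver01 sshd[2101]: Failed password for admin from 10.0.0.7 port 50114 ssh2
<34>Mar  9 10:15:04 fileserver01 sshd[2101]: Failed password for admin from 10.0.0.7 port 50115 ssh2
<34>Mar  9 10:15:05 fileserver01 sshd[2101]: Failed password for guest from 10.0.0.7 port 50116 ssh2
<34>Mar  9 10:15:06 fileserver01 sshd[2101]: Failed password for guest from 10.0.0.7 port 50117 ssh2
<38>Mar  9 10:15:07 webserver02 sshd[880]: Accepted publickey for deploy from 10.0.0.20 port 41000 ssh2
<30>Mar  9 10:15:08 webserver02 cron[901]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
<30>Mar  9 10:15:09 dc01 Microsoft-Windows-Security-Auditing: An account was successfully logged on
""".splitlines()

# Constructed per-host event counts for the six previous windows of equal
# length; this stands in for the history an auto-learning threshold is built from.
HISTORY = {
    "fileserver01": [1, 0, 2, 1, 0, 1],
    "webserver02": [2, 3, 2, 2, 3, 2],
    "dc01": [1, 1, 1, 1, 1, 1],
}

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE  (PID is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Return a dict of the line's fields, or None if it is not well-formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,          # PRI encodes facility * 8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "program": m.group("prog").strip(),
        "message": m.group("msg"),
    }


def count_by_host(lines):
    """Events per host in the current window; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is not None:
            counts[ev["host"]] += 1
    return counts


def threshold(samples, k=2.0, floor=1.0):
    """Alert limit = mean + k * population std-dev of the history.

    `floor` keeps a quiet, perfectly regular host (std-dev 0) from alerting
    on a single extra event; both parameters are assumptions of this example.
    """
    n = len(samples)
    mean = sum(samples) / n
    variance = sum((x - mean) ** 2 for x in samples) / n
    return mean + max(k * math.sqrt(variance), floor)


def find_outliers(current, history, k=2.0):
    """Hosts whose current count exceeds their learned threshold.

    A host with no history gets a None threshold so it is surfaced for
    review rather than silently accepted.
    """
    alerts = []
    for host, count in sorted(current.items()):
        hist = history.get(host)
        if not hist:
            alerts.append((host, count, None))
            continue
        limit = threshold(hist, k)
        if count > limit:
            alerts.append((host, count, round(limit, 2)))
    return alerts


if __name__ == "__main__":
    current = count_by_host(SAMPLE_LOGS)
    for host, count, limit in find_outliers(current, HISTORY):
        print(f"ALERT host={host} events={count} threshold={limit}")
```

In the sample data only `fileserver01` fires: its six failed logins in one window sit well above a learned limit of about 2.2 events, while `webserver02` stays under its limit of roughly 3.3. A real deployment would recompute the history as each window closes and hand the alert tuple to the ticketing step of the workflow described above.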
CorreLog offers basic, no-cost 24/7 support for one year. After the first year, the company offers two paid service options, standard and premium. Standard (Monday to Friday, 6 a.m. to 6 p.m. EST) costs 20 percent of the then-current product price, while premium (24/7) costs 25 percent. Support includes phone and email service. CorreLog also provides assistance on the company's website, including a knowledge base and a FAQ. As an entry into the SIEM market for small enterprises, CorreLog is a cost-effective way to begin getting a handle on threat management and incident response.