CorreLog SIEM Correlation Server
Strengths: Excellent price point for a very flexible SIEM/log correlator with lots of features.
Weaknesses: The documentation, while extensive, needs a lot of work to make it more user-friendly.
Verdict: Depending on the use to which you intend to put it, this one certainly requires your consideration. There is a full-featured, 30-day downloadable trial and we highly recommend getting it and seeing if the product fits in your environment.
This one is a bit of an odd beast. First, it comes only as software. However, the software is a walk in the park to install and set up. Second, it leads two lives: a SIEM in its own right or a tool that can work alongside other, perhaps larger, SIEMs. We thought that position was pretty clever so we were keen to install it and fire it up.
It likes Windows Server 2008 and beyond (as well as most other modern Windows versions) and we just happen to have one of those in our test bed so we started the deployment expecting a lot of the same difficulties we often experience with a bare software install. Not so. The product comes with a 14-page installation guide. That was all we needed to get us started. Things were looking promising when we got to the main landing page menu. There we were guided through a password change - do this! The default password is trivial. Once we had the password changed we could add users or add devices and agents. Some devices require agents. However, devices that generate syslogs simply can supply the syslog to the product.
Extensive documentation is available on the CorreLog website and we recommend that you browse through the User Reference Manual before you start installing. It's not so much that you won't be able to install if you don't. It's more that this tool can do a lot depending on how you set it up and a little planning goes a very long way. If we have a complaint about this documentation, it would be that there are no screen shots - endless tables, but no screen shots. Also, if you are going to be the one administering the tool, you also will need the Advanced Correlation System User Guide. We have the same lack-of-screen-shot complaint for this manual as well.
Once we were up and running we set up to do some pretty basic SIEM functions and we were pleased to see how easy the setup was and how well the system performed. The landing page or, as CorreLog refers to it, the Home page, is clear and easy to use. Tabs are nicely nested and everything you need is right at your fingertips. When used for log correlation it can handle IDS/IPS, Syslog, Windows event logs, NetFlow and several other types of logs. It can perform sophisticated threat correlation, which leads to good incident management and forensics. Since it supports McAfee ePO, there is a special deployment manual for that as well.
There is a raft of plugins for special purposes - over 100 web-based applications, as well as lots of adapters and add-ins - and these are downloadable once you buy the product. So, building up the base system to match your environment is quite simple. Supporting the documentation sets there is an excellent collection of white papers that address ways to use SIEMs in general and this one in particular. That suggests that smaller organizations just beginning down the SIEM path are a significant market for the CorreLog product.
Next-generation capabilities include some sophisticated analysis and auto-correlation and machine learning. There is an emphasis on regulatory compliance with easy support for HIPAA and several others. Reports are, likewise, extensive. One thing that we really liked was specific documentation on the website that addresses PCI-DSS and SOX compliance.
Support is good - standard support of 5/12 is included with the first year and can be purchased, while it will cost 20 percent of the price of the then-current product after that. Premium support 24/7 is available at 25 percent of the then-current price of the product. The website is very complete.