CorreLog Enterprise Server v5.2.0
Strengths: Easy to install and full of features
Weaknesses: Macro writing requires specialisation often unavailable in small organisations
Verdict: Interesting approach to SIEM
CorreLog Enterprise Server combines real-time log management with correlation, auto-learning functions, high-speed search, ticketing and reporting services. This software solution can be installed in minutes on a Windows host platform with at least 512Mb of memory and sufficient disk space to store log files.
This tool has the capability to work either independently of, or alongside, other SIEM technologies to improve threat management and incident response capabilities. It is designed to be as simple as possible to install and operate, and is an excellent entry point into SIEMs for small- to mid-sized enterprises, as it includes the basic elements of an enterprise-class SIEM.
CorreLog has a distinctive automated workflow - from event message to correlation to alerts to tickets. The alert functions use auto-learning and intuitive thresholds for simplicity and tracking. Logs/messages are encrypted and hashed to help ensure the data is authentic. Another winning feature is the full scripting facility to launch functions and third-party applications. CorreLog provides auditing and forensic capabilities for organisations concerned with meeting SIEM requirements set forth by PCI DSS, HIPAA, SOX, FISMA, GLBA and others.
CorreLog freely distributes versions of its Windows Agent and Windows Tool Kit (WTS) to instrument Microsoft 200x, XP, Vista and Windows 7 platforms with standard syslog capability. This non-intrusive, feature-rich, standards-based agent is distributed free of charge to all interested organisations to help advance the state of the art for SIEM and systems management.
A number of printed documents, as well as a collection of 33 PDFs covering installation, configuration and operations, were provided. These gave excellent insight into the philosophy and methodology employed by the company in the development of its CorreLog Enterprise Server.
Installation took less than a minute to get the system up and running. Agents were deployed by logging into the target systems and launching the URL that was created on the CorreLog server.
The default graphics and messages demonstrated the tool's simplicity and effectiveness. As each tab was selected, more and more features were uncovered, providing a complete view of the power of the CorreLog solution. For example, after selecting the top-level option, titled 'messages', a layer of new tabs appeared. After selecting 'severities', three more layers were exposed, each providing more information. Ultimately, a correlation was performed and the incidents were addressed. Active word parsing provided details of all activity by the respective user ID. Following the new message list there was a single warning event.
Selection of the 'view catalogue statistics' link provided a completely different display that included critical alert threshold hints, standard deviations from average and more. For the analytical user, this is an excellent resource. Ticketing makes use of groups that can be populated by IP addresses or via a correlation list macro. The macro function allows for editing or creation of user-defined macros. There is no doubt this takes a completely different approach from most other SIEM solutions, but it is worth looking into.
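The review mentions auto-learning thresholds and 'standard deviations from average' without showing how such a threshold is derived. The following Python script is an added illustration, not CorreLog's code, of the simplest form of that idea: parse RFC 3164-style syslog lines, count events per host per minute, learn a baseline from the earlier minutes and flag the latest minute if it exceeds mean plus k standard deviations. The syslog lines are constructed sample data, and the parameters k and min_sd are assumptions chosen for the example; the min_sd floor exists because a perfectly flat baseline has a standard deviation of zero, which would otherwise turn any tiny change into an alert.

```python
"""Baseline-and-deviation alerting over per-host syslog counts (illustrative)."""
import re
import statistics
from collections import Counter, defaultdict

# RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)


def build_sample_log():
    """Constructed sample data (not real logs): a steady baseline for two hosts,
    followed by a burst of failed logins on web01 in the final minute."""
    lines = []
    # web01: 2,3,2,3,2 auth.info (PRI 38) messages in minutes 09:00-09:04
    for minute in range(5):
        for n in range(2 + minute % 2):
            lines.append(f"<38>Mar 10 09:0{minute}:{10 * n:02d} web01 sshd[201]: "
                         f"Accepted publickey for alice from 10.0.0.5 port 5{n}000")
    # web01: 20 messages in minute 09:05 (the anomaly to be detected)
    for n in range(20):
        lines.append(f"<38>Mar 10 09:05:{n:02d} web01 sshd[201]: "
                     f"Failed password for root from 192.0.2.7 port 4{n:02d}0")
    # db01: a flat 3 daemon.info (PRI 30) messages per minute across all six minutes
    for minute in range(6):
        for n in range(3):
            lines.append(f"<30>Mar 10 09:0{minute}:{5 * n:02d} db01 postgres[77]: "
                         f"connection authorized: user=app database=orders")
    lines.append("garbage line that does not parse")  # exercises the parser's None path
    return lines


def parse_line(line):
    """Return a dict of syslog fields, or None if the line is not well formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,      # PRI = facility * 8 + severity
        "severity": pri % 8,
        "ts": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def count_per_minute(lines):
    """host -> {"Mon DD HH:MM": event count}; unparsable lines are skipped."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        minute = rec["ts"][:-3]  # drop the ":SS" part
        counts[rec["host"]][minute] += 1
    return counts


def evaluate_host(per_minute, k=3.0, min_sd=1.0):
    """Learn mean/stdev from all but the latest minute and test the latest against
    mean + k * max(stdev, min_sd). Returns None when there is too little history."""
    minutes = sorted(per_minute)
    if len(minutes) < 3:
        return None
    baseline = [per_minute[m] for m in minutes[:-1]]
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = mean + k * max(sd, min_sd)  # floor guards against a flat baseline
    latest = per_minute[minutes[-1]]
    return {"minute": minutes[-1], "count": latest, "mean": mean, "stdev": sd,
            "threshold": threshold, "alert": latest > threshold}


def detect_bursts(lines, k=3.0, min_sd=1.0):
    """host -> evaluation for every host with enough history."""
    results = {}
    for host, per_minute in count_per_minute(lines).items():
        verdict = evaluate_host(per_minute, k, min_sd)
        if verdict is not None:
            results[host] = verdict
    return results


if __name__ == "__main__":
    for host, v in detect_bursts(build_sample_log()).items():
        flag = "ALERT" if v["alert"] else "ok"
        print(f"{host:6} {v['minute']} count={v['count']:3d} "
              f"mean={v['mean']:.2f} sd={v['stdev']:.2f} threshold={v['threshold']:.2f} {flag}")
```

Running the script flags web01 (20 events against a learned threshold of 5.4) and leaves db01 alone (3 events against 6.0). A production implementation would keep a rolling window per host and per message class rather than treating all earlier minutes as baseline, but the mean-plus-k-deviations test is the core of what a 'standard deviations from average' hint expresses.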
CorreLog offers basic, no-cost 24/7 support services for one year. After the first year, the company offers two pay-per-service options, standard and premium, providing phone and email services. Assistance is available on the company's website, including a knowledge base and FAQs.
As an entry into the SIEM market for small enterprises, CorreLog Enterprise Server is a cost-effective way to begin to get a handle on threat management and incident response.