CorreLog SIEM Correlation Server
Strengths: Probably the easiest product of its type to deploy, very comprehensive feature set and a good price point – even if you need to add the cost of a physical server in-house.
Weaknesses: None that we found.
Verdict: We like this a lot, especially for SMBs, although larger organisations certainly should not rule it out as too small. It’s not. For its value and feature set, as well as the efforts to improve and keep the product ahead of the curve, we make this our Best Buy.
One of our great rewards here in the SC Labs is seeing vendors take our reviews seriously enough to respond with better products, at least in part due to our review. Last year, we reviewed the CorreLog SIEM and, while we liked it a lot, we took it to task for its documentation. We are happy to report that the documentation has gotten better this year.
With the very small exception of a lack of clarity in a single piece of the installation process, this product installed faster and easier than any product of similar complexity that we've seen in our many years of doing product reviews. We probably could have given it to Dillon, the Lab Dog, and gotten similarly good results. We installed the server on a virtual MS Server 2008 R2 and stuck a Windows agent on a virtual Windows 7 machine. No sooner had we completed the agent install than the Correlation Server had started communicating with it.
The dashboard is simplicity itself. The home page - this is a web page; the landing page actually is called out in the menu as "Home" - has something that we have never seen: the page consists of links to a variety of supplementary information and downloads. For example, it's easy to download the agent for the device you want to monitor. Simply browse to the Correlation Server from the device you want to monitor, in our case the Win7 VM, and download the agent. Once the file is on your device, all you need to do is execute it. The rest is automatic.
Once we had our test rig set up, we ran a few simple scans against the Win7 VM and got a response very quickly. There is a large list of operating systems that are supported directly and just about any device that produces a syslog is supported as well. It can take data from many databases, as well as anti-malware, access management, network management and wireless systems. Of course, it supports the usual firewalls and IDS/IPS products.
The main menu sports a series of dashboards, including a top-level view, a specific dashboard for PCI DSS, an overview of threats, and several others, including a way for you to create custom dashboards. These, like any dashboard, provide an overview with drilldown. However, there is a tab for messages as well. The messages segment provides details about events that may be evident from the dashboards. Similarly, there is an alerts tab that gives details on alerts.
Generally, we found this an easy-to-use and very comprehensive product. It is supplied as software, which means that you will need a server - physical or virtual - to house it. However, access to the Correlation Server is via the web, so once it is installed you can access it from any browser that can reach the server across the enterprise. Even with the extra cost of a physical server, the overall cost of ownership is very reasonable.
The tool has its own ticketing system and reporting is extensive. In addition to supplied reports, there are templates so that you can create your own reports. The included reports contain the usual compliance reports and there is an interesting capability for creating pivot log analysers, much like a spreadsheet pivot table. And, in fact, reports can be put out in Excel format, a feature that we like because Excel format allows us to do some post-processing with other tools, such as link analysers that consume that format.
Support is very good, with a year of basic support included and a fee-based program as well. Documentation is extensive and much improved over our last look at this tool. The website is clearly laid out, with such things as a support portal.