
Here, I'm going to write about building an enterprise OSSIM/LogStash build-out. This should include, but not be limited to:

  • Geo-location redundancy
    • Data should be active/active or active/passive depending on the abilities of the systems
    • If possible, queries should be able to be run from the local site, i.e. the Site A web front end should query from Site A and Site B from Site B.
  • Geo-location collection points
    • These should be single points for end devices to talk to
    • They should distribute the data to the final information-gathering points
  • Use of all open-source tools should be strived for. Tools with enterprise-class support should be considered primarily.
  • Caching of data should happen should any point fail
  • Compression and bursting could be implemented.

To begin, I've decided on the following data flow:

Client End Point -> Local Geo Collection Point -> Central Collection Point -> Split to OSSIM and LogStash
  • -> LogStash -> ElasticSearch (Cluster) -> LogStash Front End
  • -> OSSIM Cluster

My build-out will begin with the ElasticSearch cluster, then work backwards to the client end points. I will then tack on the LogStash front end, and add OSSIM to the Central Collection Point.

Since the LogStash system can push data cleanly, the collection points will be based on LogStash; an alternative would be a syslog forwarder.
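As an added illustration of the data flow above (constructed for this page, not the author's own configuration), here is one way to express the two LogStash tiers as pipeline definitions. The site collection point receives syslog from end devices, stamps each event with its site, and forwards it over TLS to the central collection points; the central point splits the stream to the ElasticSearch cluster and to OSSIM over syslog. All hostnames, ports beyond the standard syslog and beats ports, certificate paths and the queue size are assumptions. The persistent queue covers the "caching should any point fail" requirement, and the lumberjack protocol used between the tiers zlib-compresses each batch, which covers compression without extra settings.

```logstash
# pipelines.yml entries (assumed paths): the persistent queue spools events to disk
# at the collection point if the central collection points are unreachable.
#
#   - pipeline.id: site-a-collector
#     path.config: "/etc/logstash/conf.d/10-site-a-collector.conf"
#     queue.type: persistent
#     queue.max_bytes: 4gb          # constructed sizing; tune to expected outage length
#   - pipeline.id: central-split
#     path.config: "/etc/logstash/conf.d/20-central-split.conf"
#     queue.type: persistent
#     queue.max_bytes: 8gb

# ---- /etc/logstash/conf.d/10-site-a-collector.conf (Site A geo collection point) ----
input {
  # The single point end devices at this site talk to.
  syslog {
    port => 5514
    type => "syslog"
  }
}

filter {
  # Record which site received the event so the Site A front end can restrict
  # its queries to its own site's data.
  mutate {
    add_field => { "site" => "site-a" }   # constructed site identifier
  }
}

output {
  # Forward to either central collection point (assumed hostnames); the
  # lumberjack protocol authenticates the server with the listed certificate
  # and compresses each batch of events.
  lumberjack {
    hosts => ["central-a.example.internal", "central-b.example.internal"]
    port => 5044
    ssl_certificate => "/etc/logstash/certs/central-ca.crt"   # assumed path
  }
}

# ---- /etc/logstash/conf.d/20-central-split.conf (Central Collection Point) ----
input {
  # The beats input accepts the lumberjack protocol sent by the collection points.
  # (`ssl` is spelled `ssl_enabled` on newer plugin versions.)
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/central.crt"   # assumed path
    ssl_key => "/etc/logstash/certs/central.key"           # assumed path
  }
}

output {
  # Branch 1: ElasticSearch cluster, indexed per site and day so each site's
  # front end can query only its own indices.
  elasticsearch {
    hosts => ["https://es-a.example.internal:9200", "https://es-b.example.internal:9200"]
    index => "logs-%{site}-%{+YYYY.MM.dd}"
    user => "logstash_writer"                     # placeholder credentials
    password => "${LOGSTASH_WRITER_PASSWORD}"     # read from the Logstash keystore
  }

  # Branch 2: OSSIM, which ingests plain syslog (assumed host and port).
  syslog {
    host => "ossim.example.internal"
    port => 514
    protocol => "udp"
    rfc => "rfc5424"
  }
}
```

The collection point's `site` field is what makes the local-query requirement practical: the per-site index name is derived from it at the central point, so a site front end only has to target `logs-site-a-*` rather than filter every query. If the central points are down, events accumulate in the collection point's persistent queue up to `queue.max_bytes` and drain when a connection returns, which is the behaviour to size for when deciding how long an outage the site must tolerate.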