CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, I have been asked by our IT manager to get a monitoring/alerting/reporting tool for the firewall put in place. He wants to know a whole range of things, like when a VPN user gets their password wrong or if we are potentially being hacked, all the things that keep him warm and fuzzy inside. Currently we run R62 on SPLAT. Now the question is: do you recommend or even use Eventia? If not, what other applications can do this job? Much appreciated. March
Eventia Analyser is pretty good at that, provided your log volumes aren't too large. Eventia Reporter is IMHO not worth the money, unless you like the canned reports it gives you (because you can't get anything else out of it!). There are much more flexible options that cost a LOT less for historical log analysis.
I'm a bit biased, but I think the Eventia Suite is your best option for VPN-1. None of the 3rd-party analyzers seem to be even close. As for the reporter side, all the really good 3rd-party ones I've seen have been just as expensive as Reporter. The fact that it doesn't have an ad-hoc reporting system still bugs me, but I really haven't found any activity-based log reporting I wanted that I couldn't get. Call your Check Point sales folks and ask for an eval of the suite. They should have no problem giving you a 30-day license or two to try it.
"I'm a bit biased but I think the Eventia Suite is your best option for VPN-1." I have to disagree. If cost is not an issue, you should definitely look at ArcSight or NetForensics. They offer a complete solution, since they can take logs from a lot more devices than the Eventia Suite. From a security perspective, this device should take logs from firewalls, IDS/IPS, Unix/Linux servers, Windows servers, Cisco routers, switches and VPN devices. Once it accepts the logs, it can do event correlation. I tried Eventia Suite NGX R60 about 1.5 years ago. I have to say that that product is horrendous. The Check Point SE spent two days helping me set up this product, and at the end of the day Eventia Suite couldn't get logs from PIX 7.x code and Juniper IDP logs. After 2 days, the Check Point SE and I gave up. I like ArcSight and NetForensics. They are expensive but worth the money.
I agree that Eventia Analyser isn't great at correlating logs from multiple devices, but the flipside of this is that the volume of logs from firewalls (particularly Check Point) can quickly dwarf all of the other logs on an ArcSight or NetForensics system, meaning that you need a dedicated system just for the firewall logs anyway. Having said that, Eventia is quite good with Check Point events. If correlation is important, I'd suggest that the Analyser could be used as a filter point, and the events from this can be output to ArcSight or an equivalent solution. I certainly would not recommend Eventia as a correlation tool for everything, but in the Check Point firewall space it's improved quite a bit in the later versions.
The bottom line always comes down to what you're trying to do, of course, but I'm running the R65 Eventia Suite (Analyzer and Reporter). There has been some discussion above regarding consolidation rates. I have seen my Analyzer server process over 30,000 logs per minute (that's the highest that I've seen, but I don't keep my eyes glued to the console all day either). Right now, as I type, I am processing about 2000 - 5000 logs per minute, and the main office doesn't open for another hour. Consolidation rate on Eventia is not an issue that I've seen firsthand.

I use correlation for the following items to generate events:
- FW-1 logs
- Cisco syslog (switches and routers)
- Windows event logs

With the exception that the consolidation sessions like to stop when I push policy sometimes, I'd say that overall I'm happy with it. I do not have requirements to run any highly complex reports on a normal basis, but the few times I've needed to generate something, I was able to generate the appropriate information.

__________________
There's no place like 127.0.0.1
Last edited by lammbo : 2008-01-16 at 04:55.
Regarding ArcSight or NetForensics, cost may not be an issue for you, but what about time and effort? ArcSight, NetForensics and Intellitactics are not only notoriously expensive, but also very difficult to set up and maintain. If you go down this road, I highly recommend buying their professional services. I ran a department in a Fortune 50 that spent $1.5 million+, a dedicated FTE, on-site professional services and three years of effort to get this thing running. It was very complicated and required learning a bastardized version of Perl. The interface was written in Java and, although very pretty, would take five minutes or more to display anything.

We installed a demo of Eventia Suite R65 and were finding Analyzer events within seconds of them happening. Eventia was pulling info from a CMA that had 800+ rules, 1000+ NAT rules, and over 2 GB of log files a day. We also discovered that Intellitactics (tuned and installed by Intellitactics) was missing a lot of defined events that it was supposed to be seeing. Analyzer was keeping Intellitactics honest.

Eventia requires much less effort to install. It takes maybe 10 minutes; 12 for P1 ;). In most cases it does not require a dedicated FTE to maintain. The interface is very fast and will display events in near real time. The TCO on Eventia is going to be a lot less than a third-party product. If you haven't worked with Eventia in its R65 release, I would recommend you take another look.
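The original question asks for alerts on repeated VPN password failures, and the later posts describe correlating FW-1 logs with Cisco syslog and Windows event logs. The following Python is an added example, not code from this thread or from any Check Point, ArcSight or NetForensics product. It parses constructed, simplified stand-ins for those three log formats (the field names and layout are assumptions, not the real export formats) into one normalized failure record, then raises a single event when the same user/source-IP pair fails a threshold number of times inside a sliding window, regardless of which device reported the failure.

```python
"""Cross-source authentication-failure correlation over sample log lines.

Added example, not from the CPUG thread or any vendor product. The three
line formats below are simplified stand-ins for Check Point VPN-1, Cisco
IOS and Windows security logs; field names and layout are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real device output). One user, alice, fails
# three times from the same IP across two devices within a minute; carol
# fails twice but an hour apart; bob logs in successfully.
SAMPLE_LOGS = [
    "2008-01-16 08:00:01 fw1 cp: product=VPN-1 action=reject user=alice src=203.0.113.7 reason=auth-failure",
    "2008-01-16 08:00:20 fw1 cp: product=VPN-1 action=reject user=alice src=203.0.113.7 reason=auth-failure",
    "2008-01-16 08:00:45 rtr1 cisco: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: alice] [Source: 203.0.113.7]",
    "2008-01-16 08:01:10 dc1 windows: EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006D",
    "2008-01-16 08:01:30 fw1 cp: product=VPN-1 action=accept user=bob src=198.51.100.9",
    "2008-01-16 08:30:00 fw1 cp: product=VPN-1 action=reject user=carol src=192.0.2.5 reason=auth-failure",
    "2008-01-16 09:30:00 fw1 cp: product=VPN-1 action=reject user=carol src=192.0.2.5 reason=auth-failure",
]

TS_RE = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

# One regex per source; each only matches *failed* authentications and
# captures the two fields the correlation keys on (user and source IP).
PARSERS = [
    ("checkpoint", re.compile(
        TS_RE + r" \S+ cp: .*action=reject user=(?P<user>\S+) src=(?P<src>\S+) reason=auth-failure")),
    ("cisco", re.compile(
        TS_RE + r" \S+ cisco: %SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")),
    ("windows", re.compile(
        TS_RE + r" \S+ windows: EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")),
]


def parse_failure(line):
    """Normalize a raw line into {ts, source, user, src}, or None if the line
    is not an authentication failure from a known source."""
    for source, rx in PARSERS:
        m = rx.search(line)
        if m:
            return {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "source": source,
                "user": m["user"],
                "src": m["src"],
            }
    return None  # accepted logins and unrelated lines carry no failure signal


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count of failures keyed by (user, src IP), across all
    sources. Emits one event when a key first reaches `threshold` failures
    inside `window`, then suppresses repeats until the count drops again so
    a sustained brute force does not produce one event per log line."""
    recent = defaultdict(deque)   # key -> deque of (ts, source) in window
    alerted = set()
    events = []
    for line in lines:
        f = parse_failure(line)
        if f is None:
            continue
        key = (f["user"], f["src"])
        q = recent[key]
        q.append((f["ts"], f["source"]))
        while q and f["ts"] - q[0][0] > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            events.append({
                "user": key[0], "src": key[1], "count": len(q),
                "sources": sorted({s for _, s in q}),
                "first": q[0][0], "last": f["ts"],
            })
        elif len(q) < threshold:
            alerted.discard(key)
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOGS):
        print(f"ALERT {ev['user']}@{ev['src']}: {ev['count']} failures "
              f"from {ev['sources']} between {ev['first']} and {ev['last']}")
```

On the sample input this yields exactly one event, for alice from 203.0.113.7, with the Check Point and Cisco failures counted together; carol's two failures fall outside the window and bob's successful login is ignored. The window and the per-key suppression are what keep event volume manageable at the log rates mentioned above; before use against real data the three parsers would need to be replaced with ones matching the actual export format (for Check Point, the OPSEC LEA feed or `fw log` output).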