Logs and event data enter an ALM system through an ALM agent. For reasons of log data integrity, efficiency and resilience, the preferred option is to install agents on the hosts that create the logs. Agentless deployment is also possible: one or more strategically located agents (for example only on the ALM server[s]) are installed and configured to collect logs remotely.
ALM’s architecture allows collection and management of almost any log or data type, including binary logs, not just simple text files as with many SIEM solutions.
Customers can add further log sources to meet their own needs via the optional Assuria Log Source Development Kit.
ALM agents typically collect logs directly from their local system, on the principle of getting as close to the source of the log data as possible. In some cases, however, it is not practical or desirable to install an agent on the source system, and the following remote collection options cover those cases:
Many network devices, such as routers, switches and firewalls, can forward events via the RFC 3164 Syslog protocol. Any ALM agent can be configured to receive such events. Alternatively, ALM agents can collect logs received by various third-party Syslog servers.
However, Syslog has substantial intrinsic problems (the sender is not authenticated, the hostname and timestamp in each message are whatever the sender chose to write, and UDP transport offers no guarantee that a message arrived once, in order, or at all), and Assuria strongly discourages its use where any degree of confidence is required in the integrity of the collected log data. For further details please see the white paper “In Syslog we Trust?”.
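To make the Syslog integrity point concrete, the following Python is an added example (not ALM or Assuria code, and not the white paper's material): it parses RFC 3164 datagrams and then checks the HOSTNAME each message claims against the UDP peer address the datagram actually arrived from. The datagrams, the expected-origin table and the function names are all constructed for the example; no ALM agent exposes them.

```python
"""Added example (not Assuria/ALM code): parse RFC 3164 syslog datagrams and
flag the origin problems a collector cannot fix after the fact.

The datagrams, the expected-origin table and the function names below are
constructed for illustration and are not part of any ALM agent."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day ("Feb  5").
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str      # claimed by the sender; the protocol never verifies it
    tag: str
    pid: Optional[int]
    message: str


def parse_rfc3164(line: str) -> SyslogEvent:
    """Parse one datagram. A line with no valid header is handled as RFC 3164
    tells relays to handle it: PRI 13 (user.notice) with the whole line as MSG,
    so the event has no usable hostname at all."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        return SyslogEvent(1, 5, "", "", "", None, line)
    pri = int(m.group("pri"))
    if pri > 191:  # facilities 0-23 x severities 0-7, so 191 is the maximum
        raise ValueError(f"PRI {pri} out of range")
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        tag=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        message=m.group("msg"),
    )


def check_origin(event: SyslogEvent, peer_ip: str,
                 expected: Dict[str, str]) -> str:
    """Compare the HOSTNAME the message claims with the UDP peer address the
    datagram came from. Returns 'ok', 'unknown-host' or 'spoofed-hostname'.
    'ok' is weak evidence only: a UDP source address can itself be forged,
    and nothing here detects a dropped, duplicated or replayed datagram."""
    allowed = expected.get(event.hostname)
    if allowed is None:
        return "unknown-host"
    return "ok" if peer_ip == allowed else "spoofed-hostname"


# Constructed sample input: (peer address the datagram arrived from, payload).
DATAGRAMS: List[Tuple[str, str]] = [
    ("10.0.0.1", "<166>Mar  3 09:15:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.1"),
    # Same claimed hostname, sent from a workstation: RFC 3164 cannot tell the difference.
    ("10.0.9.99", "<166>Mar  3 09:15:03 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.1"),
    ("10.0.9.99", "<85>Mar  3 09:15:04 ws42 sudo: root : TTY=pts/0 ; COMMAND=/bin/bash"),
    ("10.0.0.1", "a bare line with no PRI header"),
]

# Constructed allow-list: the address each known log source is expected to send from.
EXPECTED_ORIGIN: Dict[str, str] = {"fw1": "10.0.0.1"}


def triage(datagrams: List[Tuple[str, str]],
           expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (claimed hostname, verdict) for every datagram, in order."""
    results = []
    for peer_ip, raw in datagrams:
        event = parse_rfc3164(raw)
        results.append((event.hostname, check_origin(event, peer_ip, expected)))
    return results


if __name__ == "__main__":
    for host, verdict in triage(DATAGRAMS, EXPECTED_ORIGIN):
        print(f"{host or '<no hostname>'}: {verdict}")
```

The second datagram is the case that matters: it is byte-for-byte as well-formed as the first, and only the receiver's knowledge of where `fw1` should be sending from exposes it. That knowledge is external to the protocol, which is why a locally installed agent reading the log at its source is preferred over anything the Syslog wire format can offer.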
Check Point devices use the OPSEC LEA protocol to export events; Windows, Solaris (SPARC) and 32-bit Linux agents can be configured to receive such events.
Cisco IPS devices export intrusion events via the Cisco Intrusion Detection Event Exchange (CIDEE) protocol.
Sourcefire appliances export events via the eStreamer protocol or via a remote JDBC connection.
Most ALM agents can query a remote database via ODBC.
ALM has several data sources that query remote web services such as Amazon Web Services and the VMware vSphere web service API. These can be added as required.
64-bit Linux agents have a network tap. It has been used to collect a variety of data not available by other means, for example decrypting SSL/TLS sessions to retrieve HTTPS traffic without modifying the server. Note that passive decryption of this kind requires a copy of the server's private key and a cipher suite without forward secrecy; sessions negotiated with an ephemeral key exchange cannot be decrypted from a tap.
ALM supports remote collection of Windows event logs via WMI. However, for various reasons beyond the scope of this paper, we discourage this in favour of locally installed agents.
The ALM SDK enables partners and customers to create new data sources programmatically: ALM can therefore be extended to collect anything that can be represented as a file.