Service Bus Proposal
I see Apache ALOIS as a "best of breed" pot. Therefore, ALOIS contains a core which is (or at least is a kind of) a message bus. This message bus is the interface through which all of these tools work together. I am not talking about a general-purpose message bus (although we might take one as a base), but one that is built specially for this case and can and will contain some application logic. To have a fully functional SIEM without legal incompatibility, there is a separate tool for every interface which implements the basic functionality. These tools could be the actual modules of ALOIS.
I see the following basic functionality (and therefore interfaces):
- Collectors or agents, which collect the logs of a system or application
- Data server, which collects all logs from the agents, stores them and perhaps does some filtering
- Data mining, which correlates the data
- Reporting
- Frontend for display
This basic functionality should be implemented independently, so that such a tool (or group of tools) can be replaced rather easily if a better one is found. To allow this independence we need a message bus. I propose to take a good open source service bus and configure it for our needs. I would prefer well-defined interfaces to an open, generalized one.
As a starting point I see the following architecture:
To me, REST as the main transport seems state of the art.
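The following is an added example, not ALOIS code, sketching the architecture the proposal describes: a small bus core that enforces a fixed event schema, with a collector, a data server and a data-mining module attached only through bus topics, so any one of them can be swapped without touching the others. The topic names, the event schema, the `host|source|epoch|message` line format of the constructed sample logs and all class names are assumptions made here for illustration; the bus is in-process rather than REST so that it runs stand-alone. Schema enforcement sits in the bus rather than in each module, which means a malformed or unparseable line from an agent is rejected once, centrally, and never reaches storage or correlation.

```python
"""Minimal message bus with well-defined module interfaces (added example, not ALOIS code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Interface contract for the log topics: the bus accepts nothing else.
# Enforcing the schema at the bus is what keeps the modules replaceable.
# Field names are assumptions for this example.
EVENT_SCHEMA = {"host": str, "source": str, "timestamp": int, "message": str}

Handler = Callable[[dict], None]


@dataclass
class MessageBus:
    """Topic-based publish/subscribe core with schema validation."""
    subscribers: Dict[str, List[Handler]] = field(default_factory=dict)
    rejected: int = 0

    def subscribe(self, topic: str, handler: Handler) -> None:
        self.subscribers.setdefault(topic, []).append(handler)

    def publish(self, topic: str, event: dict) -> bool:
        """Validate against the contract, then fan out. Returns False if rejected."""
        if not self.valid(event):
            self.rejected += 1  # malformed input never reaches a module
            return False
        for handler in self.subscribers.get(topic, []):
            handler(event)
        return True

    @staticmethod
    def valid(event: dict) -> bool:
        return set(event) == set(EVENT_SCHEMA) and all(
            isinstance(event[k], t) for k, t in EVENT_SCHEMA.items())


class Collector:
    """Agent interface: turns raw lines into events on the 'logs.raw' topic."""
    def __init__(self, bus: MessageBus) -> None:
        self.bus = bus

    def collect(self, lines: List[str]) -> int:
        accepted = 0
        for line in lines:
            # Constructed line format: host|source|epoch|message
            event = dict(zip(EVENT_SCHEMA, line.split("|", 3)))
            if str(event.get("timestamp", "")).isdigit():
                event["timestamp"] = int(event["timestamp"])
            # Incomplete or mistyped events are handed over as-is; the bus rejects them.
            if self.bus.publish("logs.raw", event):
                accepted += 1
        return accepted


class DataServer:
    """Store interface: keeps events, drops noise, forwards to 'logs.stored'."""
    def __init__(self, bus: MessageBus, drop_sources=("debug",)) -> None:
        self.bus, self.drop_sources, self.store = bus, set(drop_sources), []
        bus.subscribe("logs.raw", self.ingest)

    def ingest(self, event: dict) -> None:
        if event["source"] in self.drop_sources:
            return  # filtering happens here, as the proposal allows
        self.store.append(event)
        self.bus.publish("logs.stored", event)


class FailedLoginCorrelator:
    """Data-mining interface: counts failed SSH logins per host and raises an alert at a threshold."""
    def __init__(self, bus: MessageBus, threshold: int = 3) -> None:
        self.threshold, self.failures, self.alerts = threshold, Counter(), []
        bus.subscribe("logs.stored", self.correlate)

    def correlate(self, event: dict) -> None:
        if event["source"] == "sshd" and "Failed password" in event["message"]:
            self.failures[event["host"]] += 1
            if self.failures[event["host"]] == self.threshold:
                self.alerts.append(event["host"])


SAMPLE_LINES = [  # constructed sample input, not real logs
    "web01|sshd|1700000001|Failed password for root from 203.0.113.5",
    "web01|sshd|1700000002|Failed password for root from 203.0.113.5",
    "web01|debug|1700000003|cache warmed",
    "web01|sshd|1700000004|Failed password for root from 203.0.113.5",
    "db01|sshd|1700000005|Accepted publickey for ops",
    "web01|sshd|not-a-timestamp|Failed password for admin",  # violates the schema
    "garbage",                                                # unparseable line
]


def run_pipeline(lines: List[str] = SAMPLE_LINES) -> dict:
    """Wire the modules together over the bus and return a summary of what happened."""
    bus = MessageBus()
    server = DataServer(bus)
    miner = FailedLoginCorrelator(bus)
    accepted = Collector(bus).collect(lines)
    return {"accepted": accepted, "rejected": bus.rejected,
            "stored": len(server.store), "alerts": miner.alerts}


if __name__ == "__main__":
    print(run_pipeline())
```

Replacing the data server with another implementation only requires that it subscribe to `logs.raw` and publish to `logs.stored`; neither the collector nor the correlator needs to change, which is the independence the proposal asks the bus to provide.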