Revision 2 as of 2011-01-08 13:14:11 (size 1520, comment: Image added), compared with revision 1 as of 2011-01-07 15:27:06 (size 1579, comment: initial proposal). The only change is on line 16, where the local attachment {{attachment:/home/urs/Dokumente/@work/incubator/Apache ALOIS Service Bus.png}} was replaced by {{http://incubator.apache.org/alois/images/Apache%20ALOIS%20Service%20Bus_small.png}}.
Service Bus Proposal
I see Apache ALOIS as a "best of breeds" pot. Therefore, ALOIS contains a core which is (or at least resembles) a message bus. This message bus is the interface through which all of these tools work together. I am not talking about a general-purpose message bus (although we might take one as a base), but one which is built specifically for this case and can and will contain some application logic. To have a fully functional SIEM without legal incompatibility, there is a separate tool for every interface which implements the basic functionality. These tools could be the actual modules of ALOIS.
I see the following basic functionality (and therefore interfaces):
- Collectors or agents, which collect the logs of a system or application
- Data server, which collects all logs from the agents, stores them and possibly does some filtering
- Data mining, which correlates the data
- Reporting
- Frontend for display
This basic functionality should be implemented independently, so that such a tool (or group of tools) can be replaced rather easily if a better one is found. To allow this independence we need a message bus. I propose to take a good open source service bus and configure it for our needs. I would prefer well-defined interfaces over an open, generalized one.
As a starting point I see the following architecture:
To me, REST as the main transfer mechanism seems state of the art.
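To make the modular design above concrete, here is a small added example (not ALOIS code) of a topic-based bus with the collector, data server, data mining and reporting roles as independent modules behind one event contract; the field names, severities, threshold and sample events are all assumptions. The security point is that the bus validates every event at its boundary, so replacing one module cannot feed malformed data to the others.

```python
from collections import defaultdict

# Assumed event contract (not from the proposal): required fields and known severities.
REQUIRED_FIELDS = {"source", "timestamp", "severity", "message"}
SEVERITIES = {"debug", "info", "warning", "error", "critical"}

class ServiceBus:
    # Checks the contract at the boundary, so a swapped-in module cannot push malformed events downstream.
    def __init__(self):
        self.subscribers, self.rejected = defaultdict(list), []
    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)
    def publish(self, topic, event):
        if not (REQUIRED_FIELDS <= set(event) and event["severity"] in SEVERITIES
                and isinstance(event["message"], str) and len(event["message"]) <= 8192):
            self.rejected.append(event)  # keep a record of what was refused, for audit
            return False
        for handler in list(self.subscribers[topic]):
            handler(event)
        return True

class DataServer:  # stores every raw event, forwards error-level ones to data mining
    def __init__(self, bus):
        self.bus, self.store = bus, []
        bus.subscribe("raw", self.on_event)
    def on_event(self, event):
        self.store.append(event)
        if event["severity"] in ("error", "critical"):
            self.bus.publish("filtered", event)

class Correlator:  # data-mining module: one alert once a source reaches `threshold` errors
    def __init__(self, bus, threshold=3):
        self.bus, self.threshold, self.counts = bus, threshold, defaultdict(int)
        bus.subscribe("filtered", self.on_event)
    def on_event(self, event):
        self.counts[event["source"]] += 1
        if self.counts[event["source"]] == self.threshold:
            self.bus.publish("alerts", dict(event, severity="critical",
                             message=f"{self.threshold} errors reported by {event['source']}"))

def run_demo():
    # Wire the modules together and push constructed sample events through the bus.
    bus, alerts = ServiceBus(), []
    server, _ = DataServer(bus), Correlator(bus)
    bus.subscribe("alerts", alerts.append)  # stand-in for the reporting module
    for i in range(3):  # three errors from one source trip the correlator
        bus.publish("raw", {"source": "web01", "timestamp": f"2011-01-08T13:00:0{i}",
                            "severity": "error", "message": "authentication failure"})
    bus.publish("raw", {"source": "db01", "message": "no timestamp or severity"})  # refused
    return len(server.store), len(alerts), len(bus.rejected)  # (3, 1, 1)
```

In a real deployment each `publish` would be a REST call to the bus and each subscriber an endpoint the bus calls back, but the contract check at the bus stays the same.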