http://static.usenix.org/events/lisa10/tech/full_papers/Krizak.pdf

http://sagan.quadrantsec.com/
https://www.openhub.net/p/palantir3

https://github.com/beave/sagan-rules/blob/master/README

http://www.logalyze.com/

http://nxlog.org/

http://baudlabs.com/top-free-and-open-source-log-management-software/

https://isc.sans.edu/diary/SAGAN%3A+An+open-source+event+correlation+system+-+Part+1%3A+Installation/9184

http://www.securitywarriorconsulting.com/logtools/

http://www.opennms.org/wiki/Drools_Correlation_Engine

opennms

http://blog.profitbricks.com/top-47-log-management-tools/

https://www.usenix.org/conference/lisa12/technical-sessions/presentation/lang_david

http://comments.gmane.org/gmane.comp.log.sec.user/1345

Networks create lots of events. Sometimes thousands per minute.

Events can be SNMP traps generated by a server rebooting, syslog messages, Microsoft Windows event logs etc.

How do you know which events are important? The ones telling you something important?

That is where event correlation tools come in handy. You feed all of the events into the tool, as well as a description of the structure of your systems, and its job is to flag up the important ones.

1. Simple Event Correlator (SEC) – SEC is a lightweight, platform independent event correlation tool written in Perl. Project registered with Sourceforge on 14th Dec 2001.
2. RiverMuse – correlate events, alerts and alarms from multiple sources into a single pain of glass. Open core with a closed enterprise product cousin.
3. Drools – a suite of tools written in Java including Drools Guvnor – a business rules manager, Drools Expert – rule engine, jBPM 5– process / workflow, Drools Fusion – event processing / temporal reasoning and OptaPlanner – automated planning.
4. OpenNMS – whilst not a dedicated event correlation tool, OpenNMS does contain an event correlation engine based upon the Drools engine mentioned above.
5. Esper (and Nesper) – Esper is a Java based components (Nesper is a .NET based version of Esper) for complex event processing.

If you want a survey of event correlation techniques and tools, you could do a lot worse than read Andreas Müller’s master’s thesis titledEvent Correlation Engine. It is a few years old, but is still pretty current.