tankerkiller125 Be careful with ElasticSearch. The spec requirements are outrageous, and it only works properly if set up in a cluster. Most on-prem installs of this type typically fail at the first hurdle owing to cost, backup, and availability. In my role as Head of IT and CISO, this is one of the many things I need to worry about. It’s why I chose AlienVault.
Not cheap, but worth every penny / dime (dependent on location 🙂).
There are numerous ways to sell any SIEM product - mostly it’s around accountability, traceability, forensics, and so on. Imagine having to tell senior management you can’t tell who entered your network without authorisation 6 months ago as you have no log retention... 🤮