Plaso
Plaso (log2timeline) is the timeline maestro that ingests massive log files from Windows, Linux, and macOS, supercharging them into a single, searchable chronology for spotting incident patterns like lateral movement or data exfiltration. Run it via the CLI on your forensic image to parse artifacts from event logs to browser history, then use psort to output timelines for easy navigation. Open-source and artifact-rich, it's the chronologist's dream for reconstructing attacks from scattered logs without the manual grind.

ELK Stack
ELK Stack (Elasticsearch, Logstash, Kibana) is the open-source trio that transforms raw logs into interactive dashboards: Logstash parses incoming streams, Elasticsearch indexes them for lightning-fast queries, and Kibana visualizes anomalies like failed logins or unusual IPs. Set it up locally with Docker for personal IR, filtering massive datasets to correlate events across hosts in minutes. Free and scalable, it's the versatile canvas for solo analysts painting incident stories from log chaos.

Splunk
Splunk is the powerhouse log aggregator that chews through terabytes of events, using SPL queries and machine-learning correlations to uncover threats like insider exfiltration or brute-force spikes. Spin up a free developer license on your machine to ingest syslog or firewall feeds, building custom alerts and timelines for rapid triage. Enterprise-grade yet accessible, it's the intuitive interrogator for individuals decoding complex incidents solo.

Graylog
Graylog is the streamlined log manager that centralizes streams from diverse sources, applying rules to flag anomalies like privilege abuse while serving up searchable archives for forensic deep dives. Deploy it via Docker for local testing, extracting IOCs from alerts with ease and exporting them for reports. Open-source core with pro add-ons, it's the efficient curator for pentesters sifting signal from log noise.

Sigma
Sigma is the rule-based detective kit for crafting generic log queries that translate to SIEMs like Splunk or ELK, hunting patterns from credential dumping to beaconing without vendor lock-in. Write or pull community rules for your logs, test them via the converters, and deploy them for cross-tool detection. Open-source and universal, it's the blueprint builder for analysts standardizing hunts across environments.

TheHive
TheHive is the incident response hub that ingests logs via Cortex analyzers, correlating events into cases with timelines and IOC extraction for collaborative forensics. Run it standalone for personal IR, tagging observables and running playbooks to automate enrichment from your feeds. Open-source and extensible, it's the case-file organizer for lone wolves turning log floods into focused narratives.

Velociraptor
Velociraptor is the endpoint hunter that queries live logs and artifacts with VQL, pulling timelines from event logs to reconstruct breaches across your fleet in real time. Deploy agents or hunt offline dumps, visualizing hunts in notebooks for shareable insights. Open-source and query-flexible, it's the nimble tracker for individuals chasing ghosts through distributed log trails.

GRR Rapid Response
GRR Rapid Response (GRR) is the remote forensics framework that flows logs from endpoints to a central server, enabling timeline queries and artifact collection for distributed incident scoping. Install the agent on targets and run flows from the GUI to pull logs, correlating across hosts without heavy lifting. Open-source from Google, it's the scalable scout for analysts monitoring logs in large environments.

Sguil
Sguil is the sensor-driven analyst console that aggregates Snort logs into real-time alerts, letting you drill into packet details and transcripts for signature-based threat hunting. Set it up with Barnyard2 for log fusion, filtering events in the GUI for quick pivots to full captures. Open-source and alert-centric, it's the focused filter for pentesters parsing IDS noise into actionable intel.

Xplico