ArcSight, LogRhythm, and NitroSecurity ace mining event logs for security alerting, compliance auditing, and other uses
Log management is one of those necessary tasks that every company should do, but that few companies do consistently well. Collecting and analyzing computer and device logs can pay off in many areas, including information security, operations management, application monitoring, system troubleshooting, and compliance auditing. A good log management solution can help with any -- or all -- of these efforts.
Security auditing may be the No. 1 reason why many companies first investigate log management tools. Verizon's "2008 Data Breach Investigations Report" [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
This review covers seven different hardware and software solutions for log management: ArcSight Logger 4.0, GFI EventsManager v.8.2, LogLogic MX3020 v.4.9.1, LogRhythm LR2000-XM v.5.0, NitroSecurity NitroView ESM and ELM v.8.4, Splunk 4.1.2, and Trustwave SIEM.
The goal of this review is to expose readers to a general cross-section of log management features and functionality, including what features set the different solutions apart. It's important to note that while we rank each product across a common set of evaluation criteria (on a scale of 1 to 10, 10 being the highest), the products are often dissimilar to one another -- they are often different classes of products.
For example, ArcSight's single-appliance Logger is strictly a log management solution and therefore lacks a number of features found in NitroSecurity's two-appliance SIEM (security information and event management) solution. My evaluation of both products -- and all the others in this review -- focused only on log management capabilities, and the product scorecards reflect only their log management features. I did not evaluate real-time event correlation -- the hallmark of the SIEM solution -- though I do note in the reviews and the product comparison table where those features are present. It's usually a good thing when a solution offers more capabilities at a given price point.
The product features and functions I did evaluate are those related to collecting, storing, and reviewing the wide variety of event logs a company might want to watch closely. While you won't need a complete and detailed understanding of log management to follow this product review, you might keep in mind the several distinct phases of the log management lifecycle: policy definition, configuration, collection, normalization, indexing, storage, correlation, baselining, alerting, and reporting. (You'll find summaries of these phases in the sidebar, "Living the log management lifecycle," and a more thorough treatment in my downloadable report, "Log Analysis Deep Dive: Finding Gold in Log Files.") The specific product features I examined, and the most important differences among products in this category, are explored in the remainder of this article.
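To make the lifecycle phases concrete, here is an added example (not code from the article or from any of the reviewed products) that walks a handful of constructed log lines through collection, normalization into a common schema, indexing, a threshold alert, and a per-host report. The sample lines, the field names, the 4624/4625-style Windows export format, and the brute-force threshold are all assumptions made for the illustration; the point it shows is that a cross-source alert (failures against both a Linux host and a Windows domain controller from one address) is only possible once events from different formats share one schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured from a real system): Linux sshd syslog
# and a simplified text export of Windows Security events 4624/4625.
SAMPLE_LOGS = [
    "Mar  3 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:15:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Mar  3 10:15:04 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51131 ssh2",
    "Mar  3 10:15:09 web01 sshd[2203]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    "2010-03-03 10:16:02 DC01 Security 4625 Logon failure User=jsmith SourceIP=203.0.113.7",
    "2010-03-03 10:16:20 DC01 Security 4624 Logon success User=jsmith SourceIP=192.0.2.15",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WINEVT_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) Security "
    r"(?P<eid>\d+) .* User=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)


def normalize(line, year=2010):
    """Normalization: map each source format onto one schema (ts, host, source, user, src_ip, outcome).
    Syslog carries no year, so one is assumed; return None for lines no parser understands."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "source": "sshd", "user": m["user"],
                "src_ip": m["ip"], "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "source": "winsec", "user": m["user"],
                "src_ip": m["ip"], "outcome": "failure" if m["eid"] == "4625" else "success"}
    return None


def ingest(lines):
    """Collection: keep parsed events and the raw lines that were not parsed.
    Unparsed lines are worth counting; silently dropping them is how evidence goes unnoticed."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        (events if ev else unparsed).append(ev if ev else line)
    return events, unparsed


def build_index(events):
    """Indexing: inverted index field -> value -> event positions, the structure behind fast search."""
    index = defaultdict(lambda: defaultdict(list))
    for i, ev in enumerate(events):
        for field in ("host", "source", "user", "src_ip", "outcome"):
            index[field][ev[field]].append(i)
    return index


def brute_force_alerts(events, threshold=3, window_seconds=120):
    """Alerting: one source IP with >= threshold logon failures inside the window,
    counted across hosts and log sources. Threshold and window are assumed values."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in failures.items():
        for start in range(len(evs)):
            end = start + threshold - 1
            if end < len(evs) and (evs[end]["ts"] - evs[start]["ts"]).total_seconds() <= window_seconds:
                alerts.append({"src_ip": ip, "count": len(evs), "first": evs[start]["ts"],
                               "hosts": sorted({e["host"] for e in evs}),
                               "users": sorted({e["user"] for e in evs})})
                break  # one alert per source address
    return alerts


def report(events):
    """Reporting: logon successes and failures per host, the kind of roll-up an auditor asks for."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        summary[ev["host"]][ev["outcome"]] += 1
    return dict(summary)


if __name__ == "__main__":
    evs, bad = ingest(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {len(bad)} lines unparsed")
    for a in brute_force_alerts(evs):
        print("ALERT", a)
    print(report(evs))
```

Run as-is, the script normalizes all six lines, raises one alert for 203.0.113.7 (four failures spanning web01 and DC01 under three different user names), and reports web01 with three failures and one success. Real products replace each piece with something far more capable, but the division of labor is the same.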
Testing was done in a small private lab with 15 to 20 computers (some physical, some virtual), mimicking a small-business network with Windows, Linux, BSD, routers, and wireless clients. At times, some of the functionality was viewed when the product was running on larger, real production networks or on a remote lab created by the vendor, when more clients better demonstrated a particular feature.
Scorecard. Only three column headers survived extraction from the page: Alerting and reporting (20.0%), User interface (20.0%), and Overall Score (100%). Each row below lists the product's four scores in the order printed, since the columns cannot be matched to headers with confidence.

|Product|Scores (four columns, in the order printed)|
|ArcSight Logger 4.0|10.0|9.0|8.0|8.0|
|GFI EventsManager 8.2|7.0|8.0|8.0|8.0|
|LogLogic MX3020 (version 4.9.1)|8.0|8.0|8.0|9.0|
|LogRhythm LR2000-XM (version 5.0)|9.0|9.0|9.0|9.0|
|NitroSecurity NitroView ESM 5750 and ELM 2250|10.0|9.0|9.0|8.0|