Log management is one of those necessary tasks that every company should do, but that few companies do consistently well. Collecting and analyzing computer and device logs can pay off in many areas, including information security, operations management, application monitoring, system troubleshooting, and compliance auditing. A good log management solution can help with any -- or all -- of these efforts.
Security auditing may be the No. 1 reason why many companies first investigate log management tools. Verizon's "2008 Data Breach Investigations Report," which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
This review covers seven different hardware and software solutions for log management: ArcSight Logger 4.0, GFI EventsManager v.8.2, LogLogic MX3020 v.4.9.1, LogRhythm LR2000-XM v.5.0, NitroSecurity NitroView ESM and ELM v.8.4, Splunk 4.1.2, and Trustwave SIEM.
The goal of this review is to expose readers to a general cross-section of log management features and functionality, including what features set the different solutions apart. It's important to note that while we rank each product across a common set of evaluation criteria (on a scale of 1 to 10, 10 being the highest), the products are often dissimilar to one another -- they are often different classes of products.
For example, ArcSight's single-appliance Logger is strictly a log management solution and therefore lacks a number of features found in NitroSecurity's two-appliance SIEM (security information and event management) solution. My evaluation of both products -- and all the others in this review -- focused only on log management capabilities, and the product scorecards reflect only their log management features. I did not evaluate real-time event correlation -- the hallmark of the SIEM solution -- though I do note in the reviews and the product comparison table where those features are present. It's usually a good thing when a solution offers more capabilities at a given price point.
The product features and functions I did evaluate are those related to collecting, storing, and reviewing the wide variety of event logs a company might want to watch closely. While you won't need a complete and detailed understanding of log management to follow this product review, you might keep in mind the several distinct phases of the log management lifecycle: policy definition, configuration, collection, normalization, indexing, storage, correlation, baselining, alerting, and reporting. (You'll find summaries of these phases in the sidebar, "Living the log management lifecycle," and a more thorough treatment in my downloadable report, "Log Analysis Deep Dive: Finding Gold in Log Files.") The specific product features I examined, and the most important differences among products in this category, are explored in the remainder of this article.
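To make the lifecycle phases concrete, here is a small end-to-end pipeline written for this article as an added illustration; it is not code from any of the reviewed products. It takes constructed sample lines in three formats (BSD syslog from sshd, a flattened Windows security event, and an Apache access log line), normalizes them into one schema, builds an inverted index for searching, baselines failed logins per source address, raises an alert when a source exceeds a threshold inside a time window, and produces a summary report. The sample lines, the schema field names, the year assumed for syslog timestamps, and the alert threshold are all assumptions of the example.

```python
"""Minimal log-management pipeline: collection -> normalization -> indexing
-> baselining -> alerting -> reporting, run over constructed sample lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input mixing three log formats, as a collector would
# receive them. These lines are made up for the example, not from any system.
RAW_LOGS = [
    "Jun 12 08:01:05 host1 sshd[2211]: Failed password for root from 10.0.0.7 port 5222 ssh2",
    "Jun 12 08:01:07 host1 sshd[2211]: Failed password for root from 10.0.0.7 port 5223 ssh2",
    "Jun 12 08:01:09 host1 sshd[2211]: Failed password for admin from 10.0.0.7 port 5224 ssh2",
    "Jun 12 08:01:11 host1 sshd[2211]: Failed password for root from 10.0.0.7 port 5225 ssh2",
    "Jun 12 08:02:00 host1 sshd[2212]: Accepted password for root from 10.0.0.7 port 5226 ssh2",
    "2010-06-12T08:03:14 WIN-DC01 EventID=4625 User=jsmith Source=192.168.1.20 Status=Failure",
    "2010-06-12T08:05:40 WIN-DC01 EventID=4624 User=jsmith Source=192.168.1.20 Status=Success",
    '192.168.1.30 - - [12/Jun/2010:08:06:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    "this line matches no known format and must be retained as unparsed",
]

SYSLOG_YEAR = 2010  # assumption: classic syslog lines carry no year, so one is supplied
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"User=(?P<user>\S+) Source=(?P<ip>\S+) Status=(?P<status>\w+)")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<code>\d{3})')


def parse_line(line):
    """Normalize one raw line into the common schema; None if the format is unknown."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "source": "sshd", "user": m["user"],
                "src_ip": m["ip"], "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "raw": line}
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
        outcome = {"4625": "failure", "4624": "success"}.get(m["eid"], "info")  # logon failure / success
        return {"ts": ts, "host": m["host"], "source": "windows-security", "user": m["user"],
                "src_ip": m["ip"], "outcome": outcome, "raw": line}
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"ts": ts, "host": None, "source": "apache", "user": None,  # access log names no host
                "src_ip": m["ip"], "outcome": "info", "raw": line}
    return None


def collect(raw_lines):
    """Collection + normalization. Unparsed lines are kept, never silently dropped."""
    events, unparsed = [], []
    for i, line in enumerate(raw_lines):
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            ev["id"] = i
            events.append(ev)
    return events, unparsed


def build_index(events):
    """Indexing: inverted index (field, value) -> set of event ids."""
    index = defaultdict(set)
    for ev in events:
        for field in ("host", "source", "user", "src_ip", "outcome"):
            if ev[field] is not None:
                index[(field, ev[field])].add(ev["id"])
    return index


def search(index, **criteria):
    """Return sorted ids of events matching every field=value criterion."""
    hits = None
    for field, value in criteria.items():
        ids = index.get((field, value), set())
        hits = ids if hits is None else hits & ids
    return sorted(hits or ())


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Baselining + alerting: count failures per source address within a sliding
    window; alert at `threshold` and note whether a success followed the burst."""
    alerts, by_ip = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] in ("failure", "success"):
            by_ip[ev["src_ip"]].append(ev)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["outcome"] == "failure"]
        for i, start in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                success_after = any(e["outcome"] == "success" and last <= e["ts"] <= last + window
                                    for e in evs)
                alerts.append({"src_ip": ip, "failures": len(burst),
                               "users": sorted({e["user"] for e in burst}),
                               "first": burst[0]["ts"], "last": last,
                               "success_after": success_after})
                break  # one alert per source; later windows would only repeat it
    return alerts


def summarize(events, unparsed):
    """Reporting: the counts a daily log review would scan first."""
    return {"events": len(events), "unparsed": len(unparsed),
            "by_source": dict(Counter(e["source"] for e in events)),
            "by_outcome": dict(Counter(e["outcome"] for e in events))}


if __name__ == "__main__":
    events, unparsed = collect(RAW_LOGS)
    index = build_index(events)
    print("failed root logins:", search(index, user="root", outcome="failure"))
    for alert in failed_login_alerts(events):
        print("ALERT", alert)
    print(summarize(events, unparsed))
```

Two design points matter more than the regexes: unparsed lines are retained and counted rather than discarded, because a format the collector does not recognize is exactly the blind spot the Verizon statistic describes, and the alert records a success that follows a burst of failures, which is the case a reviewer wants surfaced rather than buried in the raw failure count.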
Testing was done in a small private lab with 15 to 20 computers (some physical, some virtual), mimicking a small-business network with Windows, Linux, BSD, routers, and wireless clients. At times, some of the functionality was viewed when the product was running on larger, real production networks or on a remote lab created by the vendor, when more clients better demonstrated a particular feature.
Scorecard (partial: the labels of the four score columns and the rows for Splunk and Trustwave are missing from this copy). Criteria named in the original scorecard header: Alerting and reporting (20.0%), User interface (20.0%), Overall Score (100%).

| Product | | | | |
|---|---|---|---|---|
| ArcSight Logger 4.0 | 10.0 | 9.0 | 8.0 | 8.0 |
| GFI EventsManager 8.2 | 7.0 | 8.0 | 8.0 | 8.0 |
| LogLogic MX3020 (version 4.9.1) | 8.0 | 8.0 | 8.0 | 9.0 |
| LogRhythm LR2000-XM (version 5.0) | 9.0 | 9.0 | 9.0 | 9.0 |
| NitroSecurity NitroView ESM 5750 and ELM 2250 | 10.0 | 9.0 | 9.0 | 8.0 |