ArcSight, LogRhythm, and NitroSecurity ace mining event logs for security alerting, compliance auditing, and other uses
Log management is one of those necessary tasks that every company should do, but that few companies do consistently well. Collecting and analyzing computer and device logs can pay off in many areas, including information security, operations management, application monitoring, system troubleshooting, and compliance auditing. A good log management solution can help with any -- or all -- of these efforts.
Security auditing may be the No. 1 reason why many companies first investigate log management tools. Verizon's "2008 Data Breach Investigations Report" [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
This review covers seven different hardware and software solutions for log management: ArcSight Logger 4.0, GFI EventsManager v.8.2, LogLogic MX3020 v.4.9.1, LogRhythm LR2000-XM v.5.0, NitroSecurity NitroView ESM and ELM v.8.4, Splunk 4.1.2, and Trustwave SIEM.
The goal of this review is to expose readers to a general cross-section of log management features and functionality, including what features set the different solutions apart. It's important to note that while we rank each product across a common set of evaluation criteria (on a scale of 1 to 10, 10 being the highest), the products are often dissimilar to one another -- they are often different classes of products.
For example, ArcSight's single-appliance Logger is strictly a log management solution and therefore lacks a number of features found in NitroSecurity's two-appliance SIEM (security information and event management) solution. My evaluation of both products -- and all the others in this review -- focused only on log management capabilities, and the product scorecards reflect only their log management features. I did not evaluate real-time event correlation -- the hallmark of the SIEM solution -- though I do note in the reviews and the product comparison table where those features are present. It's usually a good thing when a solution offers more capabilities at a given price point.
The product features and functions I did evaluate are those related to collecting, storing, and reviewing the wide variety of event logs a company might want to watch closely. While you won't need a complete and detailed understanding of log management to follow this product review, you might keep in mind the several distinct phases of the log management lifecycle: policy definition, configuration, collection, normalization, indexing, storage, correlation, baselining, alerting, and reporting. (You'll find summaries of these phases in the sidebar, "Living the log management lifecycle," and a more thorough treatment in my downloadable report, "Log Analysis Deep Dive: Finding Gold in Log Files.") The specific product features I examined, and the most important differences among products in this category, are explored in the remainder of this article.
Testing was done in a small private lab with 15 to 20 computers (some physical, some virtual), mimicking a small-business network with Windows, Linux, BSD, routers, and wireless clients. At times, some of the functionality was viewed when the product was running on larger, real production networks or on a remote lab created by the vendor, when more clients better demonstrated a particular feature.
Alerting and reporting (20.0%)
User interface (20.0%)
Overall Score (100%)
|ArcSight Logger 4.0||10.0||9.0||8.0||8.0|
|GFI EventsManager 8.2||7.0||8.0||8.0||8.0|
|LogLogic MX3020 (version 4.9.1)||8.0||8.0||8.0||9.0|
|LogRhythm LR2000-XM (version 5.0)||9.0||9.0||9.0||9.0|
|NitroSecurity NitroView ESM 5750 and ELM 2250||10.0||9.0||9.0||8.0|
Windows 7 is suddenly telling users it isn't genuine -- and it has nothing to do with Windows being...
Last Tuesday's MS14-066 causes some servers to inexplicably hang, AWS or IIS to break, and Microsoft...
These strong alternatives to the popular languages are gaining steam -- and may be the perfect fit for...
Sponsored by Nuage Networks
Sponsored by Fibre Channel Industry Association
There's only one explicit Apple Watch MDM policy, but more controls than you might realize
Don't want your home address or other personal info published to the world? This weekend, take an hour...
Little languages abound to bring your code to the Web with surprising ease and few compromises
Apple’s ‘my way or the highway’ upgrade policy for OS X really needs to change