InfoWorld review: Better network security, compliance with log management
ArcSight, LogRhythm, and NitroSecurity ace mining event logs for security alerting, compliance auditing, and other uses
I did not test vendor performance or compression reports, both of which are often exaggerated. Some vendors felt this was unfortunate because one of their strongest claims of competitive advantage was in dealing quickly with huge amounts of data. We recommend testing real-life performance before buying any log management product. This author has seen many log management products perform well when handling a few hundred machines but slow to a crawl when handling a few thousand computers.
In a pleasant turn of events (excuse the pun), I felt all of the reviewed items were solid products ready to be deployed on any company's network. Not one of the products tested would fail to provide value, although of course some would provide more value than others. Every reviewed product worked as advertised, had a myriad of useful features, and was mature enough to be used in a production environment. The top goal of this review was to highlight the features that made each product competitively distinct so that readers can decide which ones might make sense for testing in their environment.
Log management evaluation guide
This section will discuss the various features available in each of the log management products tested and should help provide a framework for evaluating any other log management solution. For the seven products reviewed, the table below compares the key features to help in your evaluation.
One of the first decisions to be made is whether to use an all-inclusive appliance or a software-based product. Most log management products come as appliances simply because appliances typically handle the performance and storage requirements more easily than a software product running on a general-purpose operating system. Yes, it is true that administrators could configure and optimize a software product's underlying host OS to be as efficient as an appliance -- after all, an appliance is just an operating system host running log management software. With appliances, however, the hard configuration and optimization work is already done.
The downside of appliances is that they tend to be limited to a few off-the-shelf configurations and disk capacities, and their underlying operating system -- often a Linux distro or Microsoft Windows -- may be harder to patch. Although most of the appliance vendors in this review claimed to keep the underlying host patched and up-to-date as a part of their normal product upgrades (which are often automated), I found many products running older versions of code, such as the Apache Web server, with known vulnerabilities for which patches are available. If you decide to use an appliance, ask the vendor whether they update the underlying OS quickly when patches are available; if allowed under the licensing agreement, also consider testing the product for vulnerabilities before buying.
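One way to turn the "ask the vendor, then verify" advice above into a repeatable pre-purchase check is to record what each appliance's web console discloses about its bundled components and compare that against the minimum versions you are willing to accept. The script below is an added example, not code from InfoWorld or from any of the reviewed vendors: it parses HTTP `Server`-style banners, compares each component against an evaluator-supplied baseline, and reports what is below baseline and what is simply not disclosed (a hidden version is not a failure, it just means you must check on the host). The banners, appliance names and baseline versions are constructed for illustration.

```python
"""Pre-purchase component check for a log management appliance.

Added example (not from the review or any vendor). It parses the kind of
HTTP ``Server`` banner an appliance's web console returns and flags every
component older than the minimum version the evaluator has chosen. The
baseline is an input you supply; nothing here knows about specific
vulnerabilities. Sample banners and baseline values are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Matches tokens such as "Apache/2.2.3", "OpenSSL/1.0.1", "PHP/5.1.6".
_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'2.4.7' -> (2, 4, 7)."""
    return tuple(int(part) for part in text.split("."))


def parse_server_banner(banner: str) -> Dict[str, Version]:
    """Return {component: version} for every 'name/x.y.z' token in a banner.

    A bare product name with no version (e.g. 'Apache' with ServerTokens
    Prod) produces no entry, which the caller reports as 'not disclosed'.
    """
    return {name.lower(): parse_version(ver) for name, ver in _TOKEN.findall(banner)}


def version_below(actual: Version, minimum: Version) -> bool:
    """Tuple comparison with zero padding so that (2, 2) == (2, 2, 0)."""
    width = max(len(actual), len(minimum))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(actual) < pad(minimum)


def check_appliance(name: str, banner: str, baseline: Dict[str, Version]) -> List[dict]:
    """One finding per baseline component: ok, below_baseline, or not_disclosed."""
    components = parse_server_banner(banner)
    findings = []
    for comp, minimum in baseline.items():
        if comp not in components:
            status = "not_disclosed"     # verify on the appliance itself
        elif version_below(components[comp], minimum):
            status = "below_baseline"    # ask the vendor about its patch cadence
        else:
            status = "ok"
        findings.append({
            "appliance": name,
            "component": comp,
            "found": components.get(comp),
            "minimum": minimum,
            "status": status,
        })
    return findings


# Constructed sample banners, as an evaluator might capture them from each
# appliance's management console during a trial. Not real products.
APPLIANCE_BANNERS = {
    "appliance-A": "Apache/2.2.3 (CentOS) PHP/5.1.6",
    "appliance-B": "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1",
    "appliance-C": "Apache",   # version hidden; must be checked on the host
}

# Constructed baseline: the oldest version the evaluator will accept.
BASELINE: Dict[str, Version] = {"apache": (2, 4), "php": (5, 3), "openssl": (1, 0, 1)}


def run_all() -> List[dict]:
    """Check every sample appliance against the baseline."""
    results = []
    for appliance, banner in APPLIANCE_BANNERS.items():
        results.extend(check_appliance(appliance, banner, BASELINE))
    return results


if __name__ == "__main__":
    for f in run_all():
        print(f"{f['appliance']:12} {f['component']:8} {f['status']:15} found={f['found']} min={f['minimum']}")
```

The same comparison works for whatever else the console or a shell on the appliance reveals (kernel, OpenSSH, Java); keep the baseline in version control so the check can be re-run after each vendor upgrade to confirm the underlying host actually moved.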
Workload distribution. Most of the products tested provided all-in-one functionality, meaning their product would act as management console, data collector, storage device, indexer (for search queries and filters), and report generator. In addition, most products could be configured to serve in just one role or multiple roles without performing all roles.
Workload distribution is incredibly important if you plan to collect log messages from more than a few hundred clients. Not that the log management tool itself poses a bottleneck -- if an appliance, it will usually have four or more Gigabit Ethernet interfaces -- but a network can sustain only so much additional traffic without causing application and operation performance issues. Sending log messages from 1,000 computers to a single log manager can bring any network to its knees.
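To put numbers on the point about workload distribution, the following back-of-envelope planner is an added example (not from the review or any vendor). It models a network segment's log volume from host count, events per second per host and average message size (plus the 42 bytes of Ethernet, IP and UDP framing each syslog datagram carries), applies a burst factor, and asks whether shipping everything straight to one central log manager would exceed a utilization budget on that segment's uplink, and whether a local collector that batches and compresses before forwarding would keep it within budget. Every figure below (host counts, event rates, link speeds, the collector's forwarding ratio and the burst factor) is a constructed assumption, not a measurement, which is exactly why the review recommends testing real-life performance before buying.

```python
"""Back-of-envelope log traffic planner (added example; constructed inputs).

Estimates per-segment log bandwidth and checks it against an uplink budget,
with and without a local collector that forwards a reduced stream.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ethernet (14) + IPv4 (20) + UDP (8) header bytes per syslog datagram.
FRAMING_BYTES = 42


@dataclass
class Segment:
    name: str
    hosts: int
    eps_per_host: float      # average events per second per host (assumed)
    avg_event_bytes: int     # average syslog payload size (assumed)
    uplink_mbps: float       # link from this segment toward the log manager


def raw_mbps(seg: Segment) -> float:
    """Steady-state bandwidth if every host sends directly, one datagram per event."""
    bytes_per_sec = seg.hosts * seg.eps_per_host * (seg.avg_event_bytes + FRAMING_BYTES)
    return bytes_per_sec * 8 / 1_000_000


def plan_segment(seg: Segment, budget_fraction: float = 0.10,
                 burst_factor: float = 3.0, collector_ratio: float = 0.25) -> Dict[str, float]:
    """Decide whether direct shipping fits the uplink budget or a collector is needed.

    budget_fraction: share of the uplink log traffic may consume (assumed 10%).
    burst_factor:    peak-to-average multiplier for event storms (assumed 3x).
    collector_ratio: fraction of the raw stream a batching/compressing collector
                     forwards (assumed 25%; vendor compression claims vary, test them).
    """
    steady = raw_mbps(seg)
    burst = steady * burst_factor
    direct_util = burst / seg.uplink_mbps
    with_collector = burst * collector_ratio
    collector_util = with_collector / seg.uplink_mbps
    return {
        "steady_mbps": steady,
        "burst_mbps": burst,
        "direct_utilization": direct_util,
        "direct_ok": direct_util <= budget_fraction,
        "collector_forwarded_mbps": with_collector,
        "collector_utilization": collector_util,
        "collector_ok": collector_util <= budget_fraction,
    }


def manager_ingest_mbps(segments: List[Segment], **kwargs) -> float:
    """Peak traffic arriving at the central manager if each segment takes the
    cheapest option that fits its budget (direct if ok, else via collector)."""
    total = 0.0
    for seg in segments:
        p = plan_segment(seg, **kwargs)
        total += p["burst_mbps"] if p["direct_ok"] else p["collector_forwarded_mbps"]
    return total


# Constructed sample topology: one large campus and one small branch office.
SEGMENTS = [
    Segment("campus", hosts=1000, eps_per_host=4.0, avg_event_bytes=300, uplink_mbps=100.0),
    Segment("branch", hosts=50, eps_per_host=2.0, avg_event_bytes=300, uplink_mbps=10.0),
]


if __name__ == "__main__":
    for seg in SEGMENTS:
        p = plan_segment(seg)
        verdict = "direct ok" if p["direct_ok"] else ("collector ok" if p["collector_ok"] else "exceeds budget even with collector")
        print(f"{seg.name:8} steady={p['steady_mbps']:.2f} Mbps burst={p['burst_mbps']:.2f} Mbps "
              f"uplink={seg.uplink_mbps:.0f} Mbps -> {verdict}")
    print(f"central manager peak ingest: {manager_ingest_mbps(SEGMENTS):.2f} Mbps")
```

Under these assumptions the 1,000-host campus cannot send directly within a 10 percent budget on a 100 Mbps uplink (its bursts would take a third of the link), but a local collector brings it under budget; the branch fits either way. Replace the assumed rates with values measured during a trial, and compare the manager's peak ingest against the interfaces the appliance actually ships with.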