InfoWorld review: Better network security, compliance with log management
ArcSight, LogRhythm, and NitroSecurity ace mining event logs for security alerting, compliance auditing, and other uses
Work with the vendor to figure out log management instance roles and distribution to maximize performance in your environment. Every product in this review can act as a store-and-forward collector for other instances of the same product, meaning you can have one instance collect all the local traffic before forwarding the data, often compressed, to a centralized "master" log management instance. Many of the products can also forward events to third-party products, typically over syslog or SNMP. Several products, in both software and appliance form, can be deployed as dedicated collectors or dedicated indexers; collection and indexing tend to be the two most CPU-intensive operations.
Give the vendor your network's dimensions (network bandwidth, available capacity, and number of clients that will be monitored) and your log management plans. Then let the vendor respond with their recommended distributed configurations. With appliances, this will often result in different hardware models in different locations.
Performance matters not only for avoiding network congestion, but also when analyzing real-time or historical data, printing reports, and doing more involved forensic analysis. When you have tens of millions to billions of event messages to work with, you don't want to wait 10 minutes for a simple query to return. If your solution involves multiple log management nodes, make sure that queries and reports can work across "peers," meaning that one click in a management console executes the search or report on every product instance and merges the results. And test the performance differences and feature differences when crossing peers; a few of the products have more limited features when searching across peers. All of the products tested are fairly flexible regarding workload distribution, with the lone exception being GFI EventsManager.
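The collector-to-master topology and the cross-peer query described above, as an added example that is not code from the review or from any of the vendors. It models a local collector that parses syslog-style lines, buffers them, and forwards them upstream as gzip-compressed JSON batches, plus a master that indexes what it receives and can also fan one query out across all registered peers and merge the results. The event lines, host names, and batch size are constructed for illustration.

```python
"""Added example (not from the InfoWorld review or any vendor): a toy
store-and-forward log collector and a master that runs queries across
peers. All events and host names below are constructed sample data."""
import gzip
import json
import re
from collections import deque

# Constructed sample syslog-style lines, as a local collector would receive them.
SAMPLE_EVENTS = [
    "<86>Mar 10 10:01:02 web01 sshd[2013]: Failed password for root from 203.0.113.5 port 4411 ssh2",
    "<86>Mar 10 10:01:05 web01 sshd[2013]: Failed password for root from 203.0.113.5 port 4412 ssh2",
    "<86>Mar 10 10:02:11 db01 sshd[771]: Accepted publickey for backup from 10.0.0.7 port 50022 ssh2",
    "<38>Mar 10 10:03:40 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP DPT=445",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_event(line):
    """Parse one RFC 3164-style line into a dict; unparseable lines are kept raw."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"host": None, "ts": None, "msg": line, "facility": None, "severity": None}
    pri = int(m.group("pri"))
    return {"host": m.group("host"), "ts": m.group("ts"), "msg": m.group("msg"),
            "facility": pri // 8, "severity": pri % 8}


class Collector:
    """Local collector: parses and buffers events, forwards them upstream in
    compressed batches, and keeps a local index so it can answer peer queries."""

    def __init__(self, name, batch_size=2):
        self.name = name
        self.batch_size = batch_size
        self.pending = deque()   # store-and-forward buffer
        self.index = []          # events this peer retains locally

    def ingest(self, line):
        ev = parse_event(line)
        ev["collector"] = self.name
        self.index.append(ev)
        self.pending.append(ev)

    def drain(self):
        """Return zero or more gzip-compressed JSON batches that are ready to forward."""
        batches = []
        while len(self.pending) >= self.batch_size:
            batch = [self.pending.popleft() for _ in range(self.batch_size)]
            batches.append(gzip.compress(json.dumps(batch).encode()))
        return batches

    def flush(self):
        """Forward whatever is left even if the batch is short (e.g. on shutdown)."""
        if not self.pending:
            return []
        batch = list(self.pending)
        self.pending.clear()
        return [gzip.compress(json.dumps(batch).encode())]

    def search(self, pattern):
        rx = re.compile(pattern)
        return [ev for ev in self.index if rx.search(ev["msg"])]


class Master:
    """Central instance: receives compressed batches from collectors and can
    fan a single query out across all registered peers."""

    def __init__(self):
        self.index = []
        self.peers = []

    def receive(self, blob):
        batch = json.loads(gzip.decompress(blob).decode())
        self.index.extend(batch)
        return len(batch)

    def register(self, peer):
        self.peers.append(peer)

    def search_local(self, pattern):
        """Centralized model: query only the copy forwarded to the master."""
        rx = re.compile(pattern)
        return [ev for ev in self.index if rx.search(ev["msg"])]

    def search_peers(self, pattern):
        """Federated model: one query executed on every peer, results merged and tagged by peer."""
        results = []
        for peer in self.peers:
            results.extend(peer.search(pattern))
        return results


def run_demo():
    """Two sites forward to one master; compare central and cross-peer search."""
    master = Master()
    dc1, dc2 = Collector("dc1", batch_size=2), Collector("dc2", batch_size=2)
    master.register(dc1)
    master.register(dc2)
    for line in SAMPLE_EVENTS[:3]:   # constructed split: three events at site dc1
        dc1.ingest(line)
    for line in SAMPLE_EVENTS[3:]:   # one event at site dc2
        dc2.ingest(line)
    forwarded = 0
    for c in (dc1, dc2):
        for blob in c.drain() + c.flush():
            forwarded += master.receive(blob)
    return {
        "forwarded": forwarded,
        "central_hits": len(master.search_local("Failed password")),
        "federated_hits": len(master.search_peers("Failed password")),
        "peer_of_drop": master.search_peers("DROP")[0]["collector"],
    }
```

The federated path is where the review's caveat bites: every peer must implement the same search semantics, or a cross-peer query silently returns fewer features (or fewer results) than the same query run locally. When evaluating a product, run the same query both ways and compare counts, as `run_demo` does.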
Most vendors will claim that they can work with environments of any size. And many vendors claim to have installed solutions handling tens of billions of messages per day, without client complaint. Ask for customer references, get any performance guarantees in writing, and test thoroughly before committing to a big-dollar purchase.
Management dashboard. Every log management product has a management console dashboard that displays crucial real-time and short-term summary statistics about the log management system itself and the monitored events. Most dashboards include event message counts, local CPU performance, and notification of any critical events.
Almost all allow customization of the dashboard and let you configure what is shown by user or role. In most cases, but not all, dashboard displays are context-sensitive. You can click on a displayed graph to get a more detailed drill-down. A few, like NitroSecurity, allow extensive modifications where almost any metric, graph, or alert can be shown.
User roles are important, as most products allow administrators (who have full privileges) to set up more limited roles. For example, some products allow limited admins to be defined for cases where administrator-level privileges are needed but only for a predefined set of clients: all Windows machines, all Cisco routers, and so on. Most products have a read-only role in which none of the configuration settings can be modified, but the user can run reports and see predefined graphs and metrics. Most of the products allow only two to four roles to be defined, and only let administrators choose which screens are displayed. A few others, including Splunk, NitroSecurity, and LogLogic, allow extensive role definitions where each attribute and field on a screen can be defined per role.
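The role model sketched above (full admins, limited admins scoped to a set of clients, read-only users, and per-role field visibility), as an added example that is not code from the review or from any of the products named. It is a deny-by-default authorization check: an action is allowed only if the role grants it and the target client falls inside the role's scope, and events are redacted per role before display. The client inventory, role names, action names, and event fields are all constructed for illustration.

```python
"""Added example (not from the review or any product): a small role model
for a log management console with full admins, scoped limited admins,
read-only users, and per-role field masking. All names are constructed."""
from dataclasses import dataclass, field

# Constructed inventory of monitored clients.
CLIENTS = [
    {"name": "win-dc01", "os": "windows", "vendor": "microsoft"},
    {"name": "win-fs02", "os": "windows", "vendor": "microsoft"},
    {"name": "rtr-core1", "os": "ios", "vendor": "cisco"},
    {"name": "lnx-web01", "os": "linux", "vendor": "redhat"},
]

# Constructed action names: configuration changes versus read-only use.
CONFIG_ACTIONS = {"edit_parser", "edit_alert", "delete_client"}
READ_ACTIONS = {"run_report", "view_dashboard", "search"}


@dataclass
class Role:
    name: str
    actions: set                                       # actions the role may perform
    scope: dict = field(default_factory=dict)          # client attributes the role is confined to; empty = all clients
    hidden_fields: set = field(default_factory=set)    # event fields masked for this role


ROLES = {
    # Full administrator: every action on every client.
    "admin": Role("admin", CONFIG_ACTIONS | READ_ACTIONS),
    # Limited admins: full privileges, but only over a predefined set of clients.
    "windows_admin": Role("windows_admin", CONFIG_ACTIONS | READ_ACTIONS, scope={"os": "windows"}),
    "cisco_admin": Role("cisco_admin", CONFIG_ACTIONS | READ_ACTIONS, scope={"vendor": "cisco"}),
    # Read-only role: reports and searches only, with sensitive fields masked.
    "auditor": Role("auditor", READ_ACTIONS, hidden_fields={"src_ip", "user"}),
}


def in_scope(role, client):
    """A client is in scope when it matches every attribute the role is confined to."""
    return all(client.get(k) == v for k, v in role.scope.items())


def authorize(role_name, action, client_name):
    """Deny by default: the role must grant the action AND the client must be in scope."""
    role = ROLES[role_name]
    client = next((c for c in CLIENTS if c["name"] == client_name), None)
    if client is None or action not in role.actions:
        return False
    return in_scope(role, client)


def visible_clients(role_name):
    """Clients a role should see at all, e.g. to populate a scoped dashboard."""
    role = ROLES[role_name]
    return [c["name"] for c in CLIENTS if in_scope(role, c)]


def redact(role_name, event):
    """Return a copy of an event with this role's hidden fields masked."""
    hidden = ROLES[role_name].hidden_fields
    return {k: ("***" if k in hidden else v) for k, v in event.items()}
```

The two checks worth carrying into a product evaluation are the negative cases: a scoped admin must be refused a configuration change on a client outside its scope, and a read-only role must be refused every configuration action even on clients it can see.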