InfoWorld review: Better network security, compliance with log management
ArcSight, LogRhythm, and NitroSecurity ace mining event logs for security alerting, compliance auditing, and other uses
Searching stored data. Searching stored data for interesting patterns and events is an important part of log management, and an area where vendors strive to differentiate their products. Vendors will often tout how quickly their filtered searches work across very large amounts of data (although none of these claims were tested in this review). Most offer searches based upon keywords, English phrases, and Boolean logic. Some vendors force the user to type in all search expressions, while others also provide a graphical, pick-and-choose, "build a query" interface. Building a query click by click is helpful in teaching new administrators, although experienced admins almost always prefer the quickness and flexibility of a typed query.
If your organization needs to search a lot of raw, unstructured event logs, ask the vendor if they support search filters across non-normalized data. And if they do, how exactly can you search it, and how do searches of unstructured data differ from searches of structured data? Many vendors only allow keyword searches of raw data, whereas others allow Boolean logic.
Can searches be performed across peers? Among the products reviewed, only ArcSight, LogLogic, LogRhythm, and Splunk can execute searches across multiple nodes. All the products allow search filters to be saved. But the better products allow them to easily be turned into reports and saved for later use. Some products allow search filters to be sent to others and shared, which is particularly helpful in very large environments with many log reviewers.
It's also good to have plenty of built-in, predefined search filters. Some products come with none or just a small sampling. The best products come with dozens of predefined, interesting queries, typically tied to one or more compliance objectives. The most common are for failed logons. A few products, including LogLogic, include "near context" queries that will show 10 or so events before and after a particular message you are interested in.
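The search features discussed above (raw keyword search, typed Boolean queries, field searches over normalized data, and LogLogic-style "near context" queries) in a small, self-contained form. This is an added example, not code from the review or from any of the vendors; the syslog-like line layout, the sample log lines, and the function names are all constructed for illustration.

```python
"""Keyword, Boolean, structured-field and near-context search over a small
constructed event log. Added example: not vendor code, and the line layout
(timestamp host program: message) is an assumption made for this demo."""
import re
from typing import Optional

# Constructed sample log. The last line is deliberately unstructured so the
# difference between raw and normalized search shows up.
SAMPLE_LOG = """\
2024-03-01T08:00:01 web01 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:00:07 web01 sshd: Failed password for root from 198.51.100.9
2024-03-01T08:00:09 web01 sshd: Failed password for root from 198.51.100.9
2024-03-01T08:00:12 db01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart postgres
2024-03-01T08:00:15 web01 sshd: Failed password for admin from 198.51.100.9
2024-03-01T08:00:20 web01 kernel: eth0: link is up
2024-03-01T08:00:31 db01 sshd: Accepted publickey for bob from 10.0.0.7
2024-03-01T08:00:40 web01 sshd: Failed password for root from 198.51.100.9
raw vendor dump user=eve action=download bytes=41943040
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^:]+): (?P<msg>.*)$")


def normalize(line: str) -> Optional[dict]:
    """Parse one line into fields; None when it does not fit the assumed layout."""
    m = LINE_RE.match(line)
    return {**m.groupdict(), "raw": line} if m else None


def keyword_search(lines: list, keyword: str) -> list:
    """Case-insensitive keyword search over raw text: works on any line, normalized or not."""
    kw = keyword.lower()
    return [i for i, line in enumerate(lines) if kw in line.lower()]


def boolean_search(lines: list, expr: str) -> list:
    """Typed Boolean query: clauses separated by OR, each an AND of terms,
    with 'NOT term' negating the term that follows.
    Example: 'failed AND root OR sudo NOT bob'."""
    def clause_matches(line: str, clause: str) -> bool:
        negate = False
        for tok in clause.split():
            if tok.upper() == "AND":
                continue
            if tok.upper() == "NOT":
                negate = True
                continue
            present = tok.lower() in line.lower()
            # Required term missing, or negated term present: clause fails.
            if present == negate:
                return False
            negate = False
        return True

    clauses = re.split(r"\s+OR\s+", expr.strip())
    return [i for i, line in enumerate(lines)
            if any(clause_matches(line, c) for c in clauses)]


def field_search(lines: list, **criteria) -> list:
    """Structured search: exact match on normalized fields. Lines that do not
    normalize are skipped, which is exactly what a raw-only keyword search avoids."""
    hits = []
    for i, line in enumerate(lines):
        rec = normalize(line)
        if rec and all(rec.get(k) == v for k, v in criteria.items()):
            hits.append(i)
    return hits


def near_context(lines: list, index: int, before: int = 10, after: int = 10) -> list:
    """Return the events surrounding one message, like a 'near context' query."""
    lo, hi = max(0, index - before), min(len(lines), index + after + 1)
    return lines[lo:hi]


if __name__ == "__main__":
    print("failed logons:", keyword_search(SAMPLE_LOG, "failed"))
    print("failed AND root:", boolean_search(SAMPLE_LOG, "failed AND root"))
    print("db01 sshd:", field_search(SAMPLE_LOG, host="db01", program="sshd"))
    for line in near_context(SAMPLE_LOG, 4, before=2, after=1):
        print("  ", line)
```

The unstructured last line is found by `keyword_search` but never by `field_search`, which is the practical difference between searching raw and normalized data that the review says to ask vendors about.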
Alerting. Alerting is an important feature of log management and even more essential for SIEM. The vendor should support several different methods of alerting. All the products reviewed have email alerting, and most allow SNMP forwarding. Surprisingly, only a few have SMS alerting or allow analog modem dialing for pagers that lack an Internet interface. Some, including NitroSecurity, interface with common help desk software (usually Remedy) or have their own "help desk" function to help with responses. Most products allow unlimited alerting, but some, notably ArcSight Logger, only allow a limited number of active alerts -- five in the case of Logger. ArcSight's SIEM product has no such limitation.
Alerting comes in several forms. At the very least, alerting allows a notification to be sent if a particular log event is detected, and all products allow alerts to be based upon a certain number of events in a particular time period. One of my favorite alert types is the baseline alerting, in which the product itself determines the "normal" event patterns for the environment, while the admin determines the percentage of deviation to alert on. NitroSecurity supports baselining on every message type, whereas LogLogic's baselining is limited to all messages coming from a particular device or set of devices.
Whatever log management product you choose, make sure it has the ability to throttle alert messaging. Nothing is worse than getting 100 alerts from a single event in the middle of the night.
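The three alert types the review describes, threshold alerts on N events in a time window, baseline alerts on percentage deviation from learned normal volume, and throttling so a single burst yields one notification rather than a hundred, as an added example. This is not code from the review or from any vendor; the event stream, the training period, the bucket size, and the rule parameters are constructed for illustration.

```python
"""Threshold, baseline and throttled alerting over a constructed event stream.
Added example, not vendor code. Events are (timestamp, message type) pairs;
all data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed training period: two hours of steady activity, one auth failure
# every 5 minutes and one successful login every 2 minutes.
T0 = datetime(2024, 3, 1, 0, 0, 0)
HISTORY = sorted(
    [(T0 + timedelta(minutes=m), "auth_failure") for m in range(0, 120, 5)]
    + [(T0 + timedelta(minutes=m), "login_ok") for m in range(0, 120, 2)]
)

# Constructed overnight burst: 20 auth failures in 10 minutes, normal logins.
T1 = datetime(2024, 3, 2, 3, 0, 0)
CURRENT = sorted(
    [(T1 + timedelta(seconds=s), "auth_failure") for s in range(0, 600, 30)]
    + [(T1 + timedelta(minutes=m), "login_ok") for m in (0, 3, 6, 9)]
)


def threshold_alerts(events, msg_type, count, window):
    """Fire when `count` events of msg_type land inside a sliding `window`.
    The window is cleared after each fire so one burst fires once per `count`."""
    recent, fired = deque(), []
    for ts, kind in events:
        if kind != msg_type:
            continue
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= count:
            fired.append(ts)
            recent.clear()
    return fired


def _bucket_counts(events, bucket):
    """Events per message type per fixed-size time bucket, from the first event."""
    start = min(ts for ts, _ in events)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, kind in events:
        counts[kind][int((ts - start) / bucket)] += 1
    n_buckets = int((max(ts for ts, _ in events) - start) / bucket) + 1
    return counts, n_buckets


def learn_baseline(history, bucket):
    """The product's side of baselining: mean events per bucket for each type."""
    counts, n_buckets = _bucket_counts(history, bucket)
    return {kind: sum(per.values()) / n_buckets for kind, per in counts.items()}


def baseline_alerts(baseline, current, bucket, deviation_pct):
    """The admin's side: alert when a bucket deviates more than deviation_pct
    from the learned mean. A type never seen in training is always abnormal."""
    counts, _ = _bucket_counts(current, bucket)
    alerts = []
    for kind, per in counts.items():
        normal = baseline.get(kind, 0.0)
        for b, n in sorted(per.items()):
            deviation = float("inf") if normal == 0.0 else abs(n - normal) / normal * 100
            if deviation > deviation_pct:
                alerts.append((kind, b, n, normal))
    return alerts


class Throttle:
    """Suppress repeat notifications for the same alert key inside a cooldown."""
    def __init__(self, cooldown):
        self.cooldown = cooldown
        self.last_sent = {}

    def should_send(self, key, ts):
        prev = self.last_sent.get(key)
        if prev is not None and ts - prev < self.cooldown:
            return False
        self.last_sent[key] = ts
        return True


def run_pipeline():
    """Run all three alert types over the constructed data and summarise."""
    fires = threshold_alerts(CURRENT, "auth_failure", count=3, window=timedelta(seconds=60))
    throttle = Throttle(cooldown=timedelta(minutes=5))
    sent = [ts for ts in fires if throttle.should_send("auth_failure>=3/60s", ts)]
    bucket = timedelta(minutes=10)
    baseline = learn_baseline(HISTORY, bucket)
    drift = baseline_alerts(baseline, CURRENT, bucket, deviation_pct=50)
    return {"threshold_fires": len(fires), "notifications_sent": len(sent),
            "baseline": baseline, "baseline_alerts": drift}


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

On the constructed burst the threshold rule fires six times in ten minutes; with a five-minute cooldown the throttle lets two notifications through, which is the difference between a useful page and the "100 alerts from a single event" the review warns about. The baseline comparison flags the same burst because 20 failures in a bucket is 900 percent above the learned mean of 2, while the 4 successful logins stay inside the 50 percent tolerance.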