Log management review: ArcSight Logger
ArcSight Logger 4 meets all the requirements of enterprise-grade log management, with plenty of flexibility and options
ArcSight has been a pioneer in the security event management business since 2000, and the company's leadership shows in the richness, flexibility, and maturity of its offering. The product lineup is led by the ArcSight Enterprise Security Manager and Logger event log management appliances, although the company has smaller appliances and companion modules for identity-based and compliance monitoring.
Unlike most of the products in this review (all except Splunk), which throw in some SIEM functionality, Logger is strictly for event log collection and reporting. It doesn't include event processing rule sets or make decisions about incoming information and alert you to security events. Rather, it simply sucks in all of the log information you want to analyze and generates reports on it.
For this review, ArcSight sent me the Logger 4 7200-series appliance (2U) with six 1TB RAID5 drives, the maximum amount of internal storage available. Using default compression, ArcSight says the unit can store 42TB of event storage before needing to archive to external storage, though I did not verify this.
Logger 4 runs on 64-bit Oracle Enterprise Linux with one or two Intel Xeon Quad Core 2.0GHz processors, two or four network interfaces, and 12GB or 24GB of RAM. Initial setup was fast and easy -- standard for today's appliances. Configuration, management, and operations can be done using a command-line interface or an HTTPS-protected Web GUI.