Log management is one of those necessary tasks that every company should do, but that few companies do consistently well. Collecting and analyzing computer and device logs can pay off in many areas, including information security, operations management, application monitoring, system troubleshooting, and compliance auditing. A good log management solution can help with any -- or all -- of these efforts.
Security auditing may be the No. 1 reason why many companies first investigate log management tools. Verizon's "2008 Data Breach Investigations Report" [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
This review covers seven different hardware and software solutions for log management: ArcSight Logger 4.0, GFI EventsManager v.8.2, LogLogic MX3020 v.4.9.1, LogRhythm LR2000-XM v.5.0, NitroSecurity NitroView ESM and ELM v.8.4, Splunk 4.1.2, and Trustwave SIEM.
The goal of this review is to expose readers to a general cross-section of log management features and functionality, including what features set the different solutions apart. It's important to note that while we rank each product across a common set of evaluation criteria (on a scale of 1 to 10, 10 being the highest), the products are often dissimilar to one another -- they are often different classes of products.
For example, ArcSight's single-appliance Logger is strictly a log management solution and therefore lacks a number of features found in NitroSecurity's two-appliance SIEM (security information and event management) solution. My evaluation of both products -- and all the others in this review -- focused only on log management capabilities, and the product scorecards reflect only their log management features. I did not evaluate real-time event correlation -- the hallmark of the SIEM solution -- though I do note in the reviews and the product comparison table where those features are present. It's usually a good thing when a solution offers more capabilities at a given price point.
The product features and functions I did evaluate are those related to collecting, storing, and reviewing the wide variety of event logs a company might want to watch closely. While you won't need a complete and detailed understanding of log management to follow this product review, you might keep in mind the several distinct phases of the log management lifecycle: policy definition, configuration, collection, normalization, indexing, storage, correlation, baselining, alerting, and reporting. (You'll find summaries of these phases in the sidebar, "Living the log management lifecycle," and a more thorough treatment in my downloadable report, "Log Analysis Deep Dive: Finding Gold in Log Files.") The specific product features I examined, and the most important differences among products in this category, are explored in the remainder of this article.
Testing was done in a small private lab with 15 to 20 computers (some physical, some virtual), mimicking a small-business network with Windows, Linux, BSD, routers, and wireless clients. At times, some of the functionality was viewed when the product was running on larger, real production networks or on a remote lab created by the vendor, when more clients better demonstrated a particular feature.
Alerting and reporting (20.0%)
User interface (20.0%)
Overall Score (100%)
|ArcSight Logger 4.0||10.0||9.0||8.0||8.0|
|GFI EventsManager 8.2||7.0||8.0||8.0||8.0|
|LogLogic MX3020 (version 4.9.1)||8.0||8.0||8.0||9.0|
|LogRhythm LR2000-XM (version 5.0)||9.0||9.0||9.0||9.0|
|NitroSecurity NitroView ESM 5750 and ELM 2250||10.0||9.0||9.0||8.0|
Having trouble installing and setting up Win10? You aren’t alone. Here are many of the most common...
Picking an Android phone can be difficult, but we're here to help. These are the top Android phones you...
Confidence in our power over machines also makes us guilty of hoping to bend reality to our code
Sponsored by Hewlett Packard Enterprise
Sponsored by Intel
From machine learning to digital twins, opportunities abound in emerging (and converging) tech trends
From a webcam cover and laptop lock to a USB port blocker and an encrypted flash drive, here are some...
Slack reached a $1 billion valuation faster than any startup in history. Now it must make key decisions...
With new hardware hacking devices, it's absurdly easy to attack organizations through the USB port of...