5 tools for making sense of system logs

Security and systems administrators discuss the best and worst features of log management products such as Splunk, ArcSight and LogRhythm.


Log management software helps IT managers understand and act on the flood of log data spewing from IT systems — to investigate security problems, prevent outages and improve the online customer experience. In essence, logs are a specialized source of business intelligence, while also providing an audit trail for regulatory compliance.

Five of the top log management software products are Splunk, LogRhythm, AlienVault, HPE ArcSight Logger and SevOne, according to online reviews by enterprise users in the IT Central Station community. Those users say that the most important criteria to consider when choosing log management software are speed, stability, ease of use, and robust search capabilities.

Here, users give a shout-out for some of their favorite features, but also give the vendors a little tough love.

Editor’s note: These reviews of select log management software vendors come from the IT Central Station community. They are the opinions of the users and are based on their own experiences.

Splunk

Valuable Features

“Great log management capabilities with flexible and comprehensive search capabilities. It’s scalable and easy to use.”
Vinod S., Manager, Enterprise Risk Consulting at a consultancy
“Fast availability of operational data spread across several servers to prevent or react faster to outages or performance decreases.”
Enrico M., Integration Architect at a manufacturing company
“Its performance, scalability and most importantly the innovative way of collecting and presenting data.”
Hristo D., Systems/Applications Specialist at an energy/utilities company

Room for Improvement

“Operational workflow, use case framework, and ticketing systems to make it suitable for security operations center (SOC) environments.”
Vinod S., Manager, Enterprise Risk Consulting at a consultancy
“It could be easier to set up and add new sources – [operations that] Splunk is improving with every new version.”
Hristo D., Systems/Applications Specialist at an energy/utilities company
“No aggregation: The logs being sent to Splunk are received as-is and sent to the data store. It is not aggregated. This is a good thing for log collection and search performance, but it is not good for underlying storage sizing.”
Vinod S., Manager, Enterprise Risk Consulting at a consultancy

You can read more Splunk reviews on IT Central Station.

LogRhythm

Valuable Features

“The speed at which I can get into forensic data is the most useful thing.”
Matthew M., Lead Specialist for Information Security at a hospitality company
“The product was easy to deploy and easy to learn how to use. The web console is the best I’ve seen, when compared to other SIEMs.”
SrInfoSysSpec477., Senior Information Systems Specialist at a manufacturing company
“The advanced intelligence engine -- in fact, the whole suite -- is very powerful. It depends on how you use it. Security management is what it's best at.”
Ghias M., IT Security Specialist at a manufacturing company

Room for Improvement

“I'd like to see a real-time dashboard of events. I know it's available, but it needs work. I haven't been able to put in the 20 or 30 hours that it would take to really become an expert with it.”
ITDirector685., Director of Information Technology at a university
“The reporting aspect is difficult to use. We had a recent update which fixed a lot of bugs and added a lot of great features. But the reporting is lackluster.”
Ryan C., Information Security Analyst at a financial services firm
“Adding an entity (you should be able to create a template and/or eliminate locations) could be much faster, streamlined.”
VPInfoSec751., VP, Information Security Officer, at a financial services firm

You can read more LogRhythm reviews on IT Central Station.

AlienVault

Valuable Features

“AlienVault provides excellent visibility into your network by combining centralized logging, host-based intrusion detection (IDS) and network IDS.”
Jan W., Security Consultant at a tech consulting company
“Flexibility. It is possible to implement fully customized plug-ins, scripts, etc. We haven't yet found any limitations.”
David R., Chief Information Security Officer at a tech services company
“I work across many diverse networks; AlienVault offers by far the most critical information when analyzing a client’s environment for issues that need to be addressed.”
Jacques T., Security Consultant at a tech consulting company

Room for Improvement

“The reporting could do with some improvements; for example, the vulnerability report only tells you what vulnerabilities are open and lists them, but there is no indication of how old they are at a glance, and what vulnerabilities have been closed since the previous scans.”
InfoSecOfficer506., Group Information Security Officer at a consumer goods company
“The alarms section is very robust, yet I still find myself having to look back through the events to find more details. It would be nice if I could navigate straight to the event from the alarm.”
Trevor S., Information Systems Network Technician at a local government
“The configuration is somewhat complex and the interface a bit non-intuitive. Interpretation of the results can be difficult.”
Alan O., Senior Infrastructure Analyst at a pharma/biotech company

You can read more AlienVault reviews on IT Central Station.

HPE ArcSight Logger

Valuable Features

“It has excellent query syntax and response. Complex queries of large volumes of data generally take [only] seconds [or] minutes.”
Lance A., Senior Security and Compliance Engineer at a retailer
“The server has the ability to provide in-depth, real-time awareness of all activities on the network.”
NwkSpecialist534., Network Specialist at a government agency
“The most valuable features for us are the out-of-the-box device support and multi-tenancy maturity, compared to other SIEMs.”
Mayur M., SIEM Administrator at a tech services company

Room for Improvement

“With the connectors, there were some legacy devices that had some problems since support was dropped for those.”
QAConsultant390., QA Consultant / Security Testing Professional at a tech company
“I wouldn’t mind adding a few features such as grouping of events (based on the name, source address, etc.) in real-time rather than requiring the running of reports every time.”
Zulfikhar N., Security Solutions Delivery Engineer at a tech services company

You can read more HPE ArcSight Logger reviews on IT Central Station.

SevOne

Valuable Features

“The most valuable feature for us is its flexibility to handle different systems and different functions. We use it for networking, service systems, power distribution units….”
Tools&AutomationMngr916., Manager of Tools and Automation at a tech company
“The features we are seeing the greatest benefit from are the enhanced reporting, net-flow data collection, and the data retention.”
Jonas S., SaaS Engineer at a tech vendor
“The most valuable features for us are the huge number of network devices it can monitor. It has a lot of useful features; not only the basic things like measurements of CPU, disk, and memory, but it also has the ability to measure net flow.”
InfoMngmtSrEng609., Information Management Senior Engineer at a tech services company

Room for Improvement

“I think that the downstream suppression could be improved. Suppression [now] must all be done manually, but improvement is on SevOne's roadmap, I believe.”
Eric S., Chief Technology Officer at an aerospace/defense firm
“It needs a platform to add portals. Some of the low-level features and how they work could use some improvements.”
Abdul-Bari K., Senior Software Engineer at a communications service provider
“The initial setup must be planned well to fit your environment. The product is perpetually evolving with a number of complementary products in the pipeline.”
Ken O., Network Management Development and Support at a tech services company

You can read more SevOne reviews on IT Central Station.

This story, "5 tools for making sense of system logs" was originally published by CSO.


Copyright © 2016 IDG Communications, Inc.