ArcSight Logger review

Unlike most of the products in this review (all except Splunk), which throw in some SIEM functionality, Logger is strictly for event log collection and reporting. It doesn't include event processing rulesets or make decisions about incoming information and alert you to security events. Rather, it simply sucks in all of the log information you want to analyse and generates reports on it.

For this review, ArcSight sent me the Logger 4 7200-series appliance (2U) with six 1TB RAID5 drives, the maximum amount of internal storage available. Using default compression, ArcSight says the unit can store 42TB of event storage before needing to archive to external storage, though I did not verify this.

Logger 4 runs on 64-bit Oracle Enterprise Linux with one or two Intel Xeon Quad Core 2.0GHz processors, two or four network interfaces, and 12GB or 24GB of RAM. Initial setup was fast and easy, standard for today's appliances. Configuration, management, and operations can be done using a command-line interface or an HTTPS-protected web GUI.

Two of ArcSight's strengths are the number of client platforms it supports and the many ways that event messages can be sent to the Logger. In addition to being forwarded to Logger directly by the hosts using native protocols (UDP, TCP, Syslog, FTP, SCP and so on), event messages can be picked up using a variety of different methods (including text files) or collected and sent using agent software called Connectors. ArcSight provides well over 100 different types of connectors, more than any other vendor. If I could think of it, they had it. If they don't have it, you can probably build it. ArcSight FlexConnectors allow admins to create customised connectors for devices and applications that cannot use existing connectors.

Connectors pick up events in their native format, normalise the data, and deliver the structured data to the ArcSight appliance. Connectors give structure to any unstructured log data, which is important because you cannot run ArcSight reports on unstructured data, though you can run text searches on it. Connectors can also perform event filtering, event message caching, and network bandwidth throttling. The only downside is that ArcSight's connector agents are fairly large (their Windows connector is 179MB) compared to other client-side agents and can take more than 10 minutes to install.

Events can also be collected by one Logger and forwarded to other Loggers and ArcSight solutions, a handy feature for handling remote offices. ArcSight claims that more than 100,000 events per second can be sent to one appliance. I did not stress test this claim, but in my limited tests, Logger handled complex queries against gigabytes of data very well.

Events are collected into individual, customisable storage groups (up to five), which can be set up for particular device types, for different networks, or to meet different collection needs. Storage groups can be configured for size, maximum event age, and reporting priorities. Storage groups are a great feature for managing device resources, and ArcSight's were the most customisable among the products in this review.