ArcSight Logger review
By Roger A Grimes | InfoWorld | Published: 16:14, 04 August 2010
The initial logon takes you to a role-customisable dashboard, which at first focuses on monitoring the system's performance, including CPU utilisation and event logging metrics. Most admins will spend much of their time within the Analyse tab, where search queries and alerts can be defined.
Search queries can be composed of keyword searches (for raw text searches across structured and unstructured data), as well as Boolean logic, and complex searches can be built using the Search Builder.
Directly typing in search queries is the fastest method for experienced admins, but the large number of expression choices can be intimidating to new users. Beyond understanding Boolean logic, advanced queries require an understanding of Logger's schema and the data it is collecting. Here's an example of a complex query:
failed AND name="*[Bad Logon]*" AND categoryBehavior CONTAINS Stop NOT ("192.168.4*" OR REGEX=":\d31")
Luckily, the Search Builder graphically presents the various structured data fields available and lets the user point and click their way into complex queries. Search queries can be saved and even analysed before running to find any weaknesses.
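To make the structure of such a query concrete, here is an added example (my own illustration, not ArcSight code and not Logger's actual query engine) of a small evaluator that parses a filter written in the style of the query above and runs it over a handful of constructed events. The semantics are assumptions chosen to match the review's example: a bare keyword is matched against the text of every field, field="value" allows * wildcards, field CONTAINS does a case-insensitive substring test, REGEX= is applied to the raw message, NOT binds tighter than AND, AND tighter than OR, and two adjacent terms with no operator are ANDed (which is how the example's "Stop NOT (...)" is read). The sample events and their field values are constructed for the demonstration.

```python
import re
from typing import Callable, Dict, List

# An event is a flat mapping of field name -> value; "raw" holds the original message text.
Event = Dict[str, str]
Predicate = Callable[[Event], bool]

# Constructed sample events, not data from any Logger deployment. Field names follow the
# ones used in the review's example query (name, categoryBehavior); the rest are illustrative.
SAMPLE_EVENTS: List[Event] = [
    {"raw": "failed logon for alice from 10.0.0.5", "name": "[Bad Logon] alice",
     "categoryBehavior": "/Authentication/Verify/Stop", "sourceAddress": "10.0.0.5"},
    {"raw": "failed logon for bob from 192.168.4.7", "name": "[Bad Logon] bob",
     "categoryBehavior": "/Authentication/Verify/Stop", "sourceAddress": "192.168.4.7"},
    {"raw": "failed logon for dave from 10.0.0.8 session 4:231", "name": "[Bad Logon] dave",
     "categoryBehavior": "/Authentication/Verify/Stop", "sourceAddress": "10.0.0.8"},
    {"raw": "successful logon for carol from 10.0.0.9", "name": "Logon Success",
     "categoryBehavior": "/Authentication/Verify", "sourceAddress": "10.0.0.9"},
    {"raw": "service failed to start", "name": "Service Failure",
     "categoryBehavior": "/Execute/Stop", "sourceAddress": "10.0.0.9"},
]

# Tokens: double-quoted strings, parentheses, '=', or bare words.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\(|\)|=|[^\s()=]+')


def unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def wildcard(pattern: str) -> "re.Pattern[str]":
    """Translate a '*'-wildcard pattern into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


class QueryParser:
    """Recursive-descent parser: NOT binds tightest, then AND (explicit or implicit), then OR."""

    def __init__(self, query: str) -> None:
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def parse_or(self) -> Predicate:
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, self.parse_and())
        return left

    def parse_and(self) -> Predicate:
        left = self.parse_not()
        # Two adjacent terms with no operator are treated as AND (an assumption of this toy).
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND":
                self.take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, self.parse_not())
        return left

    def parse_not(self) -> Predicate:
        if self.peek() == "NOT":
            self.take()
            inner = self.parse_not()
            return lambda e: not inner(e)
        return self.parse_atom()

    def parse_atom(self) -> Predicate:
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if self.peek() == "=":
            self.take()
            value = unquote(self.take())
            if tok == "REGEX":  # REGEX=... is matched against the raw message text
                rx = re.compile(value)
                return lambda e: rx.search(e.get("raw", "")) is not None
            rx = wildcard(value)  # field=value with '*' wildcards
            return lambda e: rx.match(e.get(tok, "")) is not None
        if self.peek() == "CONTAINS":  # field CONTAINS substring (case-insensitive)
            self.take()
            needle = unquote(self.take()).lower()
            return lambda e: needle in e.get(tok, "").lower()
        rx = wildcard("*" + unquote(tok) + "*")  # bare keyword: search every field's text
        return lambda e: any(rx.match(v) for v in e.values())


def search(query: str, events: List[Event]) -> List[Event]:
    """Compile the query once, then return the events it matches, in input order."""
    pred = QueryParser(query).parse()
    return [e for e in events if pred(e)]


if __name__ == "__main__":
    q = r'failed AND name="*[Bad Logon]*" AND categoryBehavior CONTAINS Stop NOT ("192.168.4*" OR REGEX=":\d31")'
    for hit in search(q, SAMPLE_EVENTS):
        print(hit["name"], "<-", hit["raw"])
```

Run against the constructed events, the review's query keeps only the alice event: bob is dropped by the 192.168.4* exclusion, dave by the regex on ":231", carol because nothing in the event says "failed", and the service failure because its name field does not match. Compiling the filter into a predicate tree before scanning is also the reason a query can be inspected and saved independently of the data it runs on, which is the workflow the Search Builder supports.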
No matter how you construct the query filter, the query itself is very fast. Most queries, even across tens of millions of events, only took seconds. Each query result includes how long it took the query to execute and how many events per second it queried to reach those findings. Queries can be executed across multiple Loggers at once. Results can be saved and exported, and the query can be turned into an alert. One note of caution: ArcSight has artificially limited Logger to five active alerts at once. More flexible alerting can be enabled in ArcSight's other products.
Reporting is another strong feature. Logger comes with many built-in reports; my favourite was the SANS Top Five report set and the ability to create customised reports. Logger has the most design and editing options for reports of any product in this review. Reports can be ad hoc, run on a predetermined schedule, converted into multiple formats (including HTML, PDF and Microsoft Excel), or added to the dashboard.
There are four main types of Logger users: System Admins, Logger Operators, event log Searchers, and Reporters, who can only manipulate the reporting options. Each role can be configured with different levels of access and permissions. Other minor features, such as query granularity and storage rules, are continued evidence of Logger's maturity. Nearly every feature allows customisation, scheduling, export, and performance optimisation. Most data streams are encrypted by default, and Logger supports FIPS 140-2 encryption, certificates, and one-time passwords for remote technical support.