Better network security, compliance with log management
By Roger A Grimes | InfoWorld
Published: 17:22 GMT, 04 August 2010
Log management is one of those necessary tasks that every company should do, but that few companies do consistently well. Collecting and analysing computer and device logs can pay off in many areas, including information security, operations management, application monitoring, system troubleshooting, and compliance auditing. A good log management solution can help with any, or all, of these efforts.
- ArcSight Logger
- GFI EventsManager
- LogLogic MX3020
- LogRhythm LR2000-XM
- NitroSecurity NitroView ESM and ELM
- Splunk 4
- Trustwave SIEM
Security auditing may be the No. 1 reason why many companies first investigate log management tools. Verizon's "2008 Data Breach Investigations Report" [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
This review covers seven different hardware and software solutions for log management: ArcSight Logger 4.0, GFI EventsManager v.8.2, LogLogic MX3020 v.4.9.1, LogRhythm LR2000-XM v.5.0, NitroSecurity NitroView ESM and ELM, Splunk 4.1.2, and Trustwave SIEM.
The goal of this review is to expose readers to a general cross-section of log management features and functionality, including the features that set the different solutions apart. It's important to note that while we rank each product across a common set of evaluation criteria (on a scale of 1 to 10, 10 being the highest), the products are often dissimilar to one another; in many cases they belong to different classes of product altogether.
For example, ArcSight's single-appliance Logger is strictly a log management solution and therefore lacks a number of features found in NitroSecurity's two-appliance SIEM (security information and event management) solution. My evaluation of both products, and all the others in this review, focused only on log management capabilities, and the product scorecards reflect only their log management features. I did not evaluate real-time event correlation, the hallmark of the SIEM solution, though I do note in the reviews and the product comparison table where those features are present. It's usually a good thing when a solution offers more capabilities at a given price point.
The product features and functions I did evaluate are those related to collecting, storing, and reviewing the wide variety of event logs a company might want to watch closely. While you won't need a complete and detailed understanding of log management to follow this product review, you might keep in mind the several distinct phases of the log management lifecycle: policy definition, configuration, collection, normalisation, indexing, storage, correlation, baselining, alerting, and reporting. The specific product features I examined, and the most important differences among products in this category, are explored in the remainder of this article.
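As an added illustration, not taken from the article or from any of the reviewed products, the constructed Python sketch below walks a handful of made-up log lines through the normalisation, indexing, baselining and alerting phases named above. The line formats, hostnames and addresses are invented for the example; the threshold of three failures stands in for a real baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (invented for this example): four syslog-style sshd
# lines and two Windows-style logon lines in a made-up key=value format.
RAW_EVENTS = [
    "Aug  4 17:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Aug  4 17:01:05 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Aug  4 17:01:09 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51024 ssh2",
    "Aug  4 17:02:11 web01 sshd[1230]: Accepted password for alice from 198.51.100.7 port 40111 ssh2",
    "2010-08-04 17:03:40 DC01 EventID=4625 Account=bob Source=203.0.113.5 Status=LogonFailure",
    "2010-08-04 17:03:55 DC01 EventID=4624 Account=bob Source=198.51.100.9 Status=LogonSuccess",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WINLOG_RE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"Account=(?P<user>\S+) Source=(?P<src>\S+)")

def normalise(line):
    """Normalisation phase: map either raw format onto one common schema."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = WINLOG_RE.match(line)
    if m:  # 4625 is the Windows logon-failure event; anything else here counts as success
        return {"host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["eid"] == "4625" else "success"}
    return None  # a real product would store unparsed lines raw; we drop them

def build_index(events):
    """Indexing phase: inverted index from (field, value) to event positions."""
    index = defaultdict(list)
    for i, ev in enumerate(events):
        for field, value in ev.items():
            index[(field, value)].append(i)
    return index

def failed_logons_by_source(events):
    """Baselining input: logon failures counted per source address across all hosts."""
    return Counter(ev["src"] for ev in events if ev["outcome"] == "failure")

def alerts(events, threshold=3):
    """Alerting phase: sources whose failure count reaches the (assumed) threshold."""
    return sorted(src for src, n in failed_logons_by_source(events).items() if n >= threshold)

def run(lines=RAW_EVENTS, threshold=3):
    events = [ev for ev in map(normalise, lines) if ev]
    return {"events": events, "index": build_index(events), "alerts": alerts(events, threshold)}
```

Because the Windows and Linux failures are normalised into one schema first, the address that fails against both hosts is counted once across the whole estate rather than per device.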
Testing was done in a small private lab with 15 to 20 computers (some physical, some virtual), mimicking a small-business network with Windows, Linux, BSD, routers, and wireless clients. At times, some of the functionality was viewed when the product was running on larger, real production networks or on a remote lab created by the vendor, when more clients better demonstrated a particular feature.
I did not test vendor performance or compression reports, both of which are often exaggerated. Some vendors felt this was unfortunate because one of their strongest claims of competitive advantage was in dealing quickly with huge amounts of data. We recommend testing real-life performance before buying any log management product. This author has seen many log management products perform well when handling a few hundred machines but slow to a crawl when handling a few thousand computers.
In a pleasant turn of events (excuse the pun), I felt all of the reviewed items were solid products ready to be deployed on any company's network. Not one of the products tested would fail to provide value, although of course some would provide more value than others. Every reviewed product worked as advertised, had a myriad of useful features, and was mature enough to be used in a production environment. The top goal of this review was to highlight the features that made each product competitively distinct so that readers can decide which ones might make sense for testing in their environment.
Log management evaluation guide
This section will discuss the various features available in each of the log management products tested and should help provide a framework for evaluating any other log management solution. For the seven products reviewed, I've also included a handy log management product comparison spreadsheet to help in your evaluation.
One of the first decisions to be made is whether to use an all-inclusive appliance or a software-based product. Most log management products come as appliances simply because appliances typically handle the performance and storage requirements more easily than a software product running on a general-purpose operating system. Yes, it is true that administrators could configure and optimise a software product's underlying host OS to be as efficient as an appliance; after all, an appliance is just an operating system host running log management software. With appliances, however, the hard configuration and optimisation work is already done.
The downside of appliances is that they tend to be limited to a few off-the-shelf configurations and disk capacities, and their underlying operating system, often a Linux distro or Microsoft Windows, may be harder to patch. Although most of the appliance vendors in this review claimed to keep the underlying host patched and up-to-date as a part of their normal product upgrades (which are often automated), I found many products running older versions of code, such as the Apache web server, with known vulnerabilities for which patches are available. If you decide to use an appliance, ask the vendor whether they update the underlying OS quickly when patches are available. If allowed under the licensing agreement, also consider testing the product for vulnerabilities before buying.