Log management reins in security and network device data


This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."

Download it now to read this article plus other related content.

In some cases, a log management tool is seen as the first step in the analytical chain. But the market for such tools has become confusing, with dual product lines from log management vendors that have branched out into the security information management (SIM) space, and SIM vendors that offer other versions of their products for log management.

"Increasingly our midsized customers want to just get their auditors off their back and don't necessarily want to implement a full-blown SIM," says Tracy Hulver, vice president of marketing and product development of netForensics.

The issue is that the two approaches--SIMs and log management tools--serve different masters and are often two different products, with SIMs focused on correlation and real-time alerts, and log managers emphasizing long-term archiving and evidence preservation. "Log management is more useful for ad hoc, after-the-fact investigation, while SIM is more concerned about codifying the business rules and notifying the security team to respond to a problem," says Hugh Njemanze, CTO and executive vice president of engineering of ArcSight.

As a result, some of the SIM and log management product lines have been developed independently, even those sold by the same vendor. For example, netForensics and NetIQ don't offer a common repository for their two product lines, although the former is working toward this goal and hopes to have a unified repository by the

    Requires Free Membership to View

end of this year. "In the past we had a single repository for our SIM and log management product lines but there were some issues," says NetIQ's Pick. "Now we have a SQL database on the real-time side for the SIM, and have flat files that are indexed for the log archive server."

Another difference between log management tools and SIMs is how they analyze data. Most log managers do "free text" searching, which is useful for finding particular records that can be used for legal evidence. SIMs tend to normalize and analyze network events and can correlate different conversations between computers or IP addresses, which is useful in resolving incidents or tracking down exploits.

Choosing between a SIM and a log management tool depends on your organization's log management goals. If compliance and auditing requirements are your pressing issues, then start with a traditional log management tool. If you're more worried about breaches, start with a SIM.

In the end, you may decide you need both.

This was first published in October 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: