Log management reins in security and network device data


This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."


The standby in the logging world is syslog, which provides a framework for collecting and storing log data but has well-known performance issues and can drop data during periods of high network use. Some vendors also support a more recent version called syslog-ng (for next generation), which adds delivery over TCP instead of UDP.

"Syslog-ng tries to solve that problem with guaranteed delivery, but that can slow down the collection process," says ArcSight's Njemanze. The trade-off is between a high-performance collector that misses some log events but keeps up with real-time traffic analysis for threat mitigation, and a more complete collector that lags behind in real-time collection.

"When you are capturing all this log data you shouldn't be forced to filter or normalize any of it, because that slows things down," says Stevens.

As a result, LogLogic offers two different log management product lines. One stores its logs in a SQL database, while the other uses raw files. "It is important to do both," says Anton Chuvakin, director of product management of LogLogic. "Some users of log data want the flexibility to do visualization and compliance reports, while others want to be able to do full text searches."
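As an added illustration of the "do both" approach described above (example code written for this article, not LogLogic's product): every line is kept verbatim for full-text search, while the parseable fields of each line are also written to a SQL table for reporting. The sample syslog lines and the BSD-style parsing pattern are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample lines in the classic BSD syslog shape: <PRI>timestamp host message.
SAMPLE_LINES = [
    "<34>Oct  1 12:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=23",
    "<86>Oct  1 12:00:02 srv02 sshd[4242]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2",
    "<13>Oct  1 12:00:03 srv02 app: user bob logged in",
    "this line is not well-formed syslog",  # devices do emit junk; it must not be lost
]

# Assumed BSD-style layout: <PRI>, "Mmm dd hh:mm:ss", hostname, free-text message.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Return (facility, severity, timestamp, host, message), or None if the line cannot be normalized."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity; 23 * 8 + 7 is the maximum
        return None
    return pri // 8, pri % 8, m.group(2), m.group(3), m.group(4)

class LogStore:
    """Raw lines are stored untouched; a normalized copy of parseable lines feeds SQL reports."""
    def __init__(self):
        self.raw = []  # stand-in for the raw log file: append-only, nothing rewritten
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE events (facility INT, severity INT, ts TEXT, host TEXT, msg TEXT)")

    def ingest(self, line):
        self.raw.append(line)  # raw copy first, so a parse failure can never drop a record
        fields = parse_syslog(line)
        if fields is not None:
            self.db.execute("INSERT INTO events VALUES (?,?,?,?,?)", fields)

    def search_raw(self, needle):
        """Full-text style lookup over the verbatim lines, including ones that failed to parse."""
        return [line for line in self.raw if needle in line]

    def count_by_host(self, max_severity):
        """Report from the normalized table: events per host at or above a severity (0 = most severe)."""
        rows = self.db.execute(
            "SELECT host, COUNT(*) FROM events WHERE severity <= ? GROUP BY host", (max_severity,))
        return dict(rows.fetchall())

    def normalized_count(self):
        return self.db.execute("SELECT COUNT(*) FROM events").fetchone()[0]

if __name__ == "__main__":
    store = LogStore()
    for line in SAMPLE_LINES:
        store.ingest(line)
    print(len(store.raw), "raw lines kept,", store.normalized_count(), "normalized")
    print(store.count_by_host(5))
```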

"In practice, most of our customers tend to go with traditional syslog because they want to see current messages, even if this means that they lose a few in the collection process. Whichever method you employ, make sure that the system you use to capture logs has the capacity to keep up with the message traffic," says Njemanze.

"Syslog is pretty bad and has all sorts of issues, but it's also really common, and there are millions of devices that write to its format," says Chuvakin. "Sometimes convenience can override security concerns."

Without a doubt, log management is a tough task to tackle, but the security and compliance benefits it can provide have become essential. And while the market of available tools that can help ease the process is rather convoluted, it may become clearer as vendors hone their products. Both log managers and SIMs will continue to converge as vendors add features to complement and extend their product lines. For the next few years, however, it is likely that IT and security managers will need both kinds of products to satisfy multiple needs.

This was first published in October 2007
