I looked at their product but didn't evaluate it closely enough to give an informed opinion. I can offer some suggestions about what to think about when looking at consoles:

1. The rate that they can accept events is pretty meaningless. How many inserts/queries can their database handle per second? That will make more of a difference. How many events per second can a large set of rules be evaluated against?

2. How intuitive is the interface? You want your analysts (or your NOC monkeys even) to be thinking about the data, not how to get to the data.

2a. How easy is it to modify the interface to suit particular users or purposes?

3. How powerful is the correlation language that they let you use? Can it handle statistical rules? E.g. create an alert if you see an increase of X% in any event from any source or to any destination.

4. How well does the product actually understand the alerts it is accepting? Does it just know how to split up the fields, or does it actually understand that a Sendmail event from a BSD system may be related to an Exchange event from a Win2K system?

4a. Remember, if you are willing to build all the intelligence from scratch, products like NetIQ and HP OpenView have been doing this for much longer and can give you a suite of tools to build anything you'd like. The question is whether that's what you want.

I'm pretty sure Talisker (who runs www.networkintrusion.co.uk) is about to do an update to his console page (it's somewhat out of date currently): http://www.networkintrusion.co.uk/consoles.htm which would be a good place to look. He's also got some additional questions that are worth thinking about.

toby

-----Original Message-----
From: Robert van den Breemen [mailto:rvdbreemenat_private]
Sent: Friday, March 14, 2003 10:27 PM
To: loganalysisat_private
Subject: [logs] Appliancebased Logging

Hi everyone,

Yesterday I had a presentation by Network Intelligence Corporation (http://www.network-intelligence.com) of their product suite.

I was wondering if anyone on this list can share their experiences with this product line. It seems to be quite a total solution for implementing a logging infrastructure, including reporting & event correlation... The product is called: Envision. The appliance seems to have a high sustained performance of up to 6000 events per second (log lines per second)...

Anyone with any experience? It seems to be a company that focussed on the States.

Greetings,
Robert

PS. Other products in their shop are: Private I for example, which ships with PIX I think.

--
_///_ /(@ @)\ ==o00o=(_)=o0oo==[ Robert van den Breemen ]====

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
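The statistical rule toby describes under point 3 (alert on an X% increase of an event type from any source or to any destination between consecutive windows), as an added example that is not part of either message and not code from any product named in the thread. The event tuples, window numbers, addresses and the `mailhost` destination are constructed sample data.

```python
"""Percent-increase correlation rule over windowed event counts.

Each event is a constructed tuple (window, event_type, source, destination);
in a real console the window would come from the syslog timestamp.
"""
from collections import Counter, defaultdict

# Constructed sample: window 0 is the baseline, window 1 is the current window.
SAMPLE_EVENTS = (
    [(0, "ssh_auth_failure", "10.0.0.5", "mailhost")] * 2
    + [(0, "ssh_auth_failure", "10.0.0.9", "mailhost")]
    + [(1, "ssh_auth_failure", "10.0.0.5", "mailhost")] * 5   # 2 -> 5, +150%
    + [(1, "ssh_auth_failure", "10.0.0.9", "mailhost")]       # 1 -> 1, +0%
    + [(1, "ssh_auth_failure", "10.0.0.77", "mailhost")] * 3  # new source, no baseline
)


def count_per_window(events, key):
    """Return {window: Counter{(event_type, source_or_destination): n}}."""
    counts = defaultdict(Counter)
    for window, etype, src, dst in events:
        counts[window][(etype, src if key == "source" else dst)] += 1
    return counts


def percent_increase_alerts(events, threshold_pct, key="source", min_baseline=1):
    """Alert when a (event_type, key) count rises by >= threshold_pct
    from one window to the next. Keys with a baseline below min_baseline
    are skipped: a jump from 0 is undefined and from 1 is mostly noise,
    so such keys are better handled by a separate 'new source' rule."""
    counts = count_per_window(events, key)
    windows = sorted(counts)
    alerts = []
    for prev, cur in zip(windows, windows[1:]):
        for k, n in counts[cur].items():
            base = counts[prev].get(k, 0)
            if base < min_baseline:
                continue
            pct = (n - base) * 100.0 / base
            if pct >= threshold_pct:
                alerts.append({"window": cur, "event": k[0], key: k[1],
                               "baseline": base, "count": n, "increase_pct": pct})
    return alerts


if __name__ == "__main__":
    for a in percent_increase_alerts(SAMPLE_EVENTS, 100):
        print("ALERT", a)
    for a in percent_increase_alerts(SAMPLE_EVENTS, 100, key="destination"):
        print("ALERT", a)
```

With the sample data and a 100% threshold, the per-source rule fires only for 10.0.0.5 (2 to 5 events), while the per-destination rule fires for mailhost because its total went from 3 to 9.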
This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 12:59:16 PST