// Disclaimer: Vendor response

Hi Anthony:

The right answer depends on your project's objectives.

For compliance and forensic purposes (e.g. Sarbanes-Oxley), where you need to store all log entries for years, high-volume applications (greater than, say, 10-20 million entries per day) require non-relational solutions such as Addamark LMS (www.addamark.com) - the horsepower required for a relational approach to manage high insert rates and the associated indices required for fast reporting can create major performance headaches and storage problems (read: lots of expensive server and CPU hardware).

If you want correlation as a real-time security management tool to help reduce false positives, manage point-solution console glut and identify blended threats, then what you need is a security event correlation product such as Open's Security Threat Manager (STM): http://www.open.com/products/threatmanager/threatmanager.shtml

STM correlates events from servers and sentry systems with vulnerability data, asset values and lines of business to pull the threat signal from the log noise -- the goal here being compromise prevention, more efficient use of your time, and ultimately a more secure company.

Whatever the need, ensure that as part of your project you understand the following aspects of the solutions you're examining. There are fundamental differences among vendors that can have both short- and long-term effects on your success and total cost of ownership (TCO); effects that go way beyond basic features, capabilities and the product's software license, such as:

- Architecture: can it scale, and if so, how? Is it easy to scale out, or does it only scale up?
- System configuration, implementation needs: how long to get started?
- Ongoing admin needs: if correlation is to save me time, is that saved time used up writing rules, administering the system, etc.?
- Hardware / platform needs: how much iron do I need? Do I need a SAN?
- Other software costs: e.g. do I need to provide DB licenses myself?
- High availability / failover approach.

Thanks,

Phil Hollows
VP Security Products
OpenService, Inc.
http://www.open.com
508.599.2000

-----Original Message-----

Hi everyone,

I was wondering if anyone knows of a tool for log-file correlation and analysis. By that I mean being able to see, in a unified form and arranged chronologically, log entries from a variety of disparate and distributed systems. For example, web servers, application servers, operating systems and database servers.

Thanks for any pointers that you can provide.

Best Regards,
Anthony Butler
Amcor

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
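The unified, chronological view Anthony asks for, as an added worked example that is not code from either poster or from any vendor named in the thread: three constructed log formats (an Apache combined access log, RFC 3164-style syslog, and a PostgreSQL-style server log) are parsed into one record type, every timestamp is normalised to UTC, and the entries are sorted into a single timeline. Host names, addresses, PIDs and message text are made up; the parsers and field layout are this example's own assumptions, not any product's schema. The point a practitioner should take from it is the timestamp problem: the three sources carry local time with an offset, no year or zone at all, and an explicit zone respectively, and the merge is only correct once all three are brought to one clock.

```python
"""Chronological merge of log entries from disparate systems.

Added example for this thread (not code from either poster or any vendor):
three constructed sample formats are parsed into one record type, timestamps
are normalised to UTC, and the result is sorted so entries from web, OS and
database logs can be read as a single timeline. Lines that no parser accepts
are returned separately rather than silently dropped.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime   # always timezone-aware UTC, so entries from different zones sort correctly
    source: str    # which kind of log the entry came from
    host: str      # which system emitted it
    message: str   # normalised one-line summary


# Constructed sample lines, not real log data. Note the three timestamp
# conventions: local time with offset, no year/zone at all, explicit zone name.
APACHE_LINES = [
    '10.0.0.5 - - [08/Apr/2004:09:01:02 -0700] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Apr/2004:09:01:07 -0700] "POST /login HTTP/1.1" 401 0',
    'this line is deliberately malformed',
]
SYSLOG_LINES = [
    'Apr  8 16:01:05 app01 sshd[2201]: Failed password for admin from 10.0.0.5 port 4444 ssh2',
]
PG_LINES = [
    '2004-04-08 16:01:09 UTC [3310] ERROR:  permission denied for relation accounts',
]

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$')
PG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) \[(?P<pid>\d+)\] (?P<msg>.*)$')


def parse_apache(line: str, host: str) -> Optional[Event]:
    """Apache combined log: the timestamp carries its own UTC offset."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    return Event(ts, 'apache', host, f"{m['ip']} {m['req']} -> {m['status']}")


def parse_syslog(line: str, year: int, tz: timezone) -> Optional[Event]:
    """RFC 3164 syslog: no year and no zone, so the caller must supply both."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
    return Event(naive.replace(tzinfo=tz).astimezone(timezone.utc), 'syslog', m['host'], m['msg'])


def parse_postgres(line: str, host: str) -> Optional[Event]:
    """PostgreSQL-style log: timestamp followed by a zone name or numeric offset."""
    m = PG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
    tz = timezone.utc if m['tz'] in ('UTC', 'GMT') else datetime.strptime(m['tz'], '%z').tzinfo
    return Event(naive.replace(tzinfo=tz).astimezone(timezone.utc), 'postgres', host,
                 f"[{m['pid']}] {m['msg']}")


def build_timeline(sources) -> Tuple[List[Event], List[str]]:
    """Parse every (parser, lines) pair; return events sorted by UTC time plus
    the raw lines no parser accepted, so nothing is lost without a trace."""
    events: List[Event] = []
    rejected: List[str] = []
    for parse, lines in sources:
        for line in lines:
            ev = parse(line)
            if ev is None:
                rejected.append(line)
            else:
                events.append(ev)
    # sorted() is stable: entries with equal timestamps keep their input order
    return sorted(events, key=lambda e: e.ts), rejected


def sample_timeline() -> Tuple[List[Event], List[str]]:
    """Run the merge over the constructed samples above (syslog assumed UTC, year 2004)."""
    return build_timeline([
        (lambda l: parse_apache(l, 'web01'), APACHE_LINES),
        (lambda l: parse_syslog(l, 2004, timezone.utc), SYSLOG_LINES),
        (lambda l: parse_postgres(l, 'db01'), PG_LINES),
    ])


def render(events: Iterable[Event]) -> List[str]:
    """One fixed-width line per event, oldest first."""
    return [f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {e.source:8} {e.host:6} {e.message}"
            for e in events]


if __name__ == '__main__':
    evs, bad = sample_timeline()
    print('\n'.join(render(evs)))
    print(f'{len(bad)} unparsed line(s)')
```

Run as a script it prints the four parsed entries in time order (the web login attempts, the SSH failure and the database permission error interleave, which is exactly what a per-system view hides) and reports the one malformed line. Two design choices matter more than the regexes: syslog's missing year and zone are supplied explicitly by the caller instead of being guessed, and unparseable lines are returned rather than discarded, because a correlation view that quietly drops input is worse than one that admits a gap.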
This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 09:12:03 PDT