RE: [logs] Products for log correlation

From: Phil Hollows (phil@private)
Date: Thu Apr 08 2004 - 08:54:13 PDT


    // Disclaimer: Vendor response
    
    Hi Anthony:
    
    The right answer depends on your project's objectives.  For compliance and
    forensic purposes (e.g. Sarbanes-Oxley), where you need to store all log
    entries for years, high volume applications (greater than, say, 10-20 million
    entries per day) require non-relational solutions such as Addamark LMS
    (www.addamamrk.com) - the horsepower required for a relational approach to
    manage high insert rates and associated indices required for fast reporting
    can create major performance headaches and storage problems (read: lots of
    expensive server and CPU hardware).
    
    If you want correlation as a real-time security management tool to help
    reduce false positives, manage point solution console glut and identify
    blended threats then what you need is a security event correlation product
    such as Open's Security Threat Manager (STM):
    http://www.open.com/products/threatmanager/threatmanager.shtml   
    
    STM correlates events from servers and sentry systems with vulnerability
    data, asset values and lines of business to pull the threat signal from the
    log noise -- the goal here being compromise prevention, more efficient use
    of your time, and ultimately a more secure company.
    
    Whatever the need, ensure that as part of your project you understand the
    following aspects of the solutions you're examining. There are fundamental
    differences among vendors that can have both short- and long-term effects on
    your success and total cost of ownership (TCO); effects that go way beyond
    basic features, capabilities and the product's software license, such as:
    
    - Architecture: can it scale, and if so, how? Is it easy to scale out, or
    does it only scale up?
    - System configuration, implementation needs: how long to get started?
    - Ongoing admin needs: if correlation is to save me time, is that saved time
    used up writing rules, administering the system, etc?
    - Hardware / platform needs: how much iron do I need? Do I need a SAN?
    - Other software costs: e.g. do I need to provide DB licenses myself?
    - High availability / failover approach.
    
    Thanks,
    
    Phil Hollows
    VP Security Products
    OpenService, Inc.
    http://www.open.com
    508.599.2000
    
    -----Original Message-----
     
    Hi everyone,
    
    I was wondering if anyone knows of a tool for log-file correlation and
    analysis.  By that I mean being able to see in a unified form and arranged
    chronologically log entries from a variety of disparate and distributed
    systems.  For example, web servers, application servers, operating systems
    and database servers. 
    
    Thanks for any pointers that you can provide.
    
    Best Regards,
    
    Anthony Butler
    Amcor 
    
    
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
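The unified, chronologically ordered view Anthony asks for, and the kind of cross-source correlation Phil describes, as an added example that is not part of either message and is not code from any product named in the thread. It parses three log formats (Apache combined, syslog from sshd, a PostgreSQL-style server log) into one schema, normalises every timestamp to UTC, merges them in time order, and then flags a client address whose warning-level events show up in more than one source within a short window. All log lines are constructed; the syslog year and time zone are assumptions, since that format carries neither.

```python
"""Added example, not from the thread: normalise log lines from three
different sources into one schema, merge them chronologically, and apply a
simple cross-source correlation rule. All sample log lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: Apache combined log, syslog from sshd, and a
# PostgreSQL-style server log. Each uses a different timestamp format.
APACHE_LINES = [
    '10.0.0.5 - - [08/Apr/2004:08:54:13 -0700] "GET /admin HTTP/1.0" 403 212',
    '10.0.0.5 - - [08/Apr/2004:08:54:20 -0700] "GET /login HTTP/1.0" 200 1024',
]
SYSLOG_LINES = [
    'Apr  8 08:54:15 web1 sshd[2210]: Failed password for root from 10.0.0.5 port 4122 ssh2',
    'Apr  8 08:55:02 web1 sshd[2210]: Failed password for root from 10.0.0.5 port 4123 ssh2',
]
DB_LINES = [
    '2004-04-08 08:54:18 PDT LOG:  connection authorized: user=app database=orders host=10.0.0.9',
    '2004-04-08 08:54:25 PDT FATAL:  password authentication failed for user "admin" host=10.0.0.5',
]

# Assumptions for sources whose timestamps are not self-describing: syslog
# lines carry no year or zone, so we assume 2004 and US Pacific daylight
# time; the database log names its zone, which we map to a fixed offset.
ASSUMED_YEAR = 2004
ZONES = {'PDT': timezone(timedelta(hours=-7)),
         'PST': timezone(timedelta(hours=-8)),
         'UTC': timezone.utc}

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$')
DB_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<tz>\w+) (?P<level>\w+):\s+(?P<msg>.*)$')
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')


def parse_apache(line):
    """Apache combined log: timestamp carries its own UTC offset."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    status = int(m['status'])
    return {'ts': ts.astimezone(timezone.utc), 'source': 'apache', 'ip': m['ip'],
            'severity': 'warn' if status >= 400 else 'info',
            'msg': f'{m["req"]} -> {status}'}


def parse_syslog(line):
    """Classic syslog: no year and no zone, so both are assumed (see above)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=ASSUMED_YEAR, tzinfo=ZONES['PDT'])
    ip = IP_RE.search(m['msg'])
    return {'ts': ts.astimezone(timezone.utc), 'source': 'syslog', 'ip': ip.group(0) if ip else None,
            'severity': 'warn' if 'Failed' in m['msg'] else 'info',
            'msg': f'{m["host"]} {m["prog"]}: {m["msg"]}'}


def parse_db(line):
    """PostgreSQL-style server log: zone given by name, severity by level word."""
    m = DB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S').replace(tzinfo=ZONES[m['tz']])
    ip = IP_RE.search(m['msg'])
    return {'ts': ts.astimezone(timezone.utc), 'source': 'postgres', 'ip': ip.group(0) if ip else None,
            'severity': 'warn' if m['level'] in ('ERROR', 'FATAL', 'PANIC') else 'info',
            'msg': m['msg']}


def build_timeline(sources=None):
    """Parse every line from every source and return one list sorted by UTC time.
    Lines no parser understands are skipped rather than aborting the run."""
    if sources is None:
        sources = [(parse_apache, APACHE_LINES), (parse_syslog, SYSLOG_LINES), (parse_db, DB_LINES)]
    events = []
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
    events.sort(key=lambda e: e['ts'])  # stable sort keeps input order for equal timestamps
    return events


def correlate(events, window=timedelta(minutes=2), min_sources=2):
    """Flag any client IP whose warning-level events appear in at least
    `min_sources` distinct log sources inside a sliding time window.
    Expects `events` already sorted by 'ts', as build_timeline() returns them."""
    by_ip = {}
    for ev in events:
        if ev['severity'] == 'warn' and ev['ip']:
            by_ip.setdefault(ev['ip'], []).append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            sources = {e['source'] for e in evs[i:] if e['ts'] - start['ts'] <= window}
            if len(sources) >= min_sources:
                alerts.append({'ip': ip, 'first_seen': start['ts'], 'sources': sources})
                break  # one alert per address is enough for this demonstration
    return alerts


if __name__ == '__main__':
    timeline = build_timeline()
    for ev in timeline:
        print(ev['ts'].isoformat(), ev['source'].ljust(8), ev['severity'], ev['msg'])
    for a in correlate(timeline):
        print('ALERT', a['ip'], 'seen in', sorted(a['sources']), 'from', a['first_seen'].isoformat())
```

The two design points worth noting are the ones Phil's checklist hints at: every timestamp is converted to an aware UTC value before sorting, because a merged view is only chronological if the sources agree on what the time means, and the correlation rule keys on a field (the client address) that every source can supply, so adding a fourth log format is a matter of writing one more parser that emits the same schema rather than touching the rule.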
    



    This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 09:12:03 PDT