Key features of a Log Management solution include:
Scalability
Real-time analytics
Advanced search capabilities
Integration with existing tools
Security and compliance support
Scalability ensures a solution can handle increasing data volumes as a business grows. Real-time analytics enable quick insights into log data, allowing for immediate action on potential issues. Advanced search capabilities facilitate the fast retrieval of specific log entries, which is essential for troubleshooting. These features contribute significantly to efficient IT operations and system monitoring.
Integration with existing tools is critical for maintaining seamless workflows and improving data correlation efforts. A Log Management solution should support compliance requirements with features like secure data storage, audit logs, and access controls. This ensures the organization can meet legal obligations and mitigate risks associated with data breaches. Security features help protect sensitive log data from unauthorized access, maintaining data integrity and privacy.
Log Management should be a separate function of correlation. Correlation is best served in a SIEM tool. Analytics technology can be something that crawls your meta data to find issue, but buying a log management tool that does correlation is asking the bus boy to cook dinner. He can do it cause he is in the restaurant but doesn't mean the food will be good.
Understanding what your organization is capable of monitoring and responding to, even if you have all of the right tools. Do you need to monitor 24x7? How will you escalate off hours? Are you trying to check a box, or proactively protect your environment?
Consider co-managed SOC services if you are not able to provide your own SOC.
Director of Information Security at a healthcare company with 5,001-10,000 employees
Vendor
2017-03-22T22:05:29Z
Mar 22, 2017
Log compression and metadata storage capability
Ease of implementation/integration
Relational or Full Text English Query Support, Efficient Query Response
Compatibility with existing security vendors/products
Responsiveness of Tech Support and Integration Support Services
Support for breadth of security vendors and speed of new security product log integration
ID Management, Ticketing, and Geolocation Visualization Support
Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface
Senior Network Security Engineer at Starz Entertainment
Real User
2018-04-24T16:21:25Z
Apr 24, 2018
Volume of logs (sources and size)
Storage requirements and recoverability (from archive)
Ability to integrate/forward log management into a SIEM or forward to an MSSP
Ability to selectively choose what logs and/or events are sent into the management system
Head, Risk and Advisory at a tech services company with 201-500 employees
Real User
2018-04-18T08:47:29Z
Apr 18, 2018
1. First is to check how the target systems are configured in terms of logs generated. i.e syslog may be disabled, apache conf etc
2. Types of logs collected
3. Log size
4. Storage and retention
Senior Security Engineer at a marketing services firm with 201-500 employees
Real User
2018-02-19T18:44:20Z
Feb 19, 2018
Hands down it's usability... Look, there are no shortage of tools available in our industry - but which ones do you use? Log management can be complex and the solution that lowers the barrier to success wins out in my book.
Usability comes down to several factors:
Ease of use is the primary one. How difficult is it to use the software and what types of documentation, community and vendor support exist? How difficult is it to get it up and running? How easily can you incorporate the log management tool into your existing processes using the IT/Security resources you have available? Does the tool help you track your assets or provide case management capabilities (if used as a SIEM). How difficult is it to incorporate new log sources? What reports are available out of the box?
Another item to not lose sight of is compatibility. Do your devices have parsers available for the Log Management tool you are evaluating. This ties back to usability because if you are relying on a vendor to provide custom parsing for you, it's expensive and time consuming. Broad device support and a community that contributes actively to supporting log sources is a must.
Finally, a large component of usability is understanding the architecture limitations and licensing aspects of the solution you are evaluating. It's really critical to make sure you don't outgrow your solution and/or find out later that it's going to be prohibitively expensive to either expand your solution or add related features and services. How much is that custom parser development going to cost? Adding FIM? Adding specialized parser support? What about storage expansion? If you are getting resource errors, do you understand where the performance bottlenecks come from? This could be a tuning issue or a hardware/licensing restriction.
I know this "answer" provide more questions than it does answers! But asking the right questions will lead you down the right path for success!
Systems Engineer at a university with 201-500 employees
Real User
2017-05-26T14:10:32Z
May 26, 2017
Indexing. Reporting. Alerts. Parsing. Organization. Reporting. Translating to easy to read formats and well as maintaining raw data. Correlating events.
If supported, a SIM can collect and correlate logs from just
about any device or application in your network. Examples include
routers, switches, wireless access points, firewalls, IDS/IPS, NBAD
(Network Behavioral Anomaly Detection) devices, vulnerability
scanners, windows hosts, unix hosts, services such as DHCP or DNS,
authentication services such as Active Directory, Radius, and LDAP as
well as applications such as Apache, Exchange and antivirus software.
Log collection is most often accomplished with redirecting syslog
output to the SIM, but can also be accomplished with vendor specific
methods such as Checkpoint’s LEA.
Product Manager at a tech services company with 5,001-10,000 employees
MSP
2017-05-12T08:00:55Z
May 12, 2017
* Customization of audit policy categories
* Centralized log & event consolidation with manageable data retention
* Nearly real-time event monitoring alerts & notification(severity align to SLA policy)
* Nearly real-time log correlation & parsing
* Scalable platform to effectively handle the increasing number of message packets for analytics
* Schedule-able or on-demand accessibility to a wealth of security and compliance data for historical analysis, trending & reporting
* Agile collector mechanisms to monitor the increasing variety of event sources across the corporate network including FW, IPS, routers, bio-metric devices, servers, physical-access control systems, databases and applications
* Flexibility of deployment options e.g On-premise, hosted as well as hybrid implementation
* Support distributed deployment model
* Multi-tenancy & HA
Data retention, storage and compression are important.
Ability to search for patterns
Reporting and alerting
Secure data transmission
Fast access to storage
Automation for activities
Speed to write data
Ability to search quickly
IT Security Specialist at a manufacturing company with 1,001-5,000 employees
Vendor
2015-11-25T15:44:49Z
Nov 25, 2015
Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface
Key features of a Log Management solution include:
Scalability ensures a solution can handle increasing data volumes as a business grows. Real-time analytics enable quick insights into log data, allowing for immediate action on potential issues. Advanced search capabilities facilitate the fast retrieval of specific log entries, which is essential for troubleshooting. These features contribute significantly to efficient IT operations and system monitoring.
Integration with existing tools is critical for maintaining seamless workflows and improving data correlation efforts. A Log Management solution should support compliance requirements with features like secure data storage, audit logs, and access controls. This ensures the organization can meet legal obligations and mitigate risks associated with data breaches. Security features help protect sensitive log data from unauthorized access, maintaining data integrity and privacy.
Log Management should be a separate function of correlation. Correlation is best served in a SIEM tool. Analytics technology can be something that crawls your meta data to find issue, but buying a log management tool that does correlation is asking the bus boy to cook dinner. He can do it cause he is in the restaurant but doesn't mean the food will be good.
-Searchability
-Compression
-Encryption
Understanding what your organization is capable of monitoring and responding to, even if you have all of the right tools. Do you need to monitor 24x7? How will you escalate off hours? Are you trying to check a box, or proactively protect your environment?
Consider co-managed SOC services if you are not able to provide your own SOC.
1. Automatic Remediation
2. Co-relation Engines
3. Real Time Threat Visibilities
4. Pre-Built Dashboards
Usability, Compatibility, Integration with other solutions and Support
Log compression and metadata storage capability
Ease of implementation/integration
Relational or Full Text English Query Support, Efficient Query Response
Compatibility with existing security vendors/products
Responsiveness of Tech Support and Integration Support Services
Support for breadth of security vendors and speed of new security product log integration
ID Management, Ticketing, and Geolocation Visualization Support
Real Time remediation
Ease of customization (collectors/connectors)
Integration with Identity management stacks (for enriched information)
Scalability (possible split between collection, correlation, remediation, reporting, ..)
No hardware constraints
PCI, SOX, ISO,.... reporting
Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface
Volume of logs (sources and size)
Storage requirements and recoverability (from archive)
Ability to integrate/forward log management into a SIEM or forward to an MSSP
Ability to selectively choose what logs and/or events are sent into the management system
1. First is to check how the target systems are configured in terms of logs generated. i.e syslog may be disabled, apache conf etc
2. Types of logs collected
3. Log size
4. Storage and retention
Data compression and reporting followed by speed.
Hands down it's usability... Look, there are no shortage of tools available in our industry - but which ones do you use? Log management can be complex and the solution that lowers the barrier to success wins out in my book.
Usability comes down to several factors:
Ease of use is the primary one. How difficult is it to use the software and what types of documentation, community and vendor support exist? How difficult is it to get it up and running? How easily can you incorporate the log management tool into your existing processes using the IT/Security resources you have available? Does the tool help you track your assets or provide case management capabilities (if used as a SIEM). How difficult is it to incorporate new log sources? What reports are available out of the box?
Another item to not lose sight of is compatibility. Do your devices have parsers available for the Log Management tool you are evaluating. This ties back to usability because if you are relying on a vendor to provide custom parsing for you, it's expensive and time consuming. Broad device support and a community that contributes actively to supporting log sources is a must.
Finally, a large component of usability is understanding the architecture limitations and licensing aspects of the solution you are evaluating. It's really critical to make sure you don't outgrow your solution and/or find out later that it's going to be prohibitively expensive to either expand your solution or add related features and services. How much is that custom parser development going to cost? Adding FIM? Adding specialized parser support? What about storage expansion? If you are getting resource errors, do you understand where the performance bottlenecks come from? This could be a tuning issue or a hardware/licensing restriction.
I know this "answer" provide more questions than it does answers! But asking the right questions will lead you down the right path for success!
Costs - by device or by amount of log traffic (and can that traffic be trimmed/parsed before counting against your threshold?).
Data compression and reporting speed.
Indexing. Reporting. Alerts. Parsing. Organization. Reporting. Translating to easy to read formats and well as maintaining raw data. Correlating events.
If supported, a SIM can collect and correlate logs from just
about any device or application in your network. Examples include
routers, switches, wireless access points, firewalls, IDS/IPS, NBAD
(Network Behavioral Anomaly Detection) devices, vulnerability
scanners, windows hosts, unix hosts, services such as DHCP or DNS,
authentication services such as Active Directory, Radius, and LDAP as
well as applications such as Apache, Exchange and antivirus software.
Log collection is most often accomplished with redirecting syslog
output to the SIM, but can also be accomplished with vendor specific
methods such as Checkpoint’s LEA.
* Customization of audit policy categories
* Centralized log & event consolidation with manageable data retention
* Nearly real-time event monitoring alerts & notification(severity align to SLA policy)
* Nearly real-time log correlation & parsing
* Scalable platform to effectively handle the increasing number of message packets for analytics
* Schedule-able or on-demand accessibility to a wealth of security and compliance data for historical analysis, trending & reporting
* Agile collector mechanisms to monitor the increasing variety of event sources across the corporate network including FW, IPS, routers, bio-metric devices, servers, physical-access control systems, databases and applications
* Flexibility of deployment options e.g On-premise, hosted as well as hybrid implementation
* Support distributed deployment model
* Multi-tenancy & HA
Data retention, storage and compression are important.
Ability to search for patterns
Reporting and alerting
Secure data transmission
Fast access to storage
Automation for activities
Speed to write data
Ability to search quickly
Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface