Log management review: Trustwave SIEM

Trustwave's main competitive advantage is combining SIEM (security information and event management) and log management in one, relatively cheap appliance. While many vendors have begun bringing SIEM and log management functionality together, few do it as affordably as Trustwave -- though you'll generally need to look beyond the starting prices to see it.

The Trustwave SIEM appliance (formerly Intellitactics SAFE LP) has a relatively quick and easy initial setup, which includes setting the IP address and uploading a licensing file. There are five sizes of the appliance to choose from. My 1U test unit came with dual processors, dual power supplies, 10GB of RAM, 4TB of RAID5 disk space, and four Ethernet interfaces. It boots with Red Hat Linux 4.2.15. Booting was noticeably slower than competing appliances, often taking five minutes before I could log on to the management console.


Trustwave SIEM: Log collection and management

The HTTPS management console contains three main tabs (Admin, SAFE, and Favorites) under which all the options are contained. The Admin tab is used to configure the device and log management options. The SAFE tab is used to view collected information and to run reports. The Favorites tab allows you to quickly access commonly used views, dashboards, and graphics. Every page and option is covered by easily accessible help files, although the help files' explanations of the options could be improved. The interface and documentation still contain some of the Intellitactics branding left over from Trustwave's purchase.

I also encountered a few minor technical issues. For example, a configuration screen indicated that high availability was enabled when it was not. And once or twice, the Trustwave SIEM kicked me out to the main log-on screen without warning.

Trustwave SIEM supports generic syslog, like every competitor, and it comes with hundreds of preconfigured device definitions, known as data adapters, for agentless collection. In most cases, capturing logs is as simple as enabling the particular data adapter and inputting one or more related host IP addresses or domain names. As you explore the different data adapters, each automatically becomes a new tab for easy referencing. Bulk import is also supported, so hosts need not be entered one at a time.
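To make the agentless collection model above concrete, here is an added example (written for this review, not Trustwave's code) of the mechanism a data adapter implements: raw RFC 3164 syslog lines arrive from many devices, a device definition bound to the sender's IP address decides how each message is normalized, and anything from an unbound host falls back to generic syslog. The adapter names, the field layouts, the IP addresses, and the sample log lines are all constructed for illustration; the input is fed in from a list so the script runs offline.

```python
"""Added example: agentless syslog collection with per-host data adapters.

Not Trustwave's code. Adapter names ("cisco-asa", "linux-sshd"), field names,
IP addresses, and the sample lines below are hypothetical/constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# RFC 3164 framing: <PRI>MMM dd HH:MM:SS host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class Event:
    src_ip: str
    host: str
    facility: int
    severity: int
    tag: str
    msg: str
    fields: Dict[str, str] = field(default_factory=dict)
    adapter: str = "generic-syslog"


def parse_syslog(src_ip: str, line: str) -> Optional[Event]:
    """Decode the common syslog envelope; return None for lines that do not fit."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility*8 + severity; facility <= 23, severity <= 7
        return None
    return Event(src_ip, m["host"], pri // 8, pri % 8, m["tag"], m["msg"])


# --- device definitions ("data adapters"): enrich an Event with device fields ---

def cisco_asa(ev: Event) -> Event:
    # ASA puts the message id in the tag position: %ASA-<sev>-<6-digit id>
    m = re.match(r"%ASA-(\d)-(\d{6})$", ev.tag)
    if m:
        ev.fields.update(asa_severity=m[1], msg_id=m[2], text=ev.msg)
    return ev


def linux_sshd(ev: Event) -> Event:
    # "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
    m = re.search(
        r"(Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)",
        ev.msg,
    )
    if m:
        ev.fields.update(outcome=m[1], method=m[2], user=m[3], peer=m[4], port=m[5])
    return ev


ADAPTERS: Dict[str, Callable[[Event], Event]] = {
    "cisco-asa": cisco_asa,
    "linux-sshd": linux_sshd,
}


class Collector:
    """Enabling an adapter means binding one or more sender IPs to it."""

    def __init__(self) -> None:
        self.host_adapter: Dict[str, str] = {}
        self.events: List[Event] = []
        self.dropped = 0  # count unparseable input instead of discarding it silently

    def enable_adapter(self, name: str, hosts: List[str]) -> None:
        if name not in ADAPTERS:
            raise KeyError(f"unknown adapter {name!r}")
        for h in hosts:
            self.host_adapter[h] = name

    def ingest(self, src_ip: str, line: str) -> Optional[Event]:
        ev = parse_syslog(src_ip, line)
        if ev is None:
            self.dropped += 1
            return None
        name = self.host_adapter.get(src_ip)
        if name is not None:
            ev.adapter = name
            ev = ADAPTERS[name](ev)
        self.events.append(ev)
        return ev


# Constructed sample input: (sender IP, raw syslog line)
SAMPLE: List[Tuple[str, str]] = [
    ("192.0.2.1", "<166>Jun 15 13:01:02 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
                  "for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)"),
    ("192.0.2.20", "<38>Jun 15 13:01:05 web01 sshd[2231]: Failed password for invalid user admin "
                   "from 203.0.113.7 port 51234 ssh2"),
    ("192.0.2.30", "<13>Jun 15 13:01:07 printer01 lpd: queue empty"),  # no adapter bound
    ("192.0.2.20", "this is not syslog"),                               # dropped
]


def run_sample() -> Collector:
    c = Collector()
    c.enable_adapter("cisco-asa", ["192.0.2.1"])
    c.enable_adapter("linux-sshd", ["192.0.2.20"])
    for ip, line in SAMPLE:
        c.ingest(ip, line)
    return c


if __name__ == "__main__":
    col = run_sample()
    for e in col.events:
        print(e.adapter, e.host, e.fields or e.msg)
    print("dropped:", col.dropped)
```

The point to notice is that the adapter is selected by the sender's IP, not by anything in the message, which is exactly why the product only asks for host addresses when you enable one; the counterpart caveat is that a host bound to the wrong adapter still produces events, just with no device-specific fields, so the generic fallback should be reviewed rather than trusted.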



Trustwave has excellent online instructions for configuring Windows hosts so that the SIEM appliance can monitor and collect log files, although I did find some of the instructions slightly lacking when it comes to the latest Windows versions. Trustwave also has a Windows agent that can be used to send logs to the SIEM appliance via the Syslog protocol.

Trustwave SIEM: Log searching and dashboards

Once events are captured, they can be viewed individually or summarized in detail or graphical form, using the Event Explorer or Log Explorer options within the SAFE tab. Custom dashboards can easily be created and saved, although the Trustwave SIEM doesn't have all the graphic and dashboard options of some of the more expensive competitors.

Any graphic can be clicked to zero in on information about particular events or hosts. Pie slices can be clicked to generate one-off queries, which can be saved for later use or displayed on the dashboard. Occasionally, the console would be slightly sluggish in responding to new views or data queries.

One of my favorite graphic features is the ability to turn the raw events into a traffic map, where cube sizes represent network traffic relationships. The larger the object, the more events it is generating. During an attack, this traffic map could quickly show the major exploitation points needing attention.

Trustwave SIEM: Alerting and reporting

Administrators can easily set detailed alert notifications, and alerts can be sent using email or SNMP. The Trustwave SIEM comes with more than 100 built-in reports, including all the normal industry compliance and IT audit reports. Reports are automatically created after one hour of data collecting, continuously summarizing in the background. Reports can be created ad hoc and published on demand or on a schedule, sent via email or saved to a directory repository, in a variety of formats (such as PDF, Excel, RTF, HTML, text, PostScript, and XML). A report wizard will let you customize any existing report.
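As an added illustration of the kind of alert rule an administrator configures (example code written for this review, not Trustwave's), the block below evaluates a threshold rule over a stream of already-normalized events: it fires when one source produces a given number of failed logons inside a sliding time window, suppresses repeat alerts for that source until the window has cleared, and hands each alert to pluggable notification sinks standing in for the email and SNMP delivery the product offers. The event field names, the timestamps, and the sinks are constructed assumptions.

```python
"""Added example: a sliding-window threshold alert with suppression.

Not Trustwave's code. Event fields ("ts", "outcome", "peer", "user"), the
rule parameters and the sink implementations are hypothetical.
"""
from collections import defaultdict, deque
from typing import Any, Callable, Deque, Dict, List, Optional

Event = Dict[str, Any]
Alert = Dict[str, Any]


class ThresholdRule:
    """Fire when >= threshold matching events share a key within window seconds."""

    def __init__(self, name: str, key: str, match: Callable[[Event], bool],
                 threshold: int, window: int, sinks: List[Callable[[Alert], None]]) -> None:
        self.name, self.key, self.match = name, key, match
        self.threshold, self.window, self.sinks = threshold, window, sinks
        self.seen: Dict[str, Deque[int]] = defaultdict(deque)   # per-key timestamps
        self.suppressed_until: Dict[str, int] = {}              # per-key quiet period
        self.alerts: List[Alert] = []

    def feed(self, ev: Event) -> Optional[Alert]:
        if not self.match(ev):
            return None
        k, t = ev[self.key], int(ev["ts"])
        q = self.seen[k]
        q.append(t)
        while q and q[0] <= t - self.window:   # keep only events in (t - window, t]
            q.popleft()
        if len(q) < self.threshold:
            return None
        if t < self.suppressed_until.get(k, -1):
            return None                         # already alerted for this burst
        alert: Alert = {"rule": self.name, "key": k, "count": len(q),
                        "first": q[0], "last": t}
        self.suppressed_until[k] = t + self.window
        self.alerts.append(alert)
        for sink in self.sinks:
            sink(alert)
        return alert


# Hypothetical notification sinks: in a real deployment these would send mail
# or an SNMP trap; here they append to a list so the example runs offline.
notifications: List[str] = []


def email_sink(a: Alert) -> None:
    notifications.append(f"EMAIL [{a['rule']}] {a['key']} x{a['count']} "
                         f"between t={a['first']} and t={a['last']}")


def snmp_sink(a: Alert) -> None:
    notifications.append(f"SNMP-TRAP rule={a['rule']} key={a['key']} count={a['count']}")


# Constructed sample stream: (ts seconds, outcome, peer, user)
SAMPLE_EVENTS: List[Event] = [
    {"ts": 0,   "outcome": "Failed",   "peer": "203.0.113.7",  "user": "admin"},
    {"ts": 10,  "outcome": "Failed",   "peer": "203.0.113.7",  "user": "root"},
    {"ts": 15,  "outcome": "Accepted", "peer": "198.51.100.4", "user": "alice"},
    {"ts": 20,  "outcome": "Failed",   "peer": "203.0.113.7",  "user": "admin"},  # 3rd -> alert
    {"ts": 30,  "outcome": "Failed",   "peer": "203.0.113.7",  "user": "test"},   # suppressed
    {"ts": 45,  "outcome": "Failed",   "peer": "198.51.100.4", "user": "bob"},    # count 1
    {"ts": 200, "outcome": "Failed",   "peer": "203.0.113.7",  "user": "admin"},  # old burst expired
    {"ts": 210, "outcome": "Failed",   "peer": "203.0.113.7",  "user": "admin"},
    {"ts": 220, "outcome": "Failed",   "peer": "203.0.113.7",  "user": "admin"},  # new burst -> alert
]


def run_sample() -> ThresholdRule:
    rule = ThresholdRule(
        name="ssh-bruteforce", key="peer",
        match=lambda e: e.get("outcome") == "Failed",
        threshold=3, window=60, sinks=[email_sink, snmp_sink],
    )
    for ev in SAMPLE_EVENTS:
        rule.feed(ev)
    return rule


if __name__ == "__main__":
    r = run_sample()
    for a in r.alerts:
        print(a)
    print(*notifications, sep="\n")
```

Two design points matter more than the threshold itself: the window is a sliding one, so a slow attacker who spaces attempts just outside it never fires the rule (lower the threshold or lengthen the window deliberately, with the alert volume that implies), and the suppression period is what keeps a single brute-force burst from generating one email per attempt.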

While testing the unit, I called technical support for configuration help, not using my real name or identifying the magazine. A dispatcher immediately picked up the call, and a knowledgeable tech support person rang me a minute or two later, even though it was late in the weekend. I was duly impressed.

Trustwave SIEM is a solid all-in-one competitor with an attractive price and room for improvement. It's strong on graphical display, with nice touches such as the dynamic traffic maps. But the Trustwave SIEM doesn't run as deep nor is it as polished as top competitors.


This article, "Log management review: Trustwave SIEM," was originally published at InfoWorld.com.



Copyright © 2010 IDG Communications, Inc.
