Log management review: Trustwave SIEM
Trustwave's main competitive advantage is combining SIEM (security information and event management) and log management in one, relatively cheap appliance. While many vendors have begun bringing SIEM and log management functionality together, few do it as affordably as Trustwave -- though you'll generally need to look beyond the starting prices to see it.
The Trustwave SIEM appliance (formerly Intellitactics SAFE LP) has a relatively quick and easy initial setup, which includes setting the IP address and uploading a licensing file. There are five sizes of the appliance to choose from. My 1U test unit came with dual processors, dual power supplies, 10GB of RAM, 4TB of RAID5 disk space, and four Ethernet interfaces. It boots with Red Hat Linux 4.2.15. Booting was noticeably slower than competing appliances, often taking five minutes before I could log on to the management console.
[ Which log management solutions have the right stuff? See "InfoWorld review: Meeting the network security and compliance challenge." ]
Trustwave SIEM: Log collection and management The HTTPS management console contains three main tabs (Admin, SAFE, and Favorites) under which all the options are contained. The Admin tab is used to configure the device and log management options. The SAFE section is used to view collected information and to run reports. The Favorites option allows you to quickly access commonly used views, dashboards, and graphics. Every page and option is covered by easily accessible help files, although the help files' explanations of the options could be improved. The interface and documentation still contain some of the Intellitactics branding left over from Trustwave's purchase.
I also encountered a few minor technical issues. For example, a configuration screen indicated that high availability was enabled when it was not. And once or twice, the Trustwave SIEM kicked me out to the main log-on screen without warning.
Trustwave SIEM supports generic syslog, like every competitor, and it comes with hundreds of preconfigured device definitions, known as data adapters, for agentless collection. In most cases, capturing logs is as simple as enabling the particular data adapter and inputting one or more related host IP addresses or domain names. As you explore the different data adapters, each automatically becomes a new tab for easy referencing. Of course, bulk import is allowed.
Trustwave has excellent online instructions for configuring Windows hosts so that the SIEM appliance can monitor and collect log files, although I did find some of the instructions slightly lacking when it comes to the latest Windows versions. Trustwave also has a Windows agent that can be used to send logs to the SIEM appliance via the Syslog protocol.
Trustwave SIEM: Log searching and dashboards Once events are captured, they can be viewed individually or summarized in detail or graphical form, using the Event Explorer or Log Explorer options within the SAFE tab. Custom dashboards can easily be created and saved, although the Trustwave SIEM doesn't have all the graphic and dashboard options of some of the more expensive competitors.
- ArcSight Logger 4.0
- GFI EventsManager v.8.2
- LogLogic MX3020 v.4.9.1
- LogRhythm LR2000-XM v.5.0
- NitroSecurity NitroView ESM and ELM
- Splunk 4.1.2
- Trustwave SIEM
Compare log management product features
Read the log management evaluation guide
This article, "Log management review: Trustwave SIEM," was originally published at InfoWorld.com. Follow the latest developments in information management and security at InfoWorld.com.
Read more about data explosion in InfoWorld's Data Explosion Channel.
This story, "Log management review: Trustwave SIEM" was originally published by InfoWorld.
Copyright © 2010 IDG Communications, Inc.