Log management review: ArcSight Logger

ArcSight has been a pioneer in the security event management business since 2000, and the company's leadership shows in the richness, flexibility, and maturity of its offering. The product lineup is led by the ArcSight Enterprise Security Manager and Logger event log management appliances, although the company has smaller appliances and companion modules for identity-based and compliance monitoring.

Unlike most of the products in this review (all except Splunk), which throw in some SIEM functionality, Logger is strictly for event log collection and reporting. It doesn't include event processing rule sets or make decisions about incoming information and alert you to security events. Rather, it simply sucks in all of the log information you want to analyze and generates reports on it.


For this review, ArcSight sent me the Logger 4 7200-series appliance (2U) with six 1TB RAID5 drives, the maximum amount of internal storage available. Using default compression, ArcSight says the unit can store 42TB of event data before needing to archive to external storage, though I did not verify this.

Logger 4 runs on 64-bit Oracle Enterprise Linux with one or two Intel Xeon Quad Core 2.0GHz processors, two or four network interfaces, and 12GB or 24GB of RAM. Initial setup was fast and easy -- standard for today's appliances. Configuration, management, and operations can be done using a command-line interface or an HTTPS-protected Web GUI.

ArcSight Logger: Event log support and management

Two of ArcSight's strengths are the number of client platforms it supports and the many ways that event messages can be sent to the Logger. In addition to being forwarded to Logger directly by the hosts using native protocols (UDP, TCP, Syslog, FTP, SCP, and so on), event messages can be picked up using a variety of different methods (including text files) or collected and sent using agent software called Connectors. ArcSight provides well over 100 different types of connectors, more than any other vendor. If I could think of it, they had it. If they don't have it, you can probably build it. ArcSight FlexConnectors allow admins to create customized connectors for devices and applications that cannot use existing connectors.

Connectors pick up events in their native format, normalize the data, and deliver the structured data to the ArcSight appliance. Connectors give structure to any unstructured log data, which is important because you cannot run ArcSight reports on unstructured data, though you can run text searches on it. Connectors can also perform event filtering, event message caching, and network bandwidth throttling. The only downside is that ArcSight's connector agents are fairly large (their Windows connector is 179MB) compared to other client-side agents and can take more than 10 minutes to install.

Events can also be collected by one Logger and forwarded to other Loggers and ArcSight solutions, a handy feature for handling remote offices. ArcSight claims that more than 100,000 events per second can be sent to one appliance. I did not stress test this claim, but in my limited tests, Logger handled complex queries against gigabytes of data very well.

Events are collected into individual, customizable storage groups (up to five), which can be set up for particular device types, for different networks, or to meet different collection needs. Storage groups can be configured for size, maximum event age, and reporting priorities. Storage groups are a great feature for managing device resources, and ArcSight's were the most customizable among the products in this review.

ArcSight Logger: Log searching and reporting

The initial logon takes you to a role-customizable dashboard, which at first focuses on monitoring the system's performance, including CPU utilization and event logging metrics. Most admins will spend much of their time within the Analyze tab, where search queries and alerts can be defined.

Search queries can be composed of keyword searches (for raw text searches across structured and unstructured data), as well as Boolean logic, and complex searches can be built using the Search Builder.

Directly typing in search queries is the fastest method for experienced admins, but the large number of expression choices can be intimidating to new users. Beyond understanding Boolean logic, advanced queries require an understanding of Logger's schema and the data it is collecting. Here's an example of a complex query: 

failed AND name="*[Bad Logon]*" AND categoryBehavior CONTAINS Stop NOT ("192.168.4*" OR REGEX=":\d31")

Luckily, the Search Builder graphically presents the various structured data fields available and lets the user point and click their way into complex queries. Search queries can be saved and even analyzed before running to find any weaknesses.

No matter how you construct the query filter, the query itself is very fast. Most queries, even across tens of millions of events, only took seconds. Each query result includes how long it took the query to execute and how many events per second it queried to reach those findings. Queries can be executed across multiple Loggers at once. Results can be saved and exported, and the query can be turned into an alert. One note of caution: ArcSight has artificially limited Logger to five active alerts at once. More flexible alerting can be enabled in ArcSight's other products.

Reporting is another strong feature. Logger comes with many built-in reports; my favorite was the SANS Top Five report set and the ability to create customized reports. Logger has the most design and editing options for reports of any product in this review. Reports can be ad hoc, run on a predetermined schedule, converted into multiple formats (including HTML, PDF, and Microsoft Excel), or added to the dashboard.

There are four main types of Logger users: System Admins, Logger Operators, event log Searchers, and Reporters, who can only manipulate the reporting options. Each role can be configured with different levels of access and permissions. Other minor features, such as query granularity and storage rules, are continued evidence of Logger's maturity. Nearly every feature allows customization, scheduling, export, and performance optimization. Most data streams are encrypted by default, and Logger supports FIPS 140-2 encryption, certificates, and one-time passwords for remote technical support.

ArcSight has always been the leader that competitors try to beat, and its Logger product is one of the two most capable in this review. The only improvements I would like to see are unlimited alerting and, to a lesser degree, leaner client agents. The latter is not a deal killer, but pushing very large clients out over the network can be an issue for any good-size enterprise.


This article, "Log management review: ArcSight Logger," was originally published at InfoWorld.com. Follow the latest developments in information management and security at InfoWorld.com.


Copyright © 2010 IDG Communications, Inc.
