Educause Security Discussion mailing list archives

Re: Log management


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Thu, 1 Feb 2007 10:03:23 +1000

Hi Charles,

Charles L. Bombard wrote:
Hey everyone,

        What would you all recommend for central log management? We are
currently looking at GFI eventmanager. The ideal solution will combine
the monitoring of both windows and linux logs, and have the ability to
generate alerts based on our settings.

        Recommendations of things to look at as well as things to avoid
are appreciated.

Over the course of 18 months, we have done an investigation, an initial
trial and an extended trial, and we feel that the best product for this
University is Huntsman by Tier-3 (Tier-3, http://www.tier-3.com, are
based in Sydney, Australia).

These were the companies who responded to our investigation:
Computer Associates
IBM
Checkpoint
CISCO
ISS
eIQ Networks
LogLogic
Network Intelligence
Tenable
ArcSight
OpenService
Symantec
netForensics
eSecurity
Micromuse
NetIQ
Tier-3
SenSage
Intellitactics

The results from the investigation directed us to trial products from
the following companies:
OpenService
Tier-3
SenSage
Intellitactics

As an outcome of the extended trial, we have presented to our Steering
Committee our report with the recommendation to proceed with purchasing
Huntsman. There are some follow up items that the Steering Committee
wish to discuss with our local supplier and Tier-3 so we have not
completed the purchase yet.

I'm sure that this sector has changed in the last 18 months - some of
the features of Huntsman that made it attractive to us were:
* Anomaly detection
* Reporting
* Alerting
* Simple, easy-to-use GUI interface (via a thick client)
* Correlation of events across different event sources
* 'Universal' log processor & integration

Some of these other products will be more suitable for a different
environment, situation or financial resource (the range we found was
free vs. six figures). Your mileage will vary :p

Feel free to shoot me questions about our process and result.

So not really a recommendation, but this is what we did and what we
found would be suitable for QUT. I hope it gives you some useful
information and some other places to look.

However, thinking about it, one of the most telling indicators was how
enthusiastically a given company responded to our inquiries. The
responses we had ranged from a single page of sales propaganda to a
sheaf of paper 2cm thick!

--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services,
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: +61 7 3138 9536
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J
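As an added illustration of the two features the reply singles out, correlation of events across different event sources and alerting on a configured threshold, the script below normalises a Windows Security log export and a Linux sshd auth.log into one event stream and raises an alert when the same account fails to authenticate on both platforms within a short window. This is example code written for this archive page; it is not from the thread, from Huntsman, or from any of the products listed. The log lines are constructed, and the flat one-line Windows event format, the auth.log layout and the year supplied for syslog timestamps are assumptions.

```python
"""Cross-source auth-failure correlation with threshold alerting.

Added example (not from the original thread or any vendor product).
Sample log lines are constructed; the Windows line layout is an assumed
flat export of Security events 4625 (failed logon) / 4624 (logon).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: Windows domain controller events and Linux sshd
# failures, the two platforms the original question asked about.
WINDOWS_LINES = [
    "2007-02-01 09:58:12 dc01 Security 4625 jsmith 10.0.5.21",
    "2007-02-01 09:58:40 dc01 Security 4625 jsmith 10.0.5.21",
    "2007-02-01 10:01:05 dc01 Security 4624 jsmith 10.0.5.21",
]
LINUX_LINES = [
    "Feb  1 09:59:03 web01 sshd[2210]: Failed password for jsmith from 10.0.5.21 port 51022 ssh2",
    "Feb  1 09:59:30 web01 sshd[2210]: Failed password for invalid user admin from 10.0.5.21 port 51030 ssh2",
    "Feb  1 10:00:10 web01 sshd[2215]: Failed password for jsmith from 10.0.5.21 port 51041 ssh2",
]

# Assumed formats: "<date> <time> <host> Security <eventid> <user> <src_ip>"
WIN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) Security (\d+) (\S+) (\S+)$")
# Standard sshd "Failed password" line from /var/log/auth.log
LINUX_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")


def parse_windows(line):
    """Map a Windows Security event to the common schema, or None if not a logon event."""
    m = WIN_RE.match(line)
    if not m:
        return None
    ts, host, event_id, user, src = m.groups()
    outcome = {"4625": "failure", "4624": "success"}.get(event_id)
    if outcome is None:
        return None
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "windows",
            "host": host, "user": user, "src_ip": src, "outcome": outcome}


def parse_linux(line, year):
    """Map an sshd failure to the common schema; syslog lines carry no year, so one is supplied."""
    m = LINUX_RE.match(line)
    if not m:
        return None
    ts, host, user, src = m.groups()
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)
    return {"ts": when, "source": "linux", "host": host, "user": user,
            "src_ip": src, "outcome": "failure"}


def normalize(windows_lines, linux_lines, year=2007):
    """Build one time-ordered event stream from both sources ('universal' log processing)."""
    events = [e for e in map(parse_windows, windows_lines) if e]
    events += [e for e in (parse_linux(l, year) for l in linux_lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one account accumulates >= threshold failures from >= 2 sources
    inside `window`, and note whether a successful logon followed the burst."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            run = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            sources = sorted({e["source"] for e in run})
            if len(run) >= threshold and len(sources) >= 2:
                last = run[-1]["ts"]
                success_after = any(e["outcome"] == "success" and last < e["ts"] <= last + window
                                    for e in evs)
                alerts.append({"user": user, "failures": len(run), "sources": sources,
                               "src_ips": sorted({e["src_ip"] for e in run}),
                               "first": first["ts"], "last": last,
                               "followed_by_success": success_after})
                break  # one alert per account per burst is enough
    return alerts


def run_example():
    """Run the constructed sample through normalisation and correlation."""
    return correlate(normalize(WINDOWS_LINES, LINUX_LINES))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point of the common schema is that the correlation rule never has to know which platform a line came from; a real deployment would add more parsers (Windows 4771/4776, PAM, RADIUS) but keep `correlate` unchanged, and would tune `window` and `threshold` per site, which is the "alerts based on our settings" requirement from the original question.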
