Tuesday, June 5, 2007

Reader Mail

Anonymous writes,

"Do you use their Log Management product Logger as well? If so (or if not), what do you see as the differenc [sic] between ESM and Logger?"

We're working on bringing in a demo unit of the ArcSight Logger appliance, but do not have it deployed today. I've read the cut sheets (PDF Link) and sat through the Webex for Logger, so I can sort of answer your question.

Think of ArcSight Logger like Snare plus syslog-ng plus a Google search appliance. You can shovel common event streams into it either using native means (like syslog) or using the ArcSight Connector agents. Logger can then feed events based on boolean filters (like those used in the main ESM product) "upstream" to the ESM product.

Unlike ArcSight ESM, Logger only lets you search & sort events. There's none of the visualization or correlation that ESM has. There's also none of the reporting, case management, asset data, patterns, and so on and so forth.

We're looking at Logger to possibly fulfill two roles. The first is that I'd like to reduce some of the redundancy we currently have with software agents. Having one box grab data from multiple sources and feed it to the ESM Manager server would simplify things on my end a lot. It would also eliminate one of the few remaining points where data loss could occur during downtime of any of our ESM component servers. The second is that I'd like to give our operations and engineering teams easy access to log data without having to deploy and support ESM Consoles for all of them. As I point out in my next post on SIM sizing, one of the places you are likely to encounter performance problems is the database and people searching for events. Offloading some of that through Logger will hopefully save us from having to spend more on database server hardware down the road.

I hope that answers your question.


godfadda said...

How can you mention "Snare plus syslog-ng plus a Google search appliance" and not mention "Splunk" as an alternative to Logger (at a lower price point on your own hardware,with your own taste of *nix/BSD)??

PaulM said...

The truth is that I just didn't think of it.

Also, Splunk is only an alternative to ArcSight Logger in a stand-alone capacity. Splunk can't push events to ArcSight ESM. Logger can. It's kind of a 'duh' statement, I know, but it's also a deal breaker for existing ESM customers.

godfadda said...


Splunk will replicate incoming events to an outgoing port (via Splunk2Splunk) with the data then funneling into your syslog connector).

If I had to choose the most stable middleman tho, it would be to have all events goto syslog-ng then push out two streams to Splunk or Logger and then another stream to the ESM connector.

Splunk can also be launched via the Arcsight tools menu, pass parameters to the browser.
Check this post