Tuesday, September 9, 2008

ArcSight User Conference 2008

I'm on the floor of the ArcSight "Protect '08" conference this morning. Tim and I gave our talk on ArcSight ESM Tools yesterday, and I will post some version of those slides and some of the code after I return from the conference.

Right now I'm listening to Hugh Njemanze give his keynote on product lines. There's a lot of interesting stuff in the release pipe; Logger 3.0, ESM 4.5, a new Connector appliance, IdentityView content for ESM, and something called "McLovin."

Anyway, here's what's been good so far:
  • Customer presentations (other than mine, I mean) - I missed out last year, these are the best talks so far.
  • Location - the new hotel is within walking distance of stuff (and by stuff I mean not trees and the NSA.)
  • Networking - Always the best part of this conference. I love standing around with free beer, talking to other folks about what they're doing with their SIM, and sharing ideas. Looking forward to more tonight.

Here's what's been not-so-good:
  • Wireless - the hotel wireless has been unreliable and overloaded. Frankly, I'm surprised I've been able to stay on long enough to get this post up.
  • Vendor/sponsor floor - no offense to these guys, but the freebies this year are unimpressive. I've already got a pen, thanks.
  • No bag - Instead of a "conference bag," everyone was issued a plastic file folio thing. Not that I needed another bag, but I can't smoosh the one foam squeezy thing I did get from a vendor booth into this blue plastic thing.

And I would be remiss if I didn't drop a product scoop or two:
  • Logger 3.0 has adopted a more-ESM-like boolean filter interface. Big improvement over the chained-regex search in 2.5 and earlier.
  • Demo of Logger 3.0 shows that searches of data (no details on data set) are roughly 80x faster than a similar sized search on 2.5. (The claim is 100x faster, but I counted. Still, that's a significant improvement.)
  • Hugh has hinted that the slick, high-performance append-only storage stuff that Logger has is going to be integrated into ESM in some release beyond 4.5. That could mean the end of the Oracle / PartitionArchiver storage model. It won't be missed.

2 comments:

Anonymous said...

80x - wow!! Does it mean that indexing is finally in place?

PaulM said...

It seems so. I should be clear that all I have seen so far are the presentations at the conference and the demo unit that ArcSight had for customers to play with at the con. I don't have a good sense of what kind of data is in there, or if there's a big performance difference between CEF and raw log data with in 3.0.

I did learn a few other things about Logger 3.0 that may also be of interest. Existing Logger appliances (both L5K and L7100) can be upgraded to the v3.0 software and get the same performance increase on searches of events that arrive after the upgrade. ArcSight is working on a tool to do, "low-and-slow," indexing of old events so that you can eventually have high-performance searching of all of your stored log data.

I also heard from several ArcSight folks that the GA release of 3.0 is scheduled for Q408, with one person telling me it was only a few weeks out, which might imply an October release.