ArcSight Review

Allows integration and log collection with different devices.

What is most valuable?

The valuable features are:

  • Integration and log collection with different devices.
  • Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
  • Correlations of logs from different device types.
  • Built-in content such as reports, dashboard, compliance, and standard packages.
  • Option to correlate logs with business data.
  • Option to adjust the product to different roles: operations, decision makers, and administrators.
  • You can adjust the web console interface to match the specific role.
  • Integration with other products, such as databases and IPSs.
  • Additional features are available with simple extensions. The solution enables you to monitor logs and to analyze data, but you can also use additional add-ins such as reputation services that can integrate ArcSight ESM with TippingPoint IPS.
  • Ready-made content that can be used immediately.
  • Customized business tables can be correlated. For example, the employee sick leave register can be correlated with Windows login logs.
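The business-table correlation mentioned above (a sick-leave register checked against Windows logon logs), shown here as an added Python illustration that is not code from the reviewer or from ArcSight's own rule language; the register rows and the logon events are constructed sample data, and the field names are assumptions.

```python
from datetime import datetime

# Constructed business table: who is on sick leave and when (dates inclusive).
SICK_LEAVE = [
    {"user": "jdoe", "start": "2024-03-04", "end": "2024-03-08"},
    {"user": "asmith", "start": "2024-03-06", "end": "2024-03-06"},
]

# Constructed Windows Security events. 4624 = successful logon, 4625 = failed
# logon; logon_type 2 = interactive at the console, 10 = remote desktop.
LOGON_EVENTS = [
    {"ts": "2024-03-05T08:12:00", "event_id": 4624, "user": "jdoe", "logon_type": 2, "host": "WS-101"},
    {"ts": "2024-03-05T09:00:00", "event_id": 4624, "user": "mlee", "logon_type": 2, "host": "WS-102"},
    {"ts": "2024-03-06T22:41:00", "event_id": 4624, "user": "asmith", "logon_type": 10, "host": "TS-01"},
    {"ts": "2024-03-05T08:30:00", "event_id": 4625, "user": "jdoe", "logon_type": 2, "host": "WS-101"},
    {"ts": "2024-03-09T08:00:00", "event_id": 4624, "user": "jdoe", "logon_type": 2, "host": "WS-101"},
]


def build_leave_index(rows):
    """Map lower-cased user name -> list of (start_date, end_date) leave periods."""
    idx = {}
    for r in rows:
        period = (datetime.fromisoformat(r["start"]).date(),
                  datetime.fromisoformat(r["end"]).date())
        idx.setdefault(r["user"].lower(), []).append(period)
    return idx


def on_leave(idx, user, day):
    """True if `day` falls inside any recorded leave period for `user`."""
    return any(start <= day <= end for start, end in idx.get(user.lower(), []))


def correlate(events, leave_rows):
    """Return successful logons that occurred while the account owner was on leave."""
    idx = build_leave_index(leave_rows)
    hits = []
    for ev in events:
        if ev["event_id"] != 4624:        # only successful logons are of interest here
            continue
        day = datetime.fromisoformat(ev["ts"]).date()
        if on_leave(idx, ev["user"], day):
            hits.append({"user": ev["user"], "ts": ev["ts"],
                         "host": ev["host"], "logon_type": ev["logon_type"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(LOGON_EVENTS, SICK_LEAVE):
        print("ALERT: logon during recorded sick leave:", hit)
```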

What needs improvement?

I would like to see the following improvements:

  • Less time to administer and track logs on separate devices.
  • Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
  • Reporting: I would like an easier way to find the root cause.
  • Simplicity: I would like to see an easier way to figure out which column has the mapped data.
  • Component accessibility: Components are managed in different places: console, web console, and administration web. It would be nice to have easier access.
  • Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.
  • Better documentation or "how-to" videos: Usually documentation for devices, whose logs are going to be collected, is poor. Those guides are split in two parts: 1. To-do content for device administrator. 2. To-do content on the ArcSight side. When a customer uses these guides, it is not clear what he has to do. Sometimes the customer asks specific questions that the ArcSight implementer cannot answer. Some of these questions are about specific roles, privileges needed for a domain, or database use when the specific source is added.
  • Simplified licensing and license extension for console users: Console users are licensed separately. Those licenses are expensive. The web console is introduced with limited features.

What do I think about the stability of the solution?

There were some stability issues in the partner versions. The client versions were stable.

What do I think about the scalability of the solution?

There were no scalability issues.

How is customer service and technical support?

The technical support was not very good. They are slow and not very efficient. I rely on personal contacts to solve my issues.

How was the initial setup?

The installation was straightforward. It has some built-in connectors that are easy to set up.

What's my experience with pricing, setup cost, and licensing?

The product is not cheap. If you set it up and use it well, it is a worthwhile purchase.

Which other solutions did I evaluate?

We evaluated Splunk and McAfee Log Manager.

What other advice do I have?

Prior to implementation, do an internal assessment and analyze business, technical, and other requirements. Know your inventory and ask for a project methodology approach. Ask your partner for a referral visit to other customer sites.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner.