2015-10-25 12:49:57 UTC

When evaluating Log Management, what aspect do you think is the most important to look for?

Let the community know what you think. Share your opinions now!

1616 Answers
Real UserTOP 10


2019-06-10 19:55:47 UTC10 June 19

1. Automatic Remediation
2. Co-relation Engines
3. Real Time Threat Visibilities
4. Pre-Built Dashboards

2018-04-05 19:46:14 UTC05 April 18
Real User

Log compression and metadata storage capability
Ease of implementation/integration
Relational or Full Text English Query Support, Efficient Query Response
Compatibility with existing security vendors/products
Responsiveness of Tech Support and Integration Support Services
Support for breadth of security vendors and speed of new security product log integration
ID Management, Ticketing, and Geolocation Visualization Support

2017-03-22 22:05:29 UTC22 March 17

Real Time remediation
Ease of customization (collectors/connectors)
Integration with Identity management stacks (for enriched information)
Scalability (possible split between collection, correlation, remediation, reporting, ..)
No hardware constraints
PCI, SOX, ISO,.... reporting

2016-02-25 19:47:59 UTC25 February 16

Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface

2018-04-26 21:28:48 UTC26 April 18
Real UserTOP 20

Volume of logs (sources and size)
Storage requirements and recoverability (from archive)
Ability to integrate/forward log management into a SIEM or forward to an MSSP
Ability to selectively choose what logs and/or events are sent into the management system

2018-04-24 16:21:25 UTC24 April 18
Real UserTOP 20

1. First is to check how the target systems are configured in terms of logs generated. i.e syslog may be disabled, apache conf etc
2. Types of logs collected
3. Log size
4. Storage and retention

2018-04-18 08:47:29 UTC18 April 18
ResellerTOP 5

Data compression and reporting followed by speed.

2018-03-13 19:58:24 UTC13 March 18
Real UserTOP 5

Hands down it's usability... Look, there are no shortage of tools available in our industry - but which ones do you use? Log management can be complex and the solution that lowers the barrier to success wins out in my book.

Usability comes down to several factors:

Ease of use is the primary one. How difficult is it to use the software and what types of documentation, community and vendor support exist? How difficult is it to get it up and running? How easily can you incorporate the log management tool into your existing processes using the IT/Security resources you have available? Does the tool help you track your assets or provide case management capabilities (if used as a SIEM). How difficult is it to incorporate new log sources? What reports are available out of the box?

Another item to not lose sight of is compatibility. Do your devices have parsers available for the Log Management tool you are evaluating. This ties back to usability because if you are relying on a vendor to provide custom parsing for you, it's expensive and time consuming. Broad device support and a community that contributes actively to supporting log sources is a must.

Finally, a large component of usability is understanding the architecture limitations and licensing aspects of the solution you are evaluating. It's really critical to make sure you don't outgrow your solution and/or find out later that it's going to be prohibitively expensive to either expand your solution or add related features and services. How much is that custom parser development going to cost? Adding FIM? Adding specialized parser support? What about storage expansion? If you are getting resource errors, do you understand where the performance bottlenecks come from? This could be a tuning issue or a hardware/licensing restriction.

I know this "answer" provide more questions than it does answers! But asking the right questions will lead you down the right path for success!

2018-02-19 18:44:20 UTC19 February 18

Costs - by device or by amount of log traffic (and can that traffic be trimmed/parsed before counting against your threshold?).

2018-02-12 17:12:21 UTC12 February 18
Real UserTOP 10

Data compression and reporting speed.

2017-06-14 19:55:54 UTC14 June 17
Real User

Indexing. Reporting. Alerts. Parsing. Organization. Reporting. Translating to easy to read formats and well as maintaining raw data. Correlating events.

2017-05-26 14:10:32 UTC26 May 17

If supported, a SIM can collect and correlate logs from just
about any device or application in your network. Examples include
routers, switches, wireless access points, firewalls, IDS/IPS, NBAD
(Network Behavioral Anomaly Detection) devices, vulnerability
scanners, windows hosts, unix hosts, services such as DHCP or DNS,
authentication services such as Active Directory, Radius, and LDAP as
well as applications such as Apache, Exchange and antivirus software.
Log collection is most often accomplished with redirecting syslog
output to the SIM, but can also be accomplished with vendor specific
methods such as Checkpoint’s LEA.

2017-05-25 06:55:31 UTC25 May 17
Real User

* Customization of audit policy categories
* Centralized log & event consolidation with manageable data retention
* Nearly real-time event monitoring alerts & notification(severity align to SLA policy)
* Nearly real-time log correlation & parsing
* Scalable platform to effectively handle the increasing number of message packets for analytics
* Schedule-able or on-demand accessibility to a wealth of security and compliance data for historical analysis, trending & reporting
* Agile collector mechanisms to monitor the increasing variety of event sources across the corporate network including FW, IPS, routers, bio-metric devices, servers, physical-access control systems, databases and applications
* Flexibility of deployment options e.g On-premise, hosted as well as hybrid implementation
* Support distributed deployment model
* Multi-tenancy & HA

2017-05-12 08:00:55 UTC12 May 17

Data retention, storage and compression are important.
Ability to search for patterns
Reporting and alerting
Secure data transmission
Fast access to storage
Automation for activities
Speed to write data
Ability to search quickly

2017-03-30 16:22:14 UTC30 March 17
Real User

Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface

2015-11-25 15:44:49 UTC25 November 15
Find out what your peers are saying about Splunk, LogRhythm, IBM and others in Log Management. Updated: August 2019.
366,756 professionals have used our research since 2012.
Sign Up with Email