  • Enterprise log management - a comparison of 3 big logging systems (Snare vs. Splunk vs. LogLogic)

    Posted: 2007-09-07 17:14:14 (author not listed)

    No doubt that if you are working with large and medium-sized servers and infrastructures, you have come across the need to collect logs and review or analyze them. With more servers the problem escalates, as you have to log into every system to check the logs. It becomes very nice once you start having different systems with different logging mechanisms. I touched on the subject in my article on configuring Splunk and Snare for logging.
    The main issue is that, once you start logging, you can't really do much with the logs.

    The biggest problem that companies face is that log management is still done via custom hacked scripts created by an admin who may have left already. Customization and correlation is nearly impossible. Data retention usually means backing up the parsed logs and praying you will never need them again. When the day then comes to investigate a breach that might have occurred a few months back, you will hear the admins' teeth grind together in pain.

    Luckily there are companies that offer solutions for this problem, and I am here to review 3 big ones, all in different price categories and sometimes even classes. This is not a "best product ever" review; this is a feature comparison that will give you a view of how different products fit different needs and what they offer.

    If you are a large corporation that is already implementing a SOX- or PCI-compliant log management infrastructure, you will probably just fly over this. But if you are a company that needs to get up to date and wants to implement centralized log management, this is for you. Each product is reviewed by sections: product overview, price, compliance with regulations, documentation, administrative overhead, strengths and weaknesses and finally my personal impressions.

    NOTE: This article is heavily focused on log collection for Windows, though it touches other Operating Systems as well. This is because remote logging is supported by all 3 of these systems and *nix systems can log remotely out of the box.

    1. Loglogic - the mother of all Log management systems

    Overview

    Seeing the features, redundancy and the sheer volume that LogLogic can handle with their infrastructure is staggering. The infrastructure is quite nicely done and they have compliance with every major regulation you can throw at them. The management interface is a bit tricky and not for the faint of heart. It takes a long while to get used to, and you had better learn your regular expressions in order to get the most out of it.
    This has good and bad sides. The good one is that you can find any correlation you want, generate any kind of report and pretty much filter ALL your logs centrally the way you want it. The bad side is that it is very hard to use.
    The architecture that LogLogic uses is quite interesting. LogLogic sells their own appliances; you cannot purchase the software. The Windows event collector software is actually free for download, but it logs only to the LogLogic back-end.
    In order to collect Windows Event Logs, for example, you set up an Event Log collector, a Windows server with Lasso installed, and point it to all the servers with a single configuration file. Then you either have to give the service account you are using for the Lasso service full domain admin rights, or tweak the security policy and the way the service works. Once that is configured, the Lasso server collects the data over standard TCP from the domain controllers or servers you specified and forwards it in a secure manner to the LogLogic back-end. This is nice since you have no software running on the servers, just one collector. The same principle goes for the other operating system collectors, though you can configure *nix systems to log remotely, which changes things a bit; the principle is the same though.

    [Figure: LogLogic Windows overview]

    Compliance with regulations
    LogLogic has done a very good job in designing their systems so that with a little bit of configuration they can be made compliant with pretty much any regulation out there. Since every regulation is different you have to tweak the system for full compliance, but at least LogLogic 4 has support out of the box for SOX, ITIL and a host of others. Support is the keyword here, as you cannot be compliant out of the box. However, LogLogic provides you with a very good starting point.

    Documentation

    That is a bit of a downside. Documentation for LogLogic isn't the greatest and, at least when I had an issue, their support wasn't too eager. They kept referring me to the Administrator's document even though the information I wanted was not there. When I finally explained to the technical guy that security policy demands that the agent cannot run as domain administrator, he finally pointed me in the right direction but made it clear that he had no idea how to proceed and that domain admin is the only supported way.

    Price
    LogLogic is expensive. You mostly get what you pay for, but I am not sure if 6 or 7 figures are justified for most companies. If you are a major corporation it is a totally different story, but otherwise the price tag can be quite a shock.

    Strengths and weaknesses

    As mentioned above, LogLogic's approach requires no installation of an agent or major changes to the servers while they are running. You can configure and install the Windows collector on a new server and bring it on-line whenever you feel like it. As long as your security settings are done correctly and the setup complies with your security policy, the machine fetches logs without the servers really knowing about it.
    The real downside is the management interface and the price. Of course you get a bunch of nice shiny boxes that are tuned for performance and speed, but as I said, it comes down to need, and for the medium-sized business LogLogic might be a bit steep. For the small business it is a definite no-go.

    2. Snare Server Infrastructure
    First off, I would like to thank Leigh from Intersect Alliance for giving me access to their demo equipment to do some testing and checking of their Server product. Snare Server is a central logging and archiving server, and Snare itself is a whole infrastructure of logging and analysis software. Snare Server is a proprietary appliance that runs Linux under the hood. You are presented with a nice, easy-to-use interface on the Snare Server, and the icons in each menu are quite clear. I could get a lot of information without reading any kind of documentation. There are prebuilt searches and correlations as well as views of suspicious activity. From a Windows server perspective, for example, I like that it can show when the event log was cleared or when the audit policy was modified, and by whom.

    Though the interface is a bit limited, it can be configured and customized. Out of the box this is however worlds ahead of LogLogic.
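    The two Windows checks mentioned above (event log cleared, audit policy modified, and by whom) are easy to reproduce over a stream of Snare agent records. The following is an added example, not code from the article or from Intersect Alliance; it assumes the Snare agent's tab-separated syslog payload layout and the Windows event IDs for those two conditions, neither of which the article gives.

```python
"""Flag 'audit log cleared' and 'audit policy changed' events in Snare-format Windows records."""

# Event IDs for the two conditions. Assumption, not from the article:
# 517/612 are the Windows 2000/2003 IDs, 1102/4719 their Vista/2008 successors.
SUSPICIOUS = {"517": "audit log cleared", "1102": "audit log cleared",
              "612": "audit policy changed", "4719": "audit policy changed"}

# Assumed layout of the Snare agent's tab-separated syslog payload (field order
# as the Snare for Windows agent emits it; not taken from the article).
FIELDS = ["host", "tag", "criticality", "log", "counter", "time", "event_id",
          "source", "user", "sid_type", "type", "computer", "category",
          "message", "expanded", "checksum"]


def parse_snare(line):
    """Return a dict of Snare fields, or None for lines that are not Snare records."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 9 or parts[1] != "MSWinEventLog":
        return None
    parts += [""] * (len(FIELDS) - len(parts))  # pad short records
    return dict(zip(FIELDS, parts))


def find_suspicious(lines):
    """Return (host, time, event_id, user, reason) for every flagged record."""
    findings = []
    for line in lines:
        rec = parse_snare(line)
        if rec and rec["event_id"] in SUSPICIOUS:
            findings.append((rec["host"], rec["time"], rec["event_id"],
                             rec["user"], SUSPICIOUS[rec["event_id"]]))
    return findings


# Constructed sample records, not captured data. The third line is plain syslog
# and must be ignored; host and user names are fictitious.
SAMPLE = [
    "dc01\tMSWinEventLog\t1\tSecurity\t4412\tFri Sep 07 17:14:14 2007\t517\t"
    "Security\tCORP\\jdoe\tUser\tSuccess Audit\tDC01\tSystem Event\t"
    "The audit log was cleared\t\t123",
    "dc01\tMSWinEventLog\t0\tSecurity\t4413\tFri Sep 07 17:15:02 2007\t528\t"
    "Security\tCORP\\svc_lasso\tUser\tSuccess Audit\tDC01\tLogon/Logoff\t"
    "Successful Logon\t\t124",
    "<13>Sep  7 17:15:30 web01 sshd[2211]: Accepted publickey for admin",
    "fs02\tMSWinEventLog\t1\tSecurity\t910\tFri Sep 07 17:16:40 2007\t4719\t"
    "Microsoft-Windows-Security-Auditing\tCORP\\jdoe\tUser\tSuccess Audit\t"
    "FS02\tAudit Policy Change\tSystem audit policy was changed\t\t125",
]

if __name__ == "__main__":
    for host, when, eid, user, why in find_suspicious(SAMPLE):
        print(f"{when} {host}: {why} (event {eid}) by {user}")
```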

    Snare Server relies on the Snare agents, which need to be installed on all the machines you want to log from. This is an administrative overhead, and according to my information Snare has played with the thought of going agentless but decided to stick with the agents. As a side note: LogLogic's Lasso is based on Snare and shares much of the same code.

    The one thing that blows me away about Snare isn't really the fact that Snare Server is a great product (it is), but the fact that they share so much software with the world. You can download the Snare agents for free and integrate them with other log management software. You can download an event generator to stress-test your system, and you can download a (heavily) stripped-down version of Snare Server, called Snare Backlog, for free as well.
    The real kicker comes, though, when you consider that if you buy a Snare Server, you get the full source code with it. Yes, that is correct. Full source code!! This could be so that they are in line with the GPL, but not many companies hand this over voluntarily.

    [Figure: Snare Server setup]

    Compliance with regulations
    Snare is in line with a lot of regulations, and Snare is used by some quite high-level agencies and government institutions. The regulations include HIPAA, SOX, GLBA, the Patriot Act and even international standards like the Danish DS-484:2005 and the British BS7799 or ISO 17799.

    Documentation
    This is where Snare REALLY shines. Their documentation is top notch and they have a LOT OF IT. You can get any documentation regarding their products for free from their website, and it is very good. You can also request a live demo from their website and test the Snare Server.

    Price
    The price for Snare varies, but they have appliances that cater to any segment and business size and are priced accordingly. This is an out-of-the-box solution and requires little configuration to get you going.

    Strengths and weaknesses
    The one weakness I have found was the lack of a quick way to configure custom reports on the Server. You will need to actually read the documentation :). The strengths, however, are quite big. There is the fact that a lot of their software is free (as in beer), they are huge supporters of the GPL, Snare Server supports a lot of regulations, and the people there are very nice and helpful. They do not have the overhead that large corporations have. The wealth of source code and documentation is amazing.

    3. Splunk
    Overview
    Splunk is the cheapest of our 3 solutions, yet by no means the black sheep.
    Splunk is central log collection software. This means no appliance to buy; it can be installed on any Linux or Windows machine. There are 2 versions, Splunk and Splunk Professional. The normal version is actually free for anyone, which might be quite interesting for smaller businesses. The professional license has a few additional tools such as reporting, but if you want to test Splunk, there is nothing stopping you since you get a fully functional product.

    Splunk is not like the other log management products. It has a feature, or more like THE feature, that I would love to see in Snare or LogLogic with the same strength: Splunk is a search engine. Think of it as Google for your logs. Now the brilliant part is, it works just as fast and just as well as Google, just on your logs. You can get correlation between events and log entries and configure it to fetch logs from pretty much anything.
    Splunk is a server that receives logs from a variety of sources. It supports Snare agents as well as remote logging facilities such as syslog, and correlates correctly between logs from different hosts and systems.

    [Figure: Splunk events]

    Compliance and regulations
    Splunk also complies, or can be made to comply, with the long list of regulations, just like Snare Server.

    Documentation
    The Splunk documentation is also in very good order, very easy to read and understand, and this is one of its strengths. Splunk also has a good community-based approach in terms of forums and FAQs to get you up and running. The community support is good and clear and everyone is very helpful.

    Price
    The price for Splunk is cheap in a sense. Their pricing approach is by volume of log messages per day. It starts at 2500 USD/year if you have a peak volume of 500MB of messages per day. To put this into perspective, 500MB is a LOT of log entries. For a quick comparison, a normal Apache log from 2blocksaway.com is 10MB and contains information on what over 2000 users read and viewed in a day here. So 500MB of log traffic is quite big. Of course, if you have a huge number of servers and want to monitor every little detail then the volumes go up and so does the price, but the prices are reasonable, since even when you have 100GB of log volume per day the annual cost is "only" 75000 USD. I know a lot of companies that don't reach 100GB worth of logs in a year.

    Strengths and weaknesses
    Splunk's one huge strength is its search feature. To put it plainly, it kicks a**. It is fast and exact. Its reporting and management interface is clean and can be used even by a newcomer. To get the most out of the system the documentation is excellent, and the price is competitive and reasonable. What more can you expect?

    Impressions on all 3 systems
    After working with all 3 systems, I cannot tell you if there is a clear winner; each has its strengths and weaknesses and they are all very good. Some cater to different needs and offer different options, but in the end they do the same thing. Pricing and support is one issue, of course, that a lot of companies look at, and there you have to differentiate. LogLogic is clearly the corporate type of company that has a lot of sales buzzwords and that provides a corporate image and stability. Don't get me wrong, their product infrastructure is probably the best out there, but they know it. Snare is the hybrid: they are a stable and successful company and cater to corporations and small businesses alike. They wear their hats for both markets and they do it well. They have a friendly face, but you know you have a stable back-end and can get the support you want. Splunk is sort of the new kid in town and is very modern and hip. They are great, I had good conversations with their staff, and they know what they are doing. They are relaxed and do not have any of the corporate image. So if you like to work with people that know what they do but are very relaxed and friendly, then Intersect Alliance or Splunk is for you. Splunk is very community-based, so if you like to interact via the Internet this is the one for you.
