Welcome Guest. | Log In| Register | Membership Benefits

  • Email this page E-mail
  • |  Print Print
  • |   Bookmark and Share
  • icon

Rollout: Log Management Gets SLIM


Q1's new appliance adds event correlation.

By Mike Fratto
InformationWeek
January 19, 2008 12:00 AM (From the January 21, 2008 issue)

THE UPSHOT
CLAIM:  Q1 Labs' Simple Log and Information Management--SLIM--appliance adds event correlation to log management, to provide reports based on log data. The company says the product can help meet regulatory requirements that demand log retention and review.

CONTEXT:  Q1 Labs is a security event management (SEM) company that's getting into the log management market. Meanwhile, log management vendors such as Splunk are adding data mining features to their products. SLIM is best suited to correlation and reporting rather than data mining.

CREDIBILITY:  SLIM relies on the same underlying framework used by Q1 Labs' SEM product, QRadar. The event correlation and report definitions are easy to set up. Defining parsing rules for messages can be difficult, but that's true with other log management products as well.

Q1 Labs' Simple Log And Information Management--or SLIM--stores logs from a variety of devices and can correlate events and create ad hoc and scheduled reports. Each appliance is rated for 5,000 events per second; adding devices ups the ratio.

SLIM's event-correlation feature is useful for uncovering malicious activity in real time and can be easily customized. It also includes report templates for regulations such as Sarbanes-Oxley. However, SLIM isn't as agile with real-time data mining or arbitrary event data as products from Splunk or LogLogic, both of which create indexes of data as they stream from event sources. SLIM is ideal for companies that want to automate report generation and event correlation from log data.

As tested, SLIM costs $24,000. It ships with 2 Tbytes of disk space; raw data and indexes are compressed after two days. In contrast, Splunk's commercial software starts at $5,000 for 500 Mbytes of indexed data per day, and hardware may run to more than $10,000. Moreover, Splunk doesn't have SLIM's event correlation component. A more comparable product, LogLogic's LX 2010, lists for $28,000 plus $14,999 for compliance and control suites. It has robust archiving functions and powerful search capabilities.

SLIM ships with a large number of support modules that parse events from common devices such as Cisco Systems' PIX, the Linux syslog, and Windows event logs. You can also write custom modules.

The appliance's log management capabilities revolve around search filters, and search is where SLIM shows its event reporting roots. Searches are defined by specifying predefined fields, selecting an operator, and choosing the string you're looking for. Regular expressions can be defined to search the packet payload, useful when dealing with unparsed data. Once retrieved, we could view data in multiple ways using a drop-down menu.

A number of predefined reports for regulations such as SOX and standards such as COBIT come with the appliance. It also provides executive reports. SLIM's robust event correlation engine is somewhat unusual in the log management market. We could create rules to match up events as they stream into the appliance. Using event correlation, disparate events can be related to generate a metaevent. SLIM can also forward events to other systems if needed, and can send data to an archive.

SLIM is a well-rounded log analysis product suited for report generation and event correlation. Its search capabilities aren't as slick as Splunk's or LogLogic's, but it's powerful enough to dig through mounds of data. The missing piece is the ability to easily add interpreters for log sources.



Subscribe to RSS


Advertisement





Get InformationWeek in Print

Apply for a free 52-week subscription to InformationWeek (a $199 value)



NOTE: Offer valid for U.S., U.S. possessions, & Canada only.