IT Central Station is now PeerSpot: Here's why

When evaluating Log Management tools and software, what aspect do you think is the most important to look for?

Ariel Lindenfeld - PeerSpot reviewer
Director of Content at PeerSpot (formerly IT Central Station)

Dear members, 

Let the community know what you think. Share your professional opinion!

PeerSpot user
1919 Answers

Harris Ward - PeerSpot reviewer

Understanding what your organization is capable of monitoring and responding to, even if you have all of the right tools.   Do you need to monitor 24x7? How will you escalate off hours?  Are you trying to check a box, or proactively protect your environment?  

Consider co-managed SOC services if you are not able to provide your own SOC.

Gerrit Boele - PeerSpot reviewer

Log Management should be a separate function of correlation. Correlation is best served in a SIEM tool. Analytics technology can be something that crawls your meta data to find issue, but buying a log management tool that does correlation is asking the bus boy to cook dinner. He can do it cause he is in the restaurant but doesn't mean the food will be good.

Jeff Uhlich - PeerSpot reviewer
Real User


RanjanSandeep - PeerSpot reviewer

1. Automatic Remediation
2. Co-relation Engines
3. Real Time Threat Visibilities
4. Pre-Built Dashboards

R.G. - PeerSpot reviewer
Top 20User

Usability, Compatibility, Integration with other solutions and Support

it_user632850 - PeerSpot reviewer

Log compression and metadata storage capability
Ease of implementation/integration
Relational or Full Text English Query Support, Efficient Query Response
Compatibility with existing security vendors/products
Responsiveness of Tech Support and Integration Support Services
Support for breadth of security vendors and speed of new security product log integration
ID Management, Ticketing, and Geolocation Visualization Support

it_user395517 - PeerSpot reviewer

Real Time remediation
Ease of customization (collectors/connectors)
Integration with Identity management stacks (for enriched information)
Scalability (possible split between collection, correlation, remediation, reporting, ..)
No hardware constraints
PCI, SOX, ISO,.... reporting

it_user863733 - PeerSpot reviewer

Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface

it_user861630 - PeerSpot reviewer
Real User

Volume of logs (sources and size)
Storage requirements and recoverability (from archive)
Ability to integrate/forward log management into a SIEM or forward to an MSSP
Ability to selectively choose what logs and/or events are sent into the management system

it_user858429 - PeerSpot reviewer
Real User

1. First is to check how the target systems are configured in terms of logs generated. i.e syslog may be disabled, apache conf etc
2. Types of logs collected
3. Log size
4. Storage and retention

it_user837123 - PeerSpot reviewer

Data compression and reporting followed by speed.

it_user822597 - PeerSpot reviewer
Real User

Hands down it's usability... Look, there are no shortage of tools available in our industry - but which ones do you use? Log management can be complex and the solution that lowers the barrier to success wins out in my book.

Usability comes down to several factors:

Ease of use is the primary one. How difficult is it to use the software and what types of documentation, community and vendor support exist? How difficult is it to get it up and running? How easily can you incorporate the log management tool into your existing processes using the IT/Security resources you have available? Does the tool help you track your assets or provide case management capabilities (if used as a SIEM). How difficult is it to incorporate new log sources? What reports are available out of the box?

Another item to not lose sight of is compatibility. Do your devices have parsers available for the Log Management tool you are evaluating. This ties back to usability because if you are relying on a vendor to provide custom parsing for you, it's expensive and time consuming. Broad device support and a community that contributes actively to supporting log sources is a must.

Finally, a large component of usability is understanding the architecture limitations and licensing aspects of the solution you are evaluating. It's really critical to make sure you don't outgrow your solution and/or find out later that it's going to be prohibitively expensive to either expand your solution or add related features and services. How much is that custom parser development going to cost? Adding FIM? Adding specialized parser support? What about storage expansion? If you are getting resource errors, do you understand where the performance bottlenecks come from? This could be a tuning issue or a hardware/licensing restriction.

I know this "answer" provide more questions than it does answers! But asking the right questions will lead you down the right path for success!

reviewer818484 - PeerSpot reviewer
Real User

Costs - by device or by amount of log traffic (and can that traffic be trimmed/parsed before counting against your threshold?).

reviewer673236 - PeerSpot reviewer
Real User

Indexing. Reporting. Alerts. Parsing. Organization. Reporting. Translating to easy to read formats and well as maintaining raw data. Correlating events.

it_user672189 - PeerSpot reviewer

If supported, a SIM can collect and correlate logs from just
about any device or application in your network. Examples include
routers, switches, wireless access points, firewalls, IDS/IPS, NBAD
(Network Behavioral Anomaly Detection) devices, vulnerability
scanners, windows hosts, unix hosts, services such as DHCP or DNS,
authentication services such as Active Directory, Radius, and LDAP as
well as applications such as Apache, Exchange and antivirus software.
Log collection is most often accomplished with redirecting syslog
output to the SIM, but can also be accomplished with vendor specific
methods such as Checkpoint’s LEA.

KhLee - PeerSpot reviewer

* Customization of audit policy categories
* Centralized log & event consolidation with manageable data retention
* Nearly real-time event monitoring alerts & notification(severity align to SLA policy)
* Nearly real-time log correlation & parsing
* Scalable platform to effectively handle the increasing number of message packets for analytics
* Schedule-able or on-demand accessibility to a wealth of security and compliance data for historical analysis, trending & reporting
* Agile collector mechanisms to monitor the increasing variety of event sources across the corporate network including FW, IPS, routers, bio-metric devices, servers, physical-access control systems, databases and applications
* Flexibility of deployment options e.g On-premise, hosted as well as hybrid implementation
* Support distributed deployment model
* Multi-tenancy & HA

it_user638145 - PeerSpot reviewer

Data retention, storage and compression are important.
Ability to search for patterns
Reporting and alerting
Secure data transmission
Fast access to storage
Automation for activities
Speed to write data
Ability to search quickly

it_user341232 - PeerSpot reviewer

Data Storage and Indexing analysis
Compression capabilities
Reporting and Alerting capabilities
Event Correlation capabilities
Secure data transmission between Log Collection and Storage
Built in parsers
Query speed and performance of user interface

Buyer's Guide
Log Management
July 2022
Find out what your peers are saying about Splunk, Datadog, IBM and others in Log Management. Updated: July 2022.
622,645 professionals have used our research since 2012.