16. Apr. 2013 by Markus
Recently I've noticed that in certain circles everyone seems to be going crazy about SIEM. Maybe it's not as popular as the IT industry's equivalent of Justin Bieber - cloud computing - but it’s still very well known: any time someone asks for a convenient solution to monitor their server logs, people suggest Splunk, Sumo Logic, XpoLog or a similar product. Sure, SIEM does have its advantages, but it’s simply not for everyone.
The obvious pros include:
big data searching and analysis,
reporting, alerting and what not,
‘heuristic’ analysis voodoo.
Cons are:
Effort of implementation (installing agents on monitored systems, re-configuring firewall policies, etc., and this is just the beginning: every single component of a SIEM solution has to be configured separately).
Rather substantial costs of running the system, depending on the quantity of data processed daily.
Is it worth the time and money invested? Yes it is, but only if you take advantage of indexing the large amount of data and truly benefit from it. Otherwise you will end up with a quite expensive storage facility. A properly configured SIEM can alert you when certain events arise, but there are other solutions which do that already or will get there sooner or later. But what if you only want to search and tail your log files, and just that? Heavyweight SIEM solutions, with their fancy heuristic analysis and what not, aren’t exactly what you need, right? What would one expect from such a solution?
Remote host support is an obvious must when we’re talking about supervising servers. Retrospective, BareGrep or Chainsaw can easily access remote servers. Retrospective does it in a very convenient way, as it features a number of usability enhancements for server management, such as cloning server configurations, batch editing, or the ability to import host configurations from the .ssh/config file or from PuTTY. This comes in handy especially when your servers’ setup changes frequently.
Essential services running on servers require constant supervision. This can be ensured by tailing the corresponding log files. Sure, you can do that with tail, but using Retrospective is so much more convenient, as you can tail different log files simultaneously in separate tabs, spread them all across multiple screens, or get the tails of different remote servers in a merged view in a single tab.
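The two features just described (importing hosts from .ssh/config and merging several remote tails into one view) can be reproduced with plain ssh and tail; the script below is an added example, not code from the post or from Retrospective, with hypothetical function names, a constructed sample config and constructed log lines, and it only handles the common `Key value` form of ssh_config.

```python
import re, shlex
# Constructed sample OpenSSH client config (not taken from the post).
SAMPLE_SSH_CONFIG = """\
Host web1
    HostName 192.0.2.10
    User deploy
    Port 2222
Host db1
    HostName 192.0.2.20
    User postgres   # trailing comment
Host *
    ServerAliveInterval 30
"""

def parse_ssh_config(text):
    """Map each concrete Host alias to its options; 'Host *' stanzas are defaults, not servers."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = None if any(c in value for c in "*?") else hosts.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return hosts

def build_tail_cmd(alias, opts, path):
    """argv for 'ssh ... tail -F path'; BatchMode fails fast instead of prompting, shlex.quote guards the remote re-parse."""
    cmd = ["ssh", "-o", "BatchMode=yes"] + (["-p", opts["port"]] if "port" in opts else [])
    target = opts.get("hostname", alias)
    if "user" in opts:
        target = f"{opts['user']}@{target}"
    return cmd + [target, "tail -F " + shlex.quote(path)]

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # ISO stamps sort as strings

def merge_tails(streams):
    """Interleave {alias: [lines]} into one host-prefixed view ordered by timestamp;
    untimestamped lines (stack traces, continuations) stay under the line above them."""
    tagged = []
    for alias, lines in streams.items():
        stamp = ""
        for seq, line in enumerate(lines):
            if m := STAMP.match(line):
                stamp = m.group(0)
            tagged.append((stamp, alias, seq, f"[{alias}] {line}"))
    tagged.sort(key=lambda t: t[:3])
    return [t[3] for t in tagged]
```

To run it for real, start one `subprocess.Popen(build_tail_cmd(...))` per host and feed each process's stdout lines into `merge_tails`.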
Every day we grow more and more accustomed to the surrounding technology. And with each day we tend to pay more and more attention to user experience. In times when web technology enables building advanced applications, it can be hard for desktop counterparts to keep up. The key to winning users’ hearts is an intuitive user interface and features which allow daily tasks to be completed faster and better. Retrospective's rich desktop client allows bookmarking search definitions and running a defined query any time later with a single click. Log files can be quickly added by dragging and dropping them onto the application window. BareTail and Chainsaw also feature a tabbed interface, but when using either of these you might feel like you’ve gone back in time to the 90’s.
I simply hate it when there’s this decent piece of software which I like and could really use, but for some reason the company decided against providing binaries for the operating system of my choice. Thus I really appreciate it when software companies provide their products for at least MacOS, Linux and Microsoft Windows. Retrospective ticks all three boxes, while others usually lack a native MacOS binary and/or a Linux version.
Another thing everyone is looking for in a log searching utility is fast data processing, as no one has time to waste these days. Retrospective can greatly speed up log file processing by intelligently limiting the volume of data which has to be processed.
Is SIEM for everyone then? No, not at all.
If you simply want to search and tail your log files, spending thousands of dollars on a full-blown SIEM solution is quite unreasonable. And why would anyone spend that kind of money on features they won’t really use? Especially since there are agile and robust tools designed to search and tail log files, which can be yours for a small fraction of the money required to run SIEM for a month.