Friday, July 06, 2007

On "Syslog Servers"

Warning: rant mode on.

I hate it when people call what we sell (i.e. log management) a "syslog server." I really do. Why would someone pay $X0,000 for just a box to "collect syslog?" No, really, why? I won't! It does indeed sound dumb.

By now, many people understand that log management is not about collecting syslog in one big trash can. You can do that much more easily and cheaply if that is indeed your goal. Why someone would collect syslog in a trash can is a separate story :-), even though collecting logs is pretty useful at times. But using the log data is much more useful!

Now, let's try this on for size and see just how offensive it sounds: 'sourcefire - seller of packet grep'? 'symantec - seller of anti-virus'? 'cisco - router-pushers'? Sorry, vendors, I was just using you as an example; no offense intended.

So, please get it! Log management is about scalable (meaning you can deal with a lot of data) collection (yes, collection too) + retention (meaning storage and then destruction) + analysis (real-time and historical methods of making sense of the data) of all types of log data (not just syslog!!!), and about making such data available for all organizational needs (security, compliance, operations, etc.).

Dr Anton Chuvakin