Thursday, July 26, 2007

A Bit More on Log Management vs SIEM (and Semantics)

OK, I am using an unrelated article to go on a tangent here, but it IS an important tangent, which can save you both money and headache ...

So, this CW blog post has the following quote: "An example would be SIM vs. log management. If a client tells me that they want me to figure out a good SIEM for them, I will ask, "Do you need SIEM with correlation and alerting and all that, or do you just need something to gather your logs?" If he says, "I thought SIEM was log management," then we just avoided a semantical error. If I had just assumed that the client knew what SIEM was, then I could have wasted a lot of his and my time."

To start, here is a startling revelation: my first reaction was to kick the author of the above for that word "just" in "you just need to gather logs!" 'Cause if you can gather 75,000 log records a second for a few months and make them all quickly available, you can pretty much forget the "just" part: it is not trivial!

Overall, I've seen (and convinced!) my share of confused people. I have given interviews to explain it. I've written about it. I've quoted other people who wrote about it (e.g. browse here). Still, I see people who venture outside :-) trying to buy "a product" without clarifying this key distinction: WHAT on Earth are you trying to buy, a SIEM or a log management tool?

Here is a one-liner that will hopefully (nah, not really! not for all people! :-)) clear it:

SIEM is about "S" - security; log management is about "L" - logs.

Everybody needs log management: if you have logs, you need log management to collect and analyze them. And you do have logs, since everybody does. It is that simple. You also need log management because some regulations (yes, that "C-word", compliance, again!) say that you need to have it (examples are too numerous to list here).

On the other hand, unless you are very large, plan to build a SOC, or have a huge staff dedicated to near real-time security monitoring, you likely don't need a SIEM. Really! If you don't believe me, that's fine: just buy one without thinking about how you plan to use it and be disappointed that you wasted $X,000,000 of perfectly good dollars and a good chunk of your life. At the same time, you might feel generous that you helped boost a failing market :-) Or, if you insist, you can buy a little toy SIEM or get one as a gift, which I've heard is pretty common :-)

So, if you are looking to collect, retain, review, analyze, and otherwise deal with all your logs for various uses, go for log management. If you are looking to build a SOC, you might need a SIEM (and, actually, log management too, since your SOC analysts will want to see the original logs pretty often).
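To make the distinction concrete, here is an added illustration (example code written for this page, not the post's own code nor any product's) run over a few constructed sample log lines: collect() and search() are the log management part, which keeps every original record and makes it retrievable, and correlate() is the SIEM-style security rule (failed-login burst from one source) layered on top of the stored logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (syslog-like); not real data.
SAMPLE_LOGS = [
    "2007-07-26T10:00:01 host1 sshd: Failed password for root from 10.0.0.5",
    "2007-07-26T10:00:03 host1 sshd: Failed password for root from 10.0.0.5",
    "2007-07-26T10:00:04 host2 cron: job backup finished",
    "2007-07-26T10:00:05 host1 sshd: Failed password for admin from 10.0.0.5",
    "2007-07-26T10:00:40 host1 sshd: Accepted password for bob from 10.0.0.9",
    "2007-07-26T10:03:00 host1 sshd: Failed password for root from 10.0.0.5",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAIL_RE = re.compile(r"Failed password for \S+ from (\S+)")

def collect(lines):
    """Log management: parse, index, and keep the ORIGINAL text of every line."""
    store, index = [], defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:  # unparsable lines are retained as-is, never dropped
            store.append({"raw": raw, "ts": None, "msg": ""})
            continue
        ts, host, prog, msg = m.groups()
        index[(host, prog)].append(len(store))
        store.append({"raw": raw, "ts": datetime.fromisoformat(ts),
                      "host": host, "prog": prog, "msg": msg})
    return store, index

def search(store, index, host, prog):
    """Review: original lines for one host/program (what SOC analysts ask for)."""
    return [store[i]["raw"] for i in index.get((host, prog), [])]

def correlate(store, threshold=3, window=timedelta(seconds=60)):
    """SIEM-style rule: alert when one source has >= threshold failed logins
    within `window`; this is the 'S' layer on top of the stored logs."""
    recent, alerts = defaultdict(deque), []
    for rec in store:
        m = FAIL_RE.search(rec["msg"]) if rec["ts"] else None
        if not m:
            continue
        q = recent[m.group(1)]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m.group(1), rec["ts"]))
            q.clear()  # reset so one burst yields one alert
    return alerts
```

With the sample above, the three failures from 10.0.0.5 within four seconds raise one alert, while the later lone failure does not; every line, alert or not, remains searchable through the log management half.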

Dr Anton Chuvakin