Serious Event Log Management Without the Bull

Every network is different, and the regulatory requirements and internal standards with which security professionals and their networks must comply are wide-ranging.

Therefore, the event log management tools that are central to compliance and network administration efforts must be flexible and well supported. Unlike antivirus utilities and other common network tools, event log management software can't be just another software product or a mysterious black box in a server rack. The factors that make every network unique, the very nature of the data being stored, and the structure of the databases on which effective log management strategies rely demand flexibility and scalability.


One size has never fit all in this market, and size doesn't matter. Scalability and ease of use are what matter.

Curious about our claims here? Take a look at this 2008 Network World assessment of SIEM solutions starting at $20,000 USD: "SIEM Tools Come Up Short."

Since 1997, Dorian Software has pioneered event log management and today boasts the patented method for total event log management. Themes in the development of Dorian's software titles have consistently been ease-of-use, modularity, flexibility, and scalability. Of these terms, "modularity" is the least common in IT marketing, but it is critical to Dorian's approach to event log management.

An article entitled "Event Response" in the November 2004 issue of Windows IT Pro Magazine nicely describes and applauds Dorian's modular method, but our explanation also takes into account our experiences with customers since 1997:

Our concept of event log management stems from the earlier, more common needs of network administrators to collect log files into a central store, then cut through them later for periodic, casual review or more formal auditing purposes. As security requirements evolved, more networks became interested in monitoring network events at the frontline. Still, as this evolution has taken place, there has never been a single "one size fits all" formula for the handling of log files on every network - some continue simply to monitor, for example, while others choose only to collect.

Haven't Determined Your Log Strategy?
For more on which components of our event log management solution will best meet your needs, take a look at our Event Log Management Solution Configurator.

The expansion of regulatory compliance requirements and stricter security standards since 2001 has made our Total Event Log Management Solution a good recommendation for most networks, yet questions remain: for example, what about the management of workstation logs in addition to server logs?

Because requirements differ along with the people and networks that face them, the need for the inherent flexibility of a software solution remains. The rise in popularity among vendors and sales reps of management consoles, "dashboards," hard-wired appliances, and bloatware is taking solution seekers in the wrong direction.

Watch Out for These Log Tool Pitfalls

Ask yourself what you are required to accomplish in event log management. Be wary of "return on investment" claims when you are faced with requirements for your network's security - the primary goal isn't return on investment, it is compliance. No amount of bells and whistles or ROI alone will guarantee compliance in auditors' eyes.

It is for this reason that our modular approach to event log management is best - you determine the log strategy that best meets your needs. Inflexible management consoles and "one size fits all" approaches to log management can wreak havoc - like a bull in a china shop - on your network and your IT budget.

Additionally, as the regulatory compliance, network security, and network auditing markets have grown, software vendor tactics have grown more aggressive. According to an article in an earlier issue of Network World, two of the most common methods involve 1) a "free" trial period of software after which surprise charges are introduced; and 2) mission-critical implementations of software at low introductory costs followed by steep surprise charges or removal of the software. This latter method is more common in the SEM and SIEM markets. Watch for it.

At Dorian Software, our approach is the same as it was before the SEM / SIM / SIEM boom - we offer truly free, fully functioning 30-day evaluation versions of the software, after which you may decide to purchase it or not. If you do purchase the software, you understand up front that you may always add additional licenses or services if you choose, and renewal of support services is at a pre-determined annual percentage of software cost. For more details, visit our Download Center or find out more about our Support Services.

Look to a more flexible, tested, and well supported approach to log management - look to Dorian Software Creations for event log management without the bull.


Questions to Ask Yourself and Your Team When Evaluating Log Management Tools:

  • What are our requirements for monitoring, auditing, and/or log data retention?
  • Are we actually looking to meet security requirements or is our primary focus more efficient management of log data?
  • How long has the vendor specialized in event logs? Are there other areas of network security that they suddenly specialized in once they came in vogue?
  • When evaluating the software, be sure to contact technical support. You aren't just evaluating the software - you are evaluating a total package that includes the vendor. Can we live with this level and quality of support for the life of the product?
  • Are there any current or future needs for EVTX log management? Does the vendor already offer extensive support of EVTX log files or are there only promises of support?


Finally, Watch Out for These Pitfalls When Deciding on an Event Log Strategy and Tools:

Forced Agent Installation
In some cases, your configuration may require an agent, but most shouldn't require one. If your network configuration can support agent-free log management, why get stuck with a package that requires agent installation and maintenance? Look for a solution that provides agent-optional capability. Dorian Software provides this.

Watch Out for These Budgetary Pitfalls

  • Extra charges for domain controllers.
  • Extra charges for multi-processor systems.
  • Add-ons. Understand them before purchasing the first software package.
  • Multiple and more expensive versions of the same product. Often, scalability hinges on your purchase of other versions of the software or more add-ons.

Proprietary or "Embedded" Databases
These are only a positive for the vendor. Think about it - do you want to be locked into a third party vendor's database structure? Doesn't the flexibility of a mainstream database structure - such as that of SQL - make more sense? Usually a proprietary or "embedded" database is a component of a software company's recurring revenue model - it guarantees that you must keep up with releases and ongoing maintenance fees.

Remember: A standard, mainstream database structure won't hold you or your data captive.

Focus on "Security" Events
Threats come in many forms as any network administrator knows. Unfortunately, many packages rely or have relied on the Microsoft definition of a "security" event - specifically, one that occurs in the Security Log. Because of this, report selection is often limited.

Compliance with many of today's regulations and best security practices requires a comprehensive view of network health and security, and the data of interest isn't found in the Security Log alone.

Think about your requirements, your environment, and everything that happens in the Application Log and other log types - many of those should be considered to be under the "security" umbrella as well. For instance, did you know that you can audit printer usage by looking in system event logs?

"Dashboard" and "Console" Packages
Of course, not every console is a bad thing - this is more a question of personal preference in terminology. However, in recent years, these buzzwords are indicators that the package is a "one size fits all" product aimed at marketing to larger enterprises. The upfront cost may seem low, but it is usually a stepping stone to a larger recurring revenue generation scheme - hours in support, thousands of dollars in "add-ons" or "snap-ins," consulting fees and hidden training costs often make these a pit for your budget dollars.

Need More Information on Log Management?

Keep up on the complexities of the Windows Event Log and eventing at eventlogs.blogspot.com.

Think spending more money means a more robust, easy to use log solution? Think again.
Read "SIEM Tools Come Up Short," from Network World, June 2008.

For more on event log strategies that can work for you, visit our independent online information resource for event logs: www.eventlogs.com.

To begin your free software evaluations, visit our Download Center.

Outsourced Development and/or Support
Contact technical support during the evaluation phase or look at the vendor's "international" locations. Are those locations there to cut cost or better serve the customer? More and more, this issue is becoming one of importance to government agencies, military organizations, and other security conscious organizations. Finally, honestly ask yourself if "lower cost" software or solutions could actually cost you more in downtime, hours spent learning or correcting the software, and training to overcome poorly designed interfaces.

Incompatibility with Syslogs
Many network devices still report critical events using a syslog mechanism. Do you now or can you foresee the need to monitor or audit router, firewall, or UNIX / LINUX (*NIX flavored) machine incidents? Dorian Software provides the capability to work with these types of logs at no additional charge. Whether or not you need it now, at least you have the option.

Hardware and Appliance Based Solutions
This too can be a matter of personal preference. But think about the inherent flexibility of software - easier updates, easier configuration, and independence from the limitations of physical hardware. Do you really want to ship your appliance back to the vendor the night before an audit?

True, more common utilities such as antivirus and search technologies may be well suited to "plug and play" hardware consoles. However, there are many factors on which event log strategy depends that are outside the control of vendors and security professionals:

  • database structure and design
  • portability of data
  • access to data in the event of security breach and the resulting investigation
  • network infrastructure and speed
  • changes to event log structure and event ID mapping

These factors are likely to drive up both the cost of an appliance and the maintenance of that hardware, when the alternative for your network might simply be a new server - which helps you avoid a proprietary hardware commitment.

In fact, in many government and higher security applications, an appliance based solution is simply out of the question for these and other reasons.


Dorian Software Creations, Inc.
Phone 678.222.3443 | Toll Free 1.866.682.3646
Fax 413.647.8727 | Email sales@doriansoft.com