System logs are one of the great untapped data resources of IT shops. They are analysed, usually in a silo context, often for a machine-specific task such as capacity management or performance analysis, or used for post-exception audits. Log files from different systems are not usually brought together and mined, or indexed, for post-hoc reporting, let alone real-time analysis.
Security customers and vendors are one constituency that has naturally tended to appreciate the value of event logs. But usually this information is considered in quite a narrow context. It's all about correlating security and network data. That is not to say that companies like Tripwire or CyberTrust or QCC don't provide a valuable service. But it's clearly bounded, and concerns a particular set of risks.
Compliance with corporate or regulatory standards, on the other hand, is a much broader issue, of which security incident management is just one element. Compliance is a business process issue that goes far beyond tracking intrusion detection exceptions and patterns.
There are some vendors and technologies emerging that are looking to challenge the idea that log data is cheap and should simply be written to background storage in case it is needed later.
Log management and analysis is not a subset of security incident management (SIM). In fact SIM is a subset of log management.
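To make the two points above concrete (logs from separate silos pulled into one normalised, indexed store, with the security-incident question being just one query against that store), here is an added Python example; it is not code from this post or from any of the vendors named, and the log lines, hostnames and field names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data) from three silos: syslog auth, Apache access, Windows CSV export.
RAW_LOGS = [
    "Mar 12 10:01:07 web01 sshd[2310]: Failed password for root from 10.0.0.5 port 4022 ssh2",
    "Mar 12 10:01:09 web01 sshd[2310]: Failed password for root from 10.0.0.5 port 4023 ssh2",
    '10.0.0.9 - bob [12/Mar/2006:10:03:15 +0000] "GET /finance/report.csv HTTP/1.1" 200 5120',
    "2006-03-12 10:04:31,db01,4625,Logon failure,carol",
    "2006-03-12 10:05:02,db01,4720,User account created,svc_backup",
]
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
APACHE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \d+$')
WINCSV = re.compile(r"^(?P<ts>[\d-]+ [\d:]+),(?P<host>[^,]+),(?P<eid>\d+),[^,]+,(?P<user>.*)$")

def normalise(line):
    """Map one raw line from any supported source onto a common event schema (None if unparsed)."""
    if m := SYSLOG.match(line):
        user = re.search(r"for (\S+) from", m["msg"])
        return {"ts": m["ts"], "host": m["host"], "source": "syslog",
                "event": "auth_failure" if "Failed password" in m["msg"] else "other",
                "user": user.group(1) if user else "-"}
    if m := APACHE.match(line):  # client IP stands in for host; the server name would come from the file's origin
        event = "access_denied" if m["status"] in ("401", "403") else "web_request"
        return {"ts": m["ts"], "host": m["ip"], "source": "apache", "event": event, "user": m["user"]}
    if m := WINCSV.match(line):
        event = {"4625": "auth_failure", "4720": "account_created"}.get(m["eid"], "other")
        return {"ts": m["ts"], "host": m["host"], "source": "windows", "event": event, "user": m["user"]}
    return None

def build_index(lines):
    """One store for every source: the normalised event list plus a field -> value -> rows inverted index."""
    events, index = [], defaultdict(lambda: defaultdict(list))
    for ev in filter(None, map(normalise, lines)):
        for field, value in ev.items():
            index[field][value].append(len(events))
        events.append(ev)
    return events, index

def query(events, index, **criteria):
    """AND of field == value criteria resolved through the index; a SIM question is just one such query."""
    hits = None
    for field, value in criteria.items():
        rows = set(index[field].get(value, []))
        hits = rows if hits is None else hits & rows
    return [events[i] for i in sorted(hits or [])]

def count_by(events, index, group, **criteria):
    """Report helper: number of matching events per value of `group`, e.g. failed logins per host."""
    return dict(Counter(ev[group] for ev in query(events, index, **criteria)))
```

The same store answers a security question (`count_by(events, index, "host", event="auth_failure")`) and an audit question (`query(events, index, event="account_created")`) without either silo knowing about the other.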
Log data can be tremendously valuable. I would point to LogLogic, LogRhythm and Splunk as some organisations to check out. Visit the Splunk homepage, if only to see the rather amusing "What's H0rked in your infrastructure today?" tagline. You can also download Splunk and get a feel for log analysis yourself. Prism EventTracker and Network-Intelligence are another couple of firms in the space.
So what's up with log analysis? What is your approach? Are you using it in a compliance context? At RedMonk we have decided to track log management and analysis as a sector in its own right, as part of our compliance-oriented architecture research.
Where does compliance meet log management and analysis? In reporting. It's all about reporting. How do you get IT talking to the business? Provide reports in a language they understand, like Sarbanes-Oxley or MiFID. If you're going to pay a vendor money for a log analysis solution, demand canned reports your business managers will appreciate. Expect the vendor to drive business semantics into the software for you.
If you are a vendor of a log management tool, or a customer, please let us know; we would very much like to speak to you. Cote has talked to our thinking here.
Disclaimer: I recently met up with Andy Lark, chief marketing officer of LogLogic, a pal first and a RedMonk client second, and we drank some fine wine at Bedales and talked business. I also know Andy Grolnick, LogRhythm president, and would like to win the company as a client. Stephen O'Grady looked at Splunk, which is open source, and said it is interesting. I have friends at Tripwire and QCC. I had lunch with CyberTrust last week. I think that's it.