Scale in log management has several dimensions. For example, expanding a log management investment from perimeter threat monitoring to regulatory compliance significantly increases the number and type of assets that need to be monitored. In turn, the total event volume that must be supported also rises. Given the long-term retention requirements that accompany regulations, storage capacity also becomes a challenge. Depending on how distributed the regulated assets are, geographic scalability becomes a must-have. Finally, each use case adds further analysis load. All of these dimensions of log management scalability should be considered as part of the planning process.
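To make those dimensions concrete, the following sizing model is an added example written for this page, not a tool from the article or from ArcSight. It sizes the same scenario the paragraph describes: a perimeter-only deployment, then the same deployment after a compliance mandate pulls in servers and databases with a longer retention period. The inventory, per-device event rates, event sizes, peak factor and compression ratio are all constructed assumptions and should be replaced with measured figures from your own environment.

```python
from dataclasses import dataclass
from collections import defaultdict

SECONDS_PER_DAY = 86_400
GB = 1_000_000_000  # decimal gigabytes, as storage is usually quoted

@dataclass(frozen=True)
class SourceClass:
    """One class of log source in the inventory (all values here are constructed assumptions)."""
    name: str
    count: int              # number of devices of this class
    avg_eps: float          # sustained events per second per device
    avg_event_bytes: int    # average raw event size in bytes
    site: str               # where the devices sit; drives collector placement

def size_log_platform(sources, retention_days, peak_factor=3.0, compression_ratio=8.0):
    """Estimate event volume and storage for a set of log sources.

    peak_factor: multiplier applied to average EPS so collectors and indexers
                 survive bursts (an incident or a noisy change window).
    compression_ratio: assumed raw-to-stored ratio for the retention tier.
    Both defaults are assumptions, not vendor figures.
    """
    per_site_eps = defaultdict(float)
    total_eps = 0.0
    bytes_per_second = 0.0
    for s in sources:
        eps = s.count * s.avg_eps
        total_eps += eps
        per_site_eps[s.site] += eps
        bytes_per_second += eps * s.avg_event_bytes
    raw_gb_per_day = bytes_per_second * SECONDS_PER_DAY / GB
    raw_storage_gb = raw_gb_per_day * retention_days
    return {
        "avg_eps": total_eps,
        "peak_eps": total_eps * peak_factor,
        "raw_gb_per_day": raw_gb_per_day,
        "raw_storage_gb": raw_storage_gb,
        "compressed_storage_gb": raw_storage_gb / compression_ratio,
        # per-site peak tells you how much collector capacity each location needs
        "per_site_peak_eps": {site: eps * peak_factor for site, eps in per_site_eps.items()},
    }

# Constructed inventory: the perimeter use case first, then the assets a
# compliance mandate adds on top of it.
PERIMETER = [
    SourceClass("firewall", 20, 50.0, 400, "sydney"),
]
COMPLIANCE_ADDITIONS = [
    SourceClass("server", 500, 4.0, 250, "sydney"),
    SourceClass("database", 40, 25.0, 400, "melbourne"),
]

def compare_use_cases():
    """Size the perimeter-only deployment against perimeter plus compliance.

    Retention jumps from 90 days to 365 days under the assumed regulation.
    """
    perimeter_only = size_log_platform(PERIMETER, retention_days=90)
    with_compliance = size_log_platform(PERIMETER + COMPLIANCE_ADDITIONS, retention_days=365)
    return perimeter_only, with_compliance

if __name__ == "__main__":
    for label, est in zip(("perimeter only", "perimeter + compliance"), compare_use_cases()):
        print(f"{label}: avg {est['avg_eps']:.0f} EPS, peak {est['peak_eps']:.0f} EPS, "
              f"{est['raw_gb_per_day']:.1f} GB/day raw, "
              f"{est['compressed_storage_gb']:.0f} GB stored over retention; "
              f"per-site peak {est['per_site_peak_eps']}")
```

Running it shows the point of the paragraph: adding the compliance use case multiplies average event rate by four, but because retention also quadruples, the storage requirement grows by more than an order of magnitude, and a second site now needs its own collection capacity. Those three numbers (peak EPS, retained storage, per-site peak) are what a vendor evaluation should be tested against.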
When planning is done right, short-listing vendors for evaluation becomes much easier, since the test requirements are well defined and aligned with long-term goals. However, several factors are often overlooked in this process: vendor independence, vendor viability, the quality of support and services, and relevant reference accounts.
Across use cases, any organization will need to monitor devices all the way from the physical layer up through custom applications, and this infrastructure will rarely come from a single vendor or even a handful of them. Yet several log management vendors have very limited out-of-the-box support for a broad range of devices. Larger vendors may offer breadth in collection capabilities, but it is often limited to sources from their own portfolio. Looking across the layers of the OS stack, the infrastructure at most organizations is heterogeneous, so support for the entire range of vendor and device logs in the environment (not just those of the immediate use case) is an important evaluation criterion.
Technology is only one aspect of any IT investment. With the downturn in the economy, many vendors are hard hit financially. Before making any investment, it is important to evaluate the viability of the vendor independently of their technology. Along the same lines, the quality of support, services and partnerships should be evaluated. Don't assume that a larger vendor can meet your needs best. A more accurate metric is the size of the support and services staff dedicated to log management; otherwise you may end up going through three tiers of escalation before actually speaking with a log management specialist.
Finally, organizations in different verticals may differ in the type of devices they have. References from deployments of equal scale are invaluable in ensuring that solutions under consideration can in fact meet your needs in terms of technology, support, and services.
This isn't a comprehensive discussion of the common pitfalls in log management, but hopefully it sheds more light on common mistakes that can be avoided when planning and selecting the right log management investment.
Ansh Patnaik is the director of product marketing at ArcSight.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.