Which SIM product do you use?

Currently at work we have tons of logs and many tedious processes to check the logs from firewalls, IDS, proxy, events logs, patchlink, and so on. In a prior job, I implemented CISCO MARs, which worked ok from a network perspective, but fell short from a log management perspective. The products I'm looking at are Trigeo, Network Intelligence, and Arcsight. I'm steering more for Trigeo because of the open platform, and it has tons of flexibility and control. The price is also much better than the rest. Also, the open source SIM OSSM has. With all that said, which products does everyone use and/or recommend.

Thank you everyones input and time.

ArcSite will require you to hire an entire team of people (and developers) to maintain it. It falls short of the claims.

MARS is "ok" but you too have discovered that you can't manage logs very well. I'm saying this based on my log management requirements which are going to be very different than most.

Net Forensics == Poop.

I use NueSecure, which is now called IBM TSOM (Tivoli Security Operations Manager). I've used it for years and I am reasonably happy with it. That said, IBM is making me do a forklift upgrade. They are re-writing the product and dumping MySQL for DB2 (big surprise) and they are making enhancments to the custom rule engine that *should* boost performance when doing complex custom analysis. The interface is going to get some lipstick and heels too.

Now, as far a log "management" goes, you haven't provided a single requirement so I can't give you a well educated answer as to what the products that I've used can and cannot do. How about throwing some out there so I can really give you the meat you're after.

--Th13

For log management I'm looking for:

-changes on the servers (change management)
-event logging for security/application
-logging on the firewalls of denied packets/drops
-IDS correlation to other logs to create incidents, some type of ticketing system
-auditing of users changes create/delete/kill services on all devices
-database logging for changes

You do realize the enormous amount of disk space you're going to need for all of this right? If you have to meet regulatory compliance, you have to retain some data for 7 years. Also, if you're going to sift through Event Viewer logs in your SIM, get ready for *TONS* of useless data to be pumped through your SIM. You better have a good agent running on the Win32 hosts that will only fire SNMP traps over to the SIM when your create/delete/kill event IDs are seen. That's what I'm doing now so that I don't get a 99% garbage feed from Win32 hosts.

TSOM can do all of the above requirements reasonably well right now but when you start writing custom expressions for the correlation and ticketing features, you will notice a performance lag. This is supposed to be handled in the re-write.

--TH13

Use Network Intelligence on the project I'm currently on. Depends on your criteria (obviously) and what you intend to collect events from.

We've found custom integration quite fiddly, once you go above standard OS events via Syslog.

I don't have any experience with other SIM products so can't recommend (or not) NI but it's not bad, certainly worth evaluating. They have quite a good looking roadmap last time I looked and are constantly updating the system (is that a good or bad thing?).

Sometimes it still has the feel of a beta product but it has held up pretty well. Also now they are under the EMC/RSA umbrella then I would expect it to be well supported.