ArcSight boosts system log management capabilities

A new log management tool from ArcSight Inc. has an impressive free-form search capability that may make life easier for forensics experts.

System logs can be a vital tool, both in tracing how security events occur and in helping to limit their effects. But storing multiple log files and then making sense of them can be a mammoth task.

Security management company ArcSight Inc. says it has come up with an answer to the problem with the launch of Logger 4, its latest analysis tool.

Logger 4 allows logs from all parts of the network to be stored in compressed form in a single searchable database. The company says it is the first to combine structured log data from network devices with unstructured data that tracks, for instance, which applications users accessed, what emails and instant messages they sent, and which websites they visited.

ArcSight has developed a proprietary file structure optimised for log files. It allows data to be compressed by a factor of 10:1 and searched using free text, as in an Internet search engine, rather than structured relational queries.

"Logger 4 is intended to serve both sides of the business -- IT operations and the compliance people," said Rick Caccia, head of product marketing for ArcSight. "IT operations tend only to need data for a short time, but with the increased number of incidents, compliance people need to keep the logs longer for investigation purposes."


The system log management tool is delivered as an appliance with a capacity of up to 42 terabytes, and comes with ready-made connectors for 300 different devices, said Caccia.

He said the free-form search facility gives investigators a great deal of flexibility when starting their forensic research. "A lot of times, when something happens, people just don't know [where] to begin," Caccia said. "We capture everything in the enterprise, and Logger 4 allows them to search, and then refine their searches as they go along."

He said that ArcSight is the first company to marry structured and unstructured log data in a single system, and provide a single reporting tool to analyse it. By bringing all the data together, the product allows companies to detect a wide range of incidents -- from CPU spikes and network flows caused by bots and keyloggers, to fraudulent behaviour of users.
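The two ideas above, one index over structured device logs and unstructured user activity, and free-text searches that an investigator narrows step by step, are illustrated by this added Python sketch. It is not ArcSight code and does not model Logger's proprietary file format; the events, names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the article): device logs and user-activity records in one index.
EVENTS = [
    (1, "firewall", "DENY tcp src=10.0.0.5 dst=203.0.113.9 dport=6667"),
    (2, "proxy", "user=alice GET http://203.0.113.9/update.exe status=200"),
    (3, "im", "alice to bob: sending you the update.exe file now"),
    (4, "email", "from alice subject 'quarterly report' attached report.xlsx"),
    (5, "host", "cpu spike 97% process update.exe host=ws-17"),
]
_TOKEN = re.compile(r"[a-z0-9][a-z0-9.\-]*")

def tokenize(text):
    # 'src=10.0.0.5' yields 'src' and '10.0.0.5'; dotted or hyphenated values
    # also yield their parts, so a search for 'update' still hits 'update.exe'.
    tokens = set()
    for tok in _TOKEN.findall(text.lower()):
        tokens.add(tok)
        tokens.update(part for part in re.split(r"[.\-]", tok) if part)
    return tokens

class LogIndex:
    """Inverted index (term -> event ids) shared by every log source type."""
    def __init__(self):
        self.postings = defaultdict(set)
        self.events = {}

    def add(self, event_id, kind, text):
        self.events[event_id] = (kind, text)
        for tok in tokenize(text) | {kind}:   # source type is searchable too
            self.postings[tok].add(event_id)

    def search(self, query, within=None):
        # Every whitespace-separated term must match (AND). Passing a previous
        # result as `within` narrows that result instead of starting over.
        ids = set(self.events) if within is None else set(within)
        for term in query.lower().split():
            ids &= self.postings.get(term, set())
        return sorted(ids)

INDEX = LogIndex()
for _id, _kind, _text in EVENTS:
    INDEX.add(_id, _kind, _text)

if __name__ == "__main__":
    hits = INDEX.search("203.0.113.9")                # start from one clue
    hits = INDEX.search("update.exe", within=hits)    # refine to the download
    for event_id in INDEX.search("update.exe"):       # pivot across all sources
        print(event_id, *INDEX.events[event_id])
```

Starting from a single address, the refinement isolates the proxy download, and the pivot on the file name then surfaces the instant message and the host CPU spike that a per-source query would have missed.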

Jon Oltsik, a principal analyst at Enterprise Strategy Group, a research company based in Massachusetts, said Logger 4 was an impressive advance. "The Holy Grail [in log management] has been to provide for more types of devices and more types of data, and then [give] the ability to go in and search the data," he said. "The current searchable data leader so far has been Splunk Inc. Splunk is used by the security administrator type of role, but not on an enterprise implementation. Logger 4 provides an enterprise-level log management system and also fulfils the needs of the security administrator who spends their day querying log data."

Oltsik said the 42-terabyte capacity of Logger 4 would be adequate, because companies would generally keep a rolling window of between 3 and 6 months of logs online and archive the older ones.

He added that ArcSight, with its security incident and event management platform, and the ability now to analyse logs, is well placed to handle a broad variety of incidents. "There are two real requirements, and ArcSight's involved in them. First, the real-time event that sets off alarms, and where you need to react fast. You need the ability to sift through the events, correlate the events, filter out the noise and find something that represents a real attack pattern. That is the typical emergency response situation," he said.

"Then you have the low and slow attack, where attackers infiltrate systems slowly -- they are dicey and difficult and are hard to analyse. You have to work like a detective finding each clue and working back."
