Rollout: Log Management Gets SLIM

Q1's new appliance adds event correlation.

Mike Fratto, Former Network Computing Editor

January 17, 2008

THE UPSHOT

CLAIM: Q1 Labs' Simple Log and Information Management--SLIM--appliance adds event correlation to log management, to provide reports based on log data. The company says the product can help meet regulatory requirements that demand log retention and review.

CONTEXT: Q1 Labs is a security event management (SEM) company that's getting into the log management market. Meanwhile, log management vendors such as Splunk are adding data mining features to their products. SLIM is best suited to correlation and reporting rather than data mining.

CREDIBILITY: SLIM relies on the same underlying framework used by Q1 Labs' SEM product, QRadar. The event correlation and report definitions are easy to set up. Defining parsing rules for messages can be difficult, but that's true with other log management products as well.

Q1 Labs' Simple Log And Information Management--or SLIM--stores logs from a variety of devices and can correlate events and create ad hoc and scheduled reports. Each appliance is rated for 5,000 events per second; adding more appliances raises the aggregate rate.

SLIM's event-correlation feature is useful for uncovering malicious activity in real time and can be easily customized. It also includes report templates for regulations such as Sarbanes-Oxley. However, SLIM isn't as agile with real-time data mining or arbitrary event data as products from Splunk or LogLogic, both of which create indexes of data as they stream from event sources. SLIM is ideal for companies that want to automate report generation and event correlation from log data.

As tested, SLIM costs $24,000. It ships with 2 Tbytes of disk space; raw data and indexes are compressed after two days. In contrast, Splunk's commercial software starts at $5,000 for 500 Mbytes of indexed data per day, and hardware may run to more than $10,000. Moreover, Splunk doesn't have SLIM's event correlation component. A more comparable product, LogLogic's LX 2010, lists for $28,000 plus $14,999 for compliance and control suites. It has robust archiving functions and powerful search capabilities.

SLIM ships with a large number of support modules that parse events from common devices such as Cisco Systems' PIX, the Linux syslog, and Windows event logs. You can also write custom modules.

The appliance's log management capabilities revolve around search filters, and search is where SLIM shows its security event management roots. Searches are defined by picking a predefined (parsed) field, selecting an operator, and entering the string you're looking for. Regular expressions can be applied to the raw event payload, which is useful for messages that no support module has parsed into fields. Once retrieved, we could view data in multiple ways using a drop-down menu.

A number of predefined reports for regulations such as SOX and standards such as COBIT come with the appliance. It also provides executive reports. SLIM's robust event correlation engine is somewhat unusual in the log management market. We could create rules to match up events as they stream into the appliance. Using event correlation, disparate events can be related to generate a metaevent. SLIM can also forward events to other systems if needed, and can send data to an archive.
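To make the two mechanisms above concrete (field/operator/value search with a regex fallback over the raw payload, and a streaming correlation rule that folds several events into one metaevent), here is an added example in Python. It is not SLIM's code or rule syntax and not from Q1 Labs; the log lines are constructed, the year applied to the syslog timestamps is an assumption (syslog omits it), and the sshd and PIX message formats are only approximated as far as the example needs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from any real deployment).
# Four mimic Linux sshd messages; the fifth is an unrelated success; the last
# is a PIX-style line for which no message-level parser is defined below.
SAMPLE_LOGS = [
    "Jan 17 10:00:01 bastion sshd[2201]: Failed password for root from 10.1.2.3 port 51122 ssh2",
    "Jan 17 10:00:04 bastion sshd[2201]: Failed password for root from 10.1.2.3 port 51123 ssh2",
    "Jan 17 10:00:07 bastion sshd[2201]: Failed password for root from 10.1.2.3 port 51124 ssh2",
    "Jan 17 10:00:09 bastion sshd[2202]: Accepted password for root from 10.1.2.3 port 51125 ssh2",
    "Jan 17 10:00:30 bastion sshd[2203]: Accepted publickey for ops from 10.9.9.9 port 40000 ssh2",
    "Jan 17 10:01:00 fw01 %PIX-6-302013: Built outbound TCP connection 77 for outside:10.1.2.3/443 (10.1.2.3/443) to inside:192.168.1.5/3344 (192.168.1.5/3344)",
]

# Generic syslog envelope: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Device-specific "support module" for sshd authentication messages only.
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)
ASSUMED_YEAR = 2008  # assumption: syslog timestamps carry no year


def parse_event(raw):
    """Normalize one raw line into a dict of fields; always keeps the raw payload.
    Lines the envelope regex rejects, or programs with no module, stay unparsed."""
    event = {"raw": raw}
    m = SYSLOG_RE.match(raw)
    if not m:
        return event
    event.update(m.groupdict())
    event["time"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    if event["prog"] == "sshd":
        s = SSHD_RE.match(event["msg"])
        if s:
            event.update(s.groupdict())
            event["src_port"] = int(event["src_port"])
    return event


# Operators of the kind a search form exposes; "regex" over field "raw"
# is the fallback for payloads no module has parsed into fields.
OPERATORS = {
    "equals": lambda value, wanted: value == wanted,
    "contains": lambda value, wanted: wanted in str(value),
    "regex": lambda value, wanted: re.search(wanted, str(value)) is not None,
}


def search(events, field, op, wanted):
    """Return the parsed events whose `field` satisfies `op` against `wanted`."""
    test = OPERATORS[op]
    return [e for e in events if field in e and test(e[field], wanted)]


class BruteForceRule:
    """Streaming correlation rule: `threshold` failed logins from one source IP
    inside `window`, followed by a success from the same IP, yields one metaevent."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures

    def feed(self, event):
        if "outcome" not in event:  # not a parsed sshd auth event; ignore
            return None
        ip, now = event["src_ip"], event["time"]
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:  # expire old failures
            recent.popleft()
        if event["outcome"] == "Failed":
            recent.append(now)
            return None
        if len(recent) >= self.threshold:
            meta = {"metaevent": "brute_force_then_success", "src_ip": ip,
                    "user": event["user"], "failures": len(recent), "time": now}
            recent.clear()  # the sequence has been reported; start over
            return meta
        return None


def correlate(raw_lines, rule):
    """Push raw lines through the parser and the rule; collect emitted metaevents."""
    metaevents = []
    for line in raw_lines:
        meta = rule.feed(parse_event(line))
        if meta is not None:
            metaevents.append(meta)
    return metaevents


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_LOGS]
    print("failed logins:", len(search(parsed, "outcome", "equals", "Failed")))
    print("PIX lines by raw regex:", len(search(parsed, "raw", "regex", r"%PIX-\d-302013")))
    for meta in correlate(SAMPLE_LOGS, BruteForceRule()):
        print("METAEVENT", meta)
```

The design point worth noting is the split between the two paths: field search only works on events a module has parsed, so anything the vendor modules don't cover (the PIX line here) is reachable only through the raw-payload regex, and a correlation rule keyed on parsed fields silently ignores it. That is the practical cost the review describes when it calls custom parsing rules the hard part.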

SLIM is a well-rounded log analysis product suited for report generation and event correlation. Its search capabilities aren't as slick as Splunk's or LogLogic's, but it's powerful enough to dig through mounds of data. The missing piece is the ability to easily add interpreters for log sources.


About the Author(s)

Mike Fratto

Former Network Computing Editor

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.
