Log management appliances/software

Posted on 2009-04-15
Last Modified: 2012-08-14
Are there any SIEM log management appliances that allow the user to export the data captured to its native format (e.g. Windows event log data captured in the appliance exported from the appliance back into the native Windows event log format)?

I have heard that RSA Envision can do this yet I can't find anything to tell me the allowable export formats from this appliance. Has anyone come across any legal cases where they have been asked to provide log data in its native format? I have heard that there are laws written that state that this is the case but I don't know the exact law or how people are getting around this.

Question by:snowmizer

    Accepted Solution

    The article below should help you in the choice of devices
    By comparison, the more mature listeners and parsers from CheckPoint, High Tower and Q1 Labs allow you to simply point your device, any device, to the appliance and the SIEM platform will automatically accept the feed, identify the format, and figure out which event came from which device of which type (for example, a syslog-based event from a Cisco ASA firewall vs. a Linux host). This is extremely helpful if you happen to have a centralized syslog implementation already in place, as you can then "relay" all inbound syslog messages with something like the syslog-ng (Syslog Next-Generation) "spoof source" configuration directive. But even if you don't have a centralized syslog implementation in place, being able to point all devices to a single syslog destination helps make device deployment simple.

    Other data acquisition features of these products include support for protocols such as CheckPoint's OPSEC LEA, database scraping mechanisms for products from established security vendors such as ISS and McAfee, and proprietary agents that can run on hosts to acquire non-syslog based event data like that found in vulnerability scanner data and Windows event logs. The products from Q1 Labs and eIQ supported the widest assortment of security devices and platforms out of the box but organizations will want to gather their own compatibility requirements when compiling their SIEM evaluation short-lists.
    You can also set a filter in the link below to see the supported appliances.

    Check out syslogappliance as well

    There are more in Annex C of NIST SP 800-92, "Guide to Computer Security Log Management". It also talks about the compliance need: section 2.2 addresses five major regulations, PCI, SOX, HIPAA, GLBA and FISMA.
    Useful Excerpt:

    Syslog provides a simple framework for log entry generation, storage, and transfer, that any OS, security software, or application could use if designed to do so. Many log sources either use syslog as their native logging format or offer features that allow their log formats to be converted to syslog format.

    When evaluating syslog replacements, organizations should pay particular attention to interoperability, because many syslog clients and servers offer features not specified in RFC 3195 or other standard-related efforts. Also, organizations that use security information and event management software (as described in Section 3.4) to store or analyze syslog messages should ensure that their syslog clients and servers are fully compatible and interoperable with the security information and event management software.

    Section 3.4

    There are no standards specific to SIEM, so each SIEM product stores and transmits data in any format it chooses. However, SIEM products usually offer capabilities to protect the confidentiality, integrity, and availability of log data. For example, network communications between agents and the SIEM servers typically occur over the reliable TCP protocol and are encrypted. Also, agents and SIEM servers may need to provide credentials to each other and be authenticated successfully before they can transfer data (e.g., agent sending logs to server, server reconfiguring agent).
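    As an added illustration, not part of the original answer and not any vendor's code, the following script shows what a syslog listener of the kind described above does: accept whatever arrives on the syslog port, parse the RFC 3164 header, work out the device type from the message body, and keep the raw line byte-for-byte so it can later be exported in its original form, which is the question asked at the top of this thread. The three sample lines, the device signatures and all function names are constructed assumptions for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from typing import List

# Constructed sample feed (not real captures): three RFC 3164-style lines as a
# central relay would forward them to a SIEM listener on port 514.
SAMPLE_FEED = [
    "<163>Apr 15 10:02:11 fw01 %ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:10.1.2.3 (type 8, code 0)",
    "<86>Apr 15 10:02:12 web01 sshd[2412]: Accepted publickey for deploy from 10.1.2.44 port 51512 ssh2",
    "<13>Apr 15 10:02:13 unknownbox foo: hello world",
]

# PRI, BSD timestamp, hostname, then the free-form MSG part.
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Hypothetical device signatures keyed on the start of MSG; a real parser
# library would carry hundreds of these.
DEVICE_SIGNATURES = [
    ("cisco-asa", re.compile(r"^%ASA-\d-\d{6}:")),
    ("linux-host", re.compile(r"^(sshd|sudo|systemd|kernel|cron|su)(\[\d+\])?:")),
]


@dataclass
class Event:
    raw: str            # the line exactly as received; this is what gets exported
    raw_sha256: str     # digest taken before any parsing, for later integrity checks
    facility: int
    severity: str
    timestamp: str
    host: str
    device_type: str
    message: str


def classify(message: str) -> str:
    """Return the device type whose signature matches the MSG part, else 'unknown'."""
    for device_type, pattern in DEVICE_SIGNATURES:
        if pattern.match(message):
            return device_type
    return "unknown"


def parse_line(line: str) -> Event:
    """Split one RFC 3164 line into PRI, timestamp, host and MSG; raise on malformed input."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return Event(
        raw=line,
        raw_sha256=hashlib.sha256(line.encode("utf-8")).hexdigest(),
        facility=facility,
        severity=SEVERITIES[severity],
        timestamp=m.group(2),
        host=m.group(3),
        device_type=classify(m.group(4)),
        message=m.group(4),
    )


def ingest(lines: List[str]) -> List[Event]:
    """Parse a feed; lines that do not parse are retained raw as 'unparsed', never dropped."""
    events = []
    for line in lines:
        try:
            events.append(parse_line(line))
        except ValueError:
            events.append(Event(raw=line,
                                raw_sha256=hashlib.sha256(line.encode("utf-8")).hexdigest(),
                                facility=-1, severity="unknown", timestamp="", host="",
                                device_type="unparsed", message=line))
    return events


def export_raw(events: List[Event]) -> str:
    """Native-format export: the original lines, unchanged, one per line."""
    return "\n".join(e.raw for e in events)


def verify(event: Event) -> bool:
    """Recompute the digest over the stored raw line; False means it was altered after capture."""
    return hashlib.sha256(event.raw.encode("utf-8")).hexdigest() == event.raw_sha256


if __name__ == "__main__":
    for e in ingest(SAMPLE_FEED):
        print(json.dumps(asdict(e)))
```

    The point of keeping `raw` next to the parsed fields is that normalisation is lossy: once a line has been mapped into a vendor schema, the original bytes cannot be regenerated from it, so an appliance that wants to hand logs back in their native form has to have stored them that way in the first place. The digest taken at capture time is what lets you show later that the exported line is the one that arrived.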

    Assisted Solution

    You may want to read this blog as well for using SIEM for fraud detection

    As for law cases, I will say the guidelines set the pace for vendor competition in the compliance domain


    Expert Comment

    RSA enVision uses IPDB, which stores all the logs in their native ("RAW") format. As they are stored, they are compressed using their own proprietary encryption as well; it is basically a WORM method (Write Once, Read Many).

    As compared to other SIEM appliances or tools, which rely on Oracle Database, MS SQL, or a MySQL database (basically any RDBMS), with RSA it is purely in native RAW format.

    I hope this helps.

    Which compliance regulation are you dealing with, SOX, HIPAA, FISMA..?

    Hope this may help.
