We are currently going through a similar exercise.

We have ArcSight now.  It is a bear to manage.  They even told us if we went
above the Express product, we would need to hire a full-time administrator.

Looked at enVision.  I talked to a large user reference and they said while
it does its thing well, they felt that it took more care and feeding
than it should.

Looked at Splunk.  Really liked its flexibility and extensibility.  I would
describe it as "google for your logs".  The downside is it doesn't come
with any reports, dashboards, correlation, etc.  And they leave it up to you
to interpret the logs - for example, Kerberos login I think results in 3
entries.  They leave it up to you for the intelligence to decide that those
3 mean "Kevin logged in".  If they would develop a starter pack of reports,
dashboards and correlations, they would probably be my favorite.

Looked at LogRhythm.  Nice product.  Downside is it is built on SQL.  That's
a downside from a performance perspective when you have billions of records
per month and want to do some analysis.

Looked at NitroSecurity.  They have a FIPS certified appliance.  Given that
I am in the DoD market, that gives them a few extra points.  They have a
purpose-built database (like Splunk), so queries were fast.  It comes with
many things configured (or available) right out of the box.  If I had to
make a decision today, it would be Nitro for my environment.




On Fri, Nov 5, 2010 at 2:39 PM, Weatherford, Chad <[email protected]> wrote:

>  Hello all!
>
>
>
> We are currently using GFI EventsManager for our event management but we
> are now looking to expand the monitoring to 300+ locations with everything
> coming back to HQ. This led us to look at other products and I was wondering
> if any of you may be using these could tell me what you think. We are
> looking at the following: ArcSight, enVision by RSA, Tripwire and Nessus LCE
> with Security Center.
>
>
>
> Thanks in advance for any feedback!
>
> Chad
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>