« Logs & The Law | Main | Log Data Management: A Smarter Approach to Managing Risk »

SANS Defines New Metric for LMI Performance

The SANS Institute recently defined a new metric for Log Intelligence performance: Real-Time Report Response Time (RRT). For too long, Log Intelligence performance was only measured in “Messages per Second (MPS)”. MPS capacity is useful when figuring out how many logging servers to buy, but doesn’t tell you about the daily user experience. (You can register to download a copy of the research into LogLogic's LS 2000 appliance)

Most real world log analysis is ad-hoc: a random combination of time frame, log sources and search criteria. With homegrown syslog servers, Report Response Times can be hours. Commercial solutions range the gamut: from one minute to many hours – even days. It pays to test before buying, because faster Response Times translate into big dollar savings.

For instance - an auditor walks in and asks about failed logins on your finance servers, then sees something unusual and asks follow-up questions. If each question takes eight hours to answer, an audit easily costs a million dollars in people-time alone! You fail your audit because you aren’t able to satisfy reporting requirements within regulated or defined timeframes.

Or - an alert indicates a security breach or performance problem. Resulting downtime costs a million dollars per hour. If faster Report Response Time helps to resolve the problem in one hour instead of eight you just saved seven million dollars! And that’s not calculating the costs you saved in terms of damage to reputation, brand and your customers’ business.

Messages per second matter but not nearly as much as response time. Some vendors will take an even more extreme approach to tuning messages per second, waiting to parse logs until reports are needed to be run. In this scenario, often with weeks of data collected, response times slow to hours. Remediation or forensics could take days or weeks. This is why LogLogic’s Real-Time Report Response Times never exceeds fifty seconds and in most instances can be measured in single digits.

LogLogic appliances pre-process log data at the time of log collection without sacrificing an inch of MPS. For large environments, multiple LX appliances crunch parts of Real-Time Reports in parallel, keeping Response Times independent of the amount of data analyzed. This is what results in ‘Google-like’ search speeds on terabytes of data.

The solution is simple when you are clear on the outcome that matters most to users.

Posted December 19, 2005 in Log Management & Intelligence | Permalink

Visit loglogic.com

Subscribe to this blog’s feed

• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• November 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007
• January 2007
• December 2006
• November 2006
• October 2006
• September 2006
• August 2006
• July 2006
• June 2006
• May 2006
• April 2006
• March 2006
• February 2006
• January 2006
• December 2005
• November 2005
• October 2005
• September 2005

Blogroll

• CynergisTek
• Bruce Schneier
• InfoSecDaily

Compliance

• Continuity Central
• Compliance Pipeline
• SOX Compliance Journal
• Sarbanes-Oxley 101

Good Reading

• Log Management ROI
• Log Management Best Practices
• SANS Institute Log Management White Paper

LogLogic

• O’Reilly
• Anton Chuvakin
• LogLogic.Com
• Jian Zhen

LogLogic Partners

• Juniper Networks
• ONStor
• Counterpane
• Bluecoat

Sites We Watch

• The Merc
• CRN
• IT Architect
• The Reg
• Security Focus
• Slashdot
• TechWeb
• SANS
• C/Net
• CIO Insight
• InformationWeek
• Jamie Lewis - Burton Group
• eWeek
• IT Manager's Journal
• MIT Magazine
• VNU