RE: Setting up Arcsight/Tripwire

SPLUNK does not bill themselves as a SIEM (SIM, SEM, whatever the marketing name of the week) tool. They can take in logs and generate reports. They don't care what you throw at them as long as it is text based (i.e. they can monitor top, ps, or other scripted command outputs). They have the ability to parse and search information stored in a flat file format (i.e. Google for your log data). They do not have the ability to create tickets, track an incident, and other features that traditional SIEM tools offer.

I can't speak directly about Arcsight other than we did not choose them because the pre-sales support wasn't there for us in 2004. I did feel they would have shown to be the superior technology of the day, but that is 5 years ago.

I was about to rant about a competitor to Arcsight we used for a time but decided not to. It was too long. That competitor is being replaced with SPLUNK because SPLUNK fits our environment and needs better. The best answer to your question is to do a bake-off internally with both products. Really look at your particular use scenario. Look at the types of resources you have internally to manage the care and feeding of the product, keeping it updated as your security devices generate new logs from their updates. Some environments are better served by 'appliance' solutions, some by the ability to tailor the product as you see fit. What features do you really need? Just log, alert, report or also creating tickets on the fly, complex correlation, etc. Will it be 100% in house or a managed service?

David Henning

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Aseem Kumar
Sent: Wednesday, April 08, 2009 3:21 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: Setting up Arcsight/Tripwire

Is SPLUNK also similar to ArcSight, as it also captures different logs and provides reports?
If they both are similar, then which one is better suited in terms of easy implementation/configuration?