ArcSight has announced the 5.0 version of its Logger log management software. Logger 5 stores and indexes logs from more than 300 sources, such as firewalls, network devices and more. It includes structured and unstructured search capabilities, allowing IT to run queries against the logs for troubleshooting, investigations and other uses. ArcSight offers an introductory version of the software for $49, which lets customers collect up to 750Mbytes of log data per day from as many as 10 devices, for a total of 500Gbytes. Customers can upgrade to an enterprise version that starts at $7,500. Logger 5 is also available in four appliance versions, starting at $20,000.
While ArcSight is best known for its security-oriented products, the company is positioning Logger for other IT groups as well, including compliance, operations and help desks. "If you have your log management system so siloed that it's only in security, you aren't leveraging it effectively," says Jasmine Noel, founding partner at the IT consultancy Ptak Noel and Associates. "Logging products are getting more interesting now because people realize log data can be used in different ways. Security uses it one way, operations uses it for other things." For example, ArcSight says Logger 5 offers new functions for IT operations, such as the ability to analyze CPU utilization or application runtime stack-trace reporting.
Search is key to making log data more useful to IT groups. "With the type of questions that IT has to answer, you need to find connections between different types of data, and ad hoc querying is useful for that," says Noel. Other log management products also offer strong search capabilities, including Splunk and LogRhythm. The $49 version of Logger includes full search and reporting capabilities, but limits customers to 500Gbytes of uncompressed log data. If customers exceed that limit, Logger will continue to save logs, but freezes out the search and reporting functions on the additional data. Customers can delete data to stay below the 500GB limit.
The starter version also restricts log sources to a handful of syslog-based connectors, including devices from Cisco Systems, Windows and Check Point. Customers must upgrade to the enterprise software or appliance version to get access to ArcSight's complete library of connectors.
Splunk offers a free version of its logging software that accepts up to 500Mbytes of logs per day, but will index any amount of stored log data. Splunk's free version does not limit the types of log sources that can be consumed. Logger 5.0 runs on Red Hat, Oracle Linux or CentOS, and can run inside a virtual machine. ArcSight plans to support additional operating systems in a future release. Noel says ArcSight's strategy of releasing a low-cost version may pay off down the road. "Software products in general are great for downloading and trying out," she says. However, as the amount of log data grows, she anticipates customers will migrate toward the appliance option. "If you are into terabytes of data, that's when hardware/software combos shine because they've been optimized."