25. Oct. 2013 by Helen
There are basically two types of log analysis solutions: a typical desktop application and a full-blown SIEM (Security Information and Event Management) product. At first, both may seem quite similar, since when it comes down to essentials, they are all about processing log files. But when you start analyzing spec sheets, you will very soon find out that they are actually totally different.
From a complexity point of view, a representative of the desktop application genre, Retrospective, can be compared to a six-piece jigsaw puzzle that a two-year-old can handle. Setup and configuration take less than two minutes, and the intuitive interface lets you start searching log files effectively without weeks of training. SIEM, on the other hand, is like a 1000-piece double-sided jigsaw puzzle picturing a clouded sky. Configuring the core functionality and installing agents on each monitored server require much expertise and take a lot of time.
Of course the 1000 piece puzzle comes with a much higher price tag. Depending on the volume of data processed and stored, you may have to pay as much as $3000 each month for the service. Obviously you don’t go there unless it’s really necessary, especially since you can get a lifetime enterprise license for Retrospective for a fraction of that amount.
Can you imagine going through the installation and configuration of Splunk only to check your web server log file and investigate the reason for the downtime? Me neither. Ad-hoc analysis is one of the things SIEM was never made for. Desktop applications such as Retrospective allow browsing remote log files without installing agents on the remote hosts or changing the network configuration to allow specific traffic. It is only a matter of providing user credentials and pointing to the location of the log files to process.
A function available with SIEM solutions that is not possible with desktop applications is storing the processed log files. So if you need to store and index your log files for regulatory reasons, or for compliance, governance or audit requirements, you will need a SIEM solution, as desktop apps like Retrospective or BareGrep are unable to provide this service. Retrospective does allow you to save your search results, but that is all.
SIEM solutions often mention ‘big data’ in their marketing content. In practice it means the product comes with a lot of features that you might never use if the only thing you need is the ability to search for what is interesting to you. Retrospective leaves log files exactly where they are and processes them upon your request. It is as simple as that.
Splunk is also offered as a service, but since the data is hosted outside your network infrastructure, you become very dependent on the performance of your internet connection. This might get quite frustrating when trying to access data on a busy day with your connection maxed out, not to mention a scenario in which your connection decides to go down: no access to your precious search engine, or to anything else.
Retrospective's search engine implements multithreaded searching of remote log files, which makes it much faster than BareGrep or WinTail.
I've never been good at Linux grepping and never really got around to mastering regular expressions. I haven't used the tail command even once. awk has always been magic to me, and so was sed. If you're anything like me, you will be surprised how effective and convenient Retrospective can be at searching log files.
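To make the multithreaded, grep-style search described above concrete, here is an added example in Python. It is not Retrospective's code and not from the original post; it assumes the remote logs have already been fetched as text (no SSH or agent logic is shown) and uses two constructed sample logs, one Apache-style access log and one application log, to reproduce the "why was the web server down" ad-hoc investigation from earlier in the post.

```python
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

# Constructed sample logs (not from the page), keyed by a hypothetical
# "host:path" source name as if fetched from two remote hosts.
SAMPLE_LOGS: Dict[str, str] = {
    "web01:/var/log/apache2/access.log": "\n".join([
        '10.0.0.5 - - [25/Oct/2013:09:58:01 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.0.0.7 - - [25/Oct/2013:09:59:12 +0000] "GET /api/v1/orders HTTP/1.1" 503 0',
        '10.0.0.7 - - [25/Oct/2013:09:59:13 +0000] "GET /api/v1/orders HTTP/1.1" 503 0',
        '10.0.0.9 - - [25/Oct/2013:10:00:40 +0000] "POST /login HTTP/1.1" 200 128',
    ]),
    "app01:/var/log/app/server.log": "\n".join([
        "2013-10-25 09:59:10 ERROR Connection pool exhausted (max=20)",
        "2013-10-25 09:59:11 WARN  Upstream returned 503 for /api/v1/orders",
        "2013-10-25 10:00:30 INFO  Pool recovered, 3 connections idle",
    ]),
}

Match = Tuple[str, int, str]  # (source, line number, line text)


def search_one(source: str, text: str, pattern: re.Pattern) -> List[Match]:
    """grep-style scan of a single log: return every line matching the regex."""
    hits: List[Match] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if pattern.search(line):
            hits.append((source, lineno, line))
    return hits


def search_logs(logs: Dict[str, str], regex: str, workers: int = 4) -> List[Match]:
    """Search several logs concurrently, one worker thread per log.

    With real remote logs the threads overlap network/disk I/O; here the logs
    are in-memory strings (assumption), so the point is the structure.
    Results are sorted by source and line number so the output is deterministic.
    """
    pattern = re.compile(regex)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(search_one, src, text, pattern)
                   for src, text in logs.items()]
        results = [m for f in futures for m in f.result()]
    return sorted(results, key=lambda m: (m[0], m[1]))


def count_by_status(hits: List[Match]) -> Dict[str, int]:
    """Count HTTP status codes in matched access-log lines (trailing '"STATUS BYTES')."""
    status_re = re.compile(r'" (\d{3}) \d+$')
    counts: Dict[str, int] = {}
    for _, _, line in hits:
        m = status_re.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    # Correlate the 503s in the access log with the application's own errors.
    for src, n, line in search_logs(SAMPLE_LOGS, r"\b503\b|pool exhausted"):
        print(f"{src}:{n}: {line}")
    # Which server-side status codes appeared? -> {'503': 2}
    print(count_by_status(search_logs(SAMPLE_LOGS, r'HTTP/1\.1" 5\d\d')))
```

The first query is the equivalent of running `grep -nE` across both files at once; the second narrows to 5xx responses and tallies them, which is the kind of quick check that does not justify deploying SIEM agents.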
I know that we live in Web 2.0 times and everything is in the cloud, accessible through a web browser. The point is that a web browser never provides as good a user experience as a well-designed and well-implemented desktop application. Retrospective features a tabbed interface and allows exploding each tab into a separate window, which takes advantage of multi-screen setups.
Here’s a quick comparison between Retrospective, Splunk, Sumologic, XpoLog, BareGrep and WinTail covering essential features.
Be wise when spending your money. Invest in SIEM solutions only if you are obliged by regulations to store and process log files, or if doing so will bring revenue. If you need to supervise your server farm or troubleshoot a malfunctioning system, a desktop application is the way to go. Go ahead and download Retrospective and give it a try. You won't regret it.