
Network World


Clear Choice Test

Security Information and Event Management


NetIQ Security Manager has solid SIEM foundation

By Greg Shipley, Network World, 06/30/2008

Editor's note: This is a summary of our testing of this product. For a full rundown of how it fared in our testing across SIEM categories, please see our full coverage.

NetIQ's Security Manager is a suite of Microsoft Windows-based software applications that provide the security functionality to complement NetIQ's existing AppManager performance and availability products. NetIQ sells the Security Manager product as both a stand-alone offering and an integrated component of AppManager. In our tests, we deployed it solo. As it currently stands, NetIQ has the foundations of a good SIEM platform in place, but Security Manager still requires improvements in a few critical areas.

Security Manager is the only product we tested that is delivered solely as software - a fact that yields a pretty high pain factor right from the get-go. Before we could even start the device provisioning process, we first had to install four Windows 2003 servers, two instances of SQL Server 2005 (one Enterprise Edition), SQL Server 2005 Analysis Services, and SQL Server 2005 Integrated Services. These installations were performed on dual-processor, dual-core systems with 4GB of memory, too, which is not exactly a lightweight helping of hardware. The Microsoft infrastructure had to be up and running before we could start the NetIQ software installation, which wasn't quick, either. After another set of about a dozen Security Manager component installations, we had to configure the NetIQ infrastructure, and then – and only then – could we start configuring devices to send log information.

A day of software installation, while painful, would have been tolerable if the pain ended there, but unfortunately it didn't. Because the NetIQ agents are unable to accept event feeds from differing device types (such as a Cisco firewall and a Snort IDS sensor), we had to deploy new agents for every new device type we brought online. Fortunately, NetIQ is aware of this problem and plans on releasing a more mature syslog agent later this year, but this oversight makes the product a real bear on the installation front.

Once up and running, the product contains the basics of a SIEM platform: principal levels of correlation for event reduction, a reporting engine, an alert viewer and an analysis workbench. Unlike most of the other SIEM products tested, however, NetIQ requires Windows "fat" clients to be installed on monitored devices, and there's an assortment of them in use, as we've noted above.
