• United States
Neal Weinberg
Contributing writer, Foundry


Aug 03, 20043 mins

* The Reviewmeister puts NetIQ's Security Manager to the test

Security event management is an important and growing area, so we put NetIQ’s Security Manager 5.0 to the test.

Security Manager comprises three main components: Event Manager, Intrusion Manager and Log Manager.

Event Manager is the central console that manages and displays security events.

Intrusion Manager watches incoming logs for signs of intrusion and either generates alerts or takes a defined action when an incident is suspected.

Log Manager is the workhorse, handling collection, standardization and archiving of all managed logs.

Security Manager is an agent-based product, with agents available for servers running various flavors of Windows and Unix/Linux. These agents cull the servers’ event logs. They perform initial rule analysis on the incoming events and forward them to a central database. Security Manager also includes a proxy agent – which must reside on a Windows machine – that effectively acts as a syslog server and taps into other security and network devices such as firewalls, intrusion-detection systems and routers.

Security Manager uses wizards to perform most tasks, such as agent installation and correlation definition. This is one of Security Manager’s greatest strengths, as each wizard maintains a consistent interface to minimize training. We used the agent installation wizard to install agents on our Windows and Unix systems, and to install proxy agents to capture Check Point, Snort and Cisco switch logs. Setup for Snort logging was simple and took just minutes following the instructions provided in the Security Manager documentation.

Through the NetIQ Development Console, administrators can create new data providers to handle logs from in-house applications or other third-party products not initially supported.

The Security Manager administrative interface operates as a Microsoft Management Console snap-in, so all aspects of this product are managed through a standard Windows interface. A Web console is also available. One nice feature to both interfaces is an easy access icon in the system tray that quickly launches commonly used wizards and consoles. Security Manager includes numerous different consoles – Analysis Console, Development Console and Incident Management Console, which are all accessible through the main Monitor Console.

Creating event correlation rules is also a simple process through the Correlation Wizard. We created our test correlation rules in minutes. Development Console also can be used to fully customize your rules.

A unique feature in Security Manager is the Incident Management component. Here, Security Manager can watch incoming events for signs of a known attack and alert security administrators when it finds something suspicious. Security Manager also includes some incident-tracking options, which let administrators enter company-related comments for flagged incidents.

Security Manager includes more than 300 default views of the data and reports of the data stored in the database. The three main categories are forensic, trend and summary reports.

Security Manager is a strong product in the security event management market. Its fairly Windows-centric design might not fit all organizations, but its ease-of-use while maintaining a high level of flexibility and complexity is impressive.

For the full report, go to