Neal Weinberg
Contributing writer, Foundry


Jan 27, 2004

The Reviewmeister looks at security event management product ArcSight 2.5

You can call them SIM, you can call them SEM, you can even call them ESM, but whatever you call these security event management products, the goal is to make sense of the reams of information your security infrastructure spits out.

The Reviewmeister looked at several of these products, so let’s start with ArcSight 2.5, which scored high marks for its ease of use, flexibility and administration interface.

With SEM products, there is considerable discussion about agent and agentless products. The word agent conjures up thoughts of a piece of software running on monitored devices. These products blur that line a bit.

ArcSight uses agents, but it also can run agentless. But if you go this route with ArcSight, you lose some of the features the agents provide, such as agent-level filters for events you don’t want logged to the central server.

We found that ArcSight has the best agent installation process. Its agent install program looks the same across platforms, provides a full list of devices to select and includes detailed installation instructions.

The installation team came in to configure the device for our lab environment and set everything up so alerts and events were being sent to their system from three initial devices in our test bed – a NetScreen firewall, a Cisco VPN Concentrator and a Cisco Catalyst switch – which all logged directly to syslog. The ArcSight configuration took about four hours.

After getting our devices set up, we launched scans from Nessus and Internet Security Systems’ Internet Scanner to trigger firewall, Snort and system events. We created various filters, correlations and alerts on each product. ArcSight provided the best method of creating filters and correlation rules, and you are only limited by your imagination.

ArcSight also provides the best means of supporting proprietary or unsupported logs. Its Flexagent lets you quickly parse a log file to use in filters and correlation rules.

We spent a good deal of time setting up devices under each SEM product framework. Systems logging to syslog were usually the easiest, but we even hit a few snags with those – what port to use, what facility to use. Windows event logging was also tricky, usually being the one device that definitely required an agent on the actual Windows server. All products supported Check Point firewall logs, but this was not easy to set up for any product. Check Point has always made its product more complicated than it needs to be, and logging setup continues this tradition.
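To make the parse, filter and correlate pipeline described above concrete, here is an added Python sketch; it is not ArcSight code, and the device message bodies are invented for illustration. It normalizes syslog lines from the three test-bed devices (splitting the PRI field into facility and severity, which is where the "what facility to use" snag comes from), applies an agent-level severity filter and fires two correlation alerts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed syslog lines modelled on the test-bed devices (NetScreen firewall,
# Cisco VPN Concentrator, Catalyst switch); bodies are illustrative, not real formats.
SAMPLE_LOG = """\
<132>Jan 27 10:00:01 fw1 NetScreen: deny src=10.0.0.5 dst=192.168.1.10 port=22
<132>Jan 27 10:00:02 fw1 NetScreen: deny src=10.0.0.5 dst=192.168.1.11 port=22
<134>Jan 27 10:00:03 fw1 NetScreen: permit src=10.0.0.9 dst=192.168.1.20 port=443
<189>Jan 27 10:00:04 sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Fa0/1, changed state to up
<132>Jan 27 10:00:05 fw1 NetScreen: deny src=10.0.0.5 dst=192.168.1.12 port=22
<131>Jan 27 10:00:06 vpn1 VPN: auth-fail user=bob src=10.0.0.5
"""
LINE = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Normalise one syslog line; the PRI field encodes facility*8 + severity."""
    m = LINE.match(line)
    if not m:
        return None
    pri, ts, host, msg = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    ev = {"facility": pri // 8, "severity": pri % 8, "host": host, "msg": msg,
          "time": datetime.strptime(ts, "%b %d %H:%M:%S")}
    ev.update(KV.findall(msg))  # src=, dst=, user= ... become event fields
    ev["action"] = msg.split(":", 1)[1].split()[0] if ":" in msg else ""
    return ev

def agent_filter(ev):
    """Agent-level filter: drop informational and debug noise before forwarding."""
    return ev["severity"] <= 5

def correlate(events, threshold=3, window_s=60):
    """Rule 1: repeated denies from one source. Rule 2: deny then VPN auth failure."""
    alerts, denies = [], defaultdict(deque)
    for ev in events:
        src, q = ev.get("src"), denies[ev.get("src")]
        if ev["action"] == "deny":
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_s:
                q.popleft()  # slide the window forward
            if len(q) == threshold:
                alerts.append(f"{src}: {threshold} firewall denies within {window_s}s")
        elif ev["action"] == "auth-fail" and q:
            alerts.append(f"{src}: VPN auth failure after firewall denies")
    return alerts

def run(log=SAMPLE_LOG):
    events = [e for e in map(parse, log.splitlines()) if e and agent_filter(e)]
    return events, correlate(events)
```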

Because security analysts will spend many hours a day looking at the SEM interface, the GUI should be intuitive, easy to use and helpful. ArcSight provides the most flexible interface and is still easy to use in spite of everything you can do with it. You can configure your workspace with any number of graphs and views, all completely customizable. You can drill down to more detailed information at just about every point, and you can turn anything into a graph.

For the full report, go to