ArcSight Data Platform - Logger
September 2018
Agenda
What is Logger?
Standalone Logger
ArcSight Data Platform – ADP Logger
Logger Components & Architecture
Logger Value Proposition
Competition
Why Logger?
What is Logger?
[Diagram: Sources (Cloud Workloads, Servers & Apps, Network, Endpoint, Users, IoT) feed the ArcSight Data Platform (Management Console, Event Broker, Data Management), which feeds ArcSight Analytics (SIEM, Enterprise Hunt, Data Lake, Third Party Applications, User Behavior Analytics, Security Tools).]
In standalone mode, Logger consumes events directly from sources.
Quick searches and 12 TB addressable storage per node.
Standalone Logger and ADP Logger
Standalone Logger
Used without ADP
Can consume events from raw devices or Connectors
ADP Logger
Consumes events from raw devices, Event Broker or from Connectors
Consumption license centrally managed by ArcMC
Logger Components & Architecture
Logger Components
Receivers
Receives events from SmartConnectors, FlexConnectors, Files, Network Connections
ADP Logger can also receive events from Event Broker
Forwarders
Forwards events to ArcSight ESM, other Connectors, other Syslog or any TCP or UDP downstream device
Storage Groups
Allow for the separation of events by retention period or by event type
Search
Google-like search for events over time; pipeline operators provide transformations and quick charts
Dashboards
Visual summaries of activity over time, top entities
Reports
Repeatable, ad-hoc or scheduled, long term analysis and summary of events suitable for Management as well as Analysts
Lookups
Dynamic comparisons with external sources of information, such as a list of malicious domains or blacklisted IP addresses
Alerts
Both near real time and scheduled
Quick time to value through log analysis and dashboards
Take advantage of ArcSight CEF Categories to quickly build powerful searches.
Finding all failed login attempts across ANY device in your organisation is as simple as:
categoryBehavior = "/Authentication/Verify" AND categoryOutcome = "/Failure"
Logger easily turns your searches into meaningful dashboards used across your enterprise.
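To show why a category-based search is device-agnostic, here is an added Python illustration (not Logger's code, and not an implementation of its query engine): four constructed events from different products and a hypothetical mini-evaluator for the slide's expression, which matches the Windows and sshd failures but not the successful logon or the firewall deny.

```python
import re

# Constructed sample events (not real Logger data), already carrying the
# ArcSight category fields a SmartConnector assigns during normalisation.
EVENTS = [
    {"deviceProduct": "Windows", "name": "An account failed to log on",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure"},
    {"deviceProduct": "sshd", "name": "Failed password for invalid user",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure"},
    {"deviceProduct": "Windows", "name": "An account was successfully logged on",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success"},
    {"deviceProduct": "ASA", "name": "Deny tcp src outside",
     "categoryBehavior": "/Access", "categoryOutcome": "/Failure"},
]

# One `field = "value"` term of the deck's search expression.
TERM = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_query(query):
    """Parse `field = "value" AND field = "value" ...` into (field, value) pairs.

    Hypothetical mini-evaluator for this illustration, not Logger's engine:
    only equality terms joined by AND are supported; anything else is rejected.
    """
    terms = []
    for chunk in re.split(r'\s+AND\s+', query.strip()):
        m = TERM.match(chunk)
        if not m:
            raise ValueError(f"unsupported term: {chunk!r}")
        terms.append((m.group(1), m.group(2)))
    return terms


def search(events, query):
    """Return the events for which every term of the query holds."""
    terms = parse_query(query)
    return [e for e in events if all(e.get(f) == v for f, v in terms)]


# The expression from the slide: failed authentication, whatever the device.
FAILED_LOGINS = 'categoryBehavior = "/Authentication/Verify" AND categoryOutcome = "/Failure"'


def failed_logins_by_product(events=EVENTS):
    """Count matches per device product: Windows and sshd both appear,
    the successful logon and the firewall deny do not."""
    counts = {}
    for e in search(events, FAILED_LOGINS):
        counts[e["deviceProduct"]] = counts.get(e["deviceProduct"], 0) + 1
    return counts


if __name__ == "__main__":
    print(failed_logins_by_product())  # {'Windows': 1, 'sshd': 1}
```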
120+ Searches, Filters and Reports Included
Dozens of search filters and reports allow you to immediately analyse and deliver quality dashboards and reports within minutes.
Storage Groups
Up to 100 Storage Groups help segregate data with different access rights, retention and priority
Store highest priority events online for a longer period of time
Prioritize storage so disk cost is reduced and optimised
Scheduled and Real Time Alerts
Be alerted in near-real time as soon as a critical event occurs, such as “A USB storage key was inserted into a critical server”.
Quick Searches
Searches can be free text, like Google.
Start with a simple search and let Logger help you define your next search or pivot.
Turn a search into a visualisation easily.
ArcSight Data Platform Logger
Secure Data Integration
Micro Focus SecureData provides Format-Preserving Encryption (FPE).
ArcSight SmartConnectors apply the FPE to one or more fields.
ArcSight Logger provides on-demand clear/FPE display, with access defined by Role.
Logger Value Proposition
Straightforward event consumption for both standalone and ADP
Long term storage
Quick search – Google-like search across fields and any text. Bloom filters allow unmatched speed across billions of events.
Repeatable Reporting
Scalable Performance, up to 12 TB per instance, and up to 100 peers. Log Management that scales.
Typically less-expensive longer term storage thanks to high levels of compression (around 7:1 – 10:1)
Peer based searching allows transparent scale out without operational disruption
NIST 800 compliant log archiving to NAS, DAS or any medium with no time limit.
Archive and hash digest all events to guarantee event integrity
Granular Role Based Access – only the right people can see sensitive information
Competition
Splunk
Multiple Splunk Data Models with varying normalization make Big Data analysis near-impossible
More Expensive. Even more so as data volumes grow. Filtering & Aggregation are difficult and problematic.
Poor Compliance solution – allows for deletion of events in data store
LogRhythm
Appliance-only offering
Limited device support
Custom log sources hard to support
Elastic
Takes a lot of time to configure and structure data (build your own filters)
Fine grained JSON, XML and programming skills required to deliver near-Logger quality dashboards and reports
Is a plethora of applications, widgets and configuration files (Elastic, Kibana, Logstash and many plugins such as GROK)
Sizing and Capacity
Software Logger
5 GB / day minimum, steps of 5 GB/day up to 500 GB/day
Appliance Logger
L7600 5 GB / day minimum, steps of 5 GB/day up to 250 GB/day
12 TB Addressable Storage per Logger instance
Can mix and match peering to software and appliances
Up to 100 peers – transparent searching across all peers
High availability can be achieved by using Logger destination pools (from SmartConnector)
HA appliances can be used to ingest a second copy of all events in case of primary failure
Why Logger?
ArcSight Logger is a Universal Log Management solution that can Collect Everything, Analyze Anything and can be Used Anywhere.
ArcSight Logger unifies searching, reporting, alerting and analysis across ANY type of enterprise log data.
ArcSight Logger supports multiple deployment options and can be installed as an Appliance or as Software or as a Virtual Machine.
Supports Cyber Security, Compliance, IT Operations, GRC, and Log Analytics.
Plays a key role in high-integrity long-term event archiving and reporting within the ArcSight Data Platform.
[Diagram: Logger nodes shown within the ArcSight Data Platform (Management Console, Event Broker, Data Management), between Sources (Cloud Workloads, Servers & Apps, Network, Endpoint, Users, IoT) and ArcSight Analytics (SIEM, Enterprise Hunt, Data Lake, Third Party Applications, User Behavior Analytics, Security Tools).]
Thank you.
www.microfocus.com