Skip to content
Data Analytics, Security Operations

Choosing a Centralized Log Management Solution: Top 5 Criteria

March 4, 2021

Once you decide to pursue centralized log management, you’ll find several options in the market. How do you choose the best solution for your needs? In this article we’ll discuss the top five criteria for comparing different centralized log management solutions so you can determine which one is right for your organization:

  1. Data ingest limits
  2. Tolerance for data source changes
  3. Ability to cater to end-user needs
  4. Built-in machine learning capabilities
  5. Control and customization of alerts

Data ingest limits 

Think about the upper limits of your data ingest needs. Are they consistent over time, or do you have periodic spikes in data at the end of the month, or during the holidays? Make sure you test how a prospective solution performs at the upper limits of your data ingestion needs. A CLM solution that slows to a crawl at peak times, or worse, drops data during peak times, is not the right choice.

Tolerance for data source changes

How does the CLM handle changes to data sources or format? Sometimes a data format change can negatively affect the ability of the CLM to ingest, parse, and store the data. Does a change in format break or adversely affect data ingestion? Does the CLM discard data that doesn’t fit into the schema?

If digital transformation is a key use case, you may want to consider keeping the raw data intact, since you may need the ability to re-analyze it later. You also need to decide how important the raw data is to your organization. Does the CLM store the data raw, or is the raw data lost after it is parsed and stored? Will you need to go back and re-examine your old data in new ways?

Ability to cater to end-user needs

The visualizations, dashboards, and features should be attuned to the needs of your users. Think about how your security professionals will use the CLM solution every day. What dashboards will they need to see? What are their most common workflows? Make sure you test your prospective CLM solution to see how easy it is (or isn’t) to move through these workflows. And don’t just test use cases for advanced users or power users. Give users of all skill levels some hands-on time with your prospective CLM solution and get their feedback on how intuitive they find it. Test the use cases for your Tier-1 analysts, too.

Remember, the value of the solution will be determined by the number of people who can effectively use it on a daily basis. Be sure to test both common and advanced uses cases. Give users of all skill levels some hands-on time with your prospective CLM solution and get their feedback on how intuitive they find it. Test if multiple users running simultaneous queries impacts system performance. Testing the performance of the entire system as multiple users run concurrent queries is an excellent measure of how the CLM will perform once you deploy it.

Build-in machine learning capabilities

Many solutions claim to offer artificial intelligence (AI) and machine-learning (ML) capabilities—but do they work for your use cases? Test these ML capabilities on your specific needs. In large enterprises, a CLM can collect a vast amount of security-related data. So, having help spotting anomalies, correlating events, and enriching data can take a big load off your analysts. Take the time to explore the ML/AI capabilities and how they can extend the capabilities of your team.

Control and customization of alerts

Most SecOps teams are drowning in alerts. It’s much more critical to receive meaningful alerts and notifications, and to have flexibility in alert policies. Can alerts be suppressed to prevent a flood? Do you have to set static alert thresholds, or can thresholds be dynamic?

Reducing alert noise and fatigue can significantly improve your analysts’ effectiveness. Sit down with analysts of all levels to get their perspectives on what exactly should trigger an alert, how they would resolve it, and the best way to distribute alerts to your team over different times of the day, week, and month. Also consider how alerts integrate with your processes. Do alerts integrate with other solutions your team relies on such as Slack, ServiceNow, and others?

To see the full story of how to deploy CLM the right way for your specific business needs, download the eBook The Shift Is On.

More Data. More Clarity. More Confidence.