GFI Product Comparison: GFI EventsManager 2013 vs. SolarWinds Log & Event Manager

Feature comparison: GFI EventsManager 2013 vs. SolarWinds Log & Event Manager

(The original is a two-column tick table; the per-product tick marks did not survive transcription, so only the row labels and the cells that carried text are reproduced.)

Deployment: SolarWinds Log & Event Manager is delivered as a virtual appliance.
Network discovery: Windows domains.
Data retention / save log entries to database: file-based proprietary storage engine.

Features
- Installs prerequisites automatically
- Real-time event log monitoring
- Real-time event log archiving
- Indexes log data
- Dynamic columns and normalization of Windows event data
- Drill-down browsing
- Ability to automatically interpret and categorize events based on built-in intelligence offered by the vendor as well as other criteria (during/outside normal operational time, etc.)
- Data centralization and management functionality (from multiple instances or appliances) with various options to import, back up, delete and move data from/into main, backup, custom or rollover databases or backup files
- Out-of-the-box configuration (predefined computer groups, configured to use appropriate processing rules)
- Role-based authentication in the console
- Audit the actions of users operating the application
- Dashboard views available
- Real-time operations status and statistics available on the dashboard
- Real-time "top important logons" statistics available on a dedicated dashboard
- Real-time "critical and high importance events" statistics available on a dedicated dashboard
- Real-time "top Windows service status" statistics available on the dashboard
- Real-time "top network activity events" statistics available on the dashboard (based on Windows Vista events)
- Filter events based on basic event information: category, source, computer, etc.
- Advanced filtering for general forensics and breach investigation: filter events based on extended event information (SolarWinds: to a certain extent, see note 1)
- Monitor Syslog devices (routers, firewalls, switches) and/or Linux, Unix computers
- Built-in SNMP trap server for monitoring routers, firewalls, switches, sensors, etc.

Note 1: The product allows searching for any kind of information using the inDepth technology, but does not allow complex filtering criteria that contain field names and matching values.

Features (continued)
- Detect if machines respond slowly or do not respond to PING
- Detect if there are no volumes encrypted by Microsoft solutions (i.e., BitLocker)
- Detect if there are disk volumes that are getting full
- Detect and integrate summaries of scan results from vulnerability scanners: missing patches, service packs, open ports, antivirus presence and status, and unauthorized applications installed
- Monitor Windows .EVT(X) formats
- Monitor Windows custom logs in .EVT(X) format
- Support for collecting text-based logs, any format
- Monitor Microsoft SQL Server: C2-style auditing
- Monitor Oracle 9, 10, 11 servers
- Monitor W3C / W3C EXT logs (Microsoft IIS, Exchange, ISA)
- Out-of-the-box support for native SharePoint events (embedded or through 3rd party tools)
- Monitor various Windows events generated by applications such as antivirus software, Exchange servers, ISA servers, web servers, etc.
- Change monitoring
- Detect inactive users and inactive domain machines
- Detect if Microsoft firewalls are not enabled
- Detect if IPSec policies are not assigned
- User-based activity monitoring
- Security policy monitoring
- Authorization and authentication mechanisms monitoring
- Health monitoring
- Performance monitoring (GFI: integrates with GFI LanGuard)
  (In the SolarWinds column, three of the monitoring rows above are qualified as "based on logs".)
- Flexible reporting (SolarWinds: see note 2)
- Running correlation rules on historical data (SolarWinds: see note 3)
- File monitoring (GFI: limited, integrates with GFI EndpointSecurity)
- USB control (GFI: limited, integrates with GFI EndpointSecurity)

Note 2: Limited by the Crystal Reports framework, which runs predefined templates that cannot be changed in terms of layout and columns. On Windows 7 the reporting application (a separate install) was unstable and crashed.

Note 3: The vendor does not offer such functionality; however, they claim to have "correlation", where "correlation" is defined in the manuals (a small paragraph) as a time-based threshold. EventsManager offers the same functionality, but it is not called "correlation".

Features (continued)
- Event handling based on fully customizable processing rules
- Ability to identify actions performed by users with administrative privileges on Windows systems, based on real-time monitoring and privilege change history (SolarWinds: to a certain extent, see note 4)
- Automatic synchronization of the list of machines with the machines registered in AD
- Built-in intelligence to interpret, categorize and translate events
- Noise reduction
- Technical reports available
- Statistical reports available
- Account usage reports
- Account management reports
- Policy changes reports
- Object access reports
- Application management reports
- Print server reports
- HTTP activity reports
- Windows Event Log system reports
- PCI compliance reports
- SOX compliance reports
- GLBA compliance reports
- HIPAA compliance reports
- GCSx Code of Connection compliance reports
- Real-time alerting (GFI: SMS/Email/NetMessage)
- Reactivity: run code, perform actions on detection of certain events
- Scalability (GFI: only limited by the hardware, 2 billion events on average server hardware; SolarWinds: 230 GB storage for the database, around 230M events per appliance)
- Advanced monitoring features in terms of availability and performance (SolarWinds: separate product, SolarWinds Network Performance Monitor)
- Monitoring of network protocols via generic TCP/IP check (GFI: will be present in the next release)

Note 4: The product identifies events generated by users who are CURRENTLY members of administrative groups. EventsManager identifies events generated by users who were members of the administrative groups AT THE TIME WHEN THE EVENT OCCURRED. It is a very important difference.

Service and node monitoring
(In the SolarWinds column each row below is marked "Separate product", either SolarWinds Network Performance Monitor (NPM) or SolarWinds Server & Application Monitor (SAM), as indicated.)
- Monitoring of network devices via SNMP and WMI (SolarWinds: separate product, NPM)
- Monitoring of server services – Web servers – URL availability, ISA/TMG servers, etc. (SolarWinds: separate product, SAM)
- Monitoring of server services – Mail servers – Exchange, IMAP, SMTP, POP3, email route, etc. (SolarWinds: separate product, SAM)
- Monitoring of server services – NNTP (SolarWinds: separate product, SAM)
- Monitoring of server services – NTP (GFI column marked "?"; SolarWinds: separate product, SAM)
- Monitoring of server services – Database servers – SQL, ADO, ODBC (SolarWinds: separate product, SAM)
- Monitoring of server services – Terminal services (SolarWinds: separate product, SAM)
- Monitoring of server services – Print servers (SolarWinds: separate product, SAM)
- Monitoring of infrastructure services – Active Directory / LDAP (SolarWinds: separate product, SAM)
- Monitoring of infrastructure services – DHCP (SolarWinds: separate product, SAM)
- Monitoring of infrastructure services – DNS (SolarWinds: separate product, SAM)
- Monitoring of infrastructure services – WINS (SolarWinds: separate product, SAM)
- Node monitoring – Windows – node availability (SolarWinds: separate product, NPM)
- Node monitoring – Windows – availability of resources and services (SolarWinds: separate product, NPM)

- Node monitoring – Windows – performance (SolarWinds: separate product, SolarWinds Network Performance Monitor)
- Node monitoring – Windows – script output (SolarWinds: separate product, SolarWinds Network Performance Monitor)
- Node monitoring – Linux/Unix – node availability (SolarWinds: separate product, SolarWinds Network Performance Monitor)
- Node monitoring – Linux/Unix – script output (SolarWinds: separate product, SolarWinds Network Performance Monitor)
- Node monitoring – Linux/Unix – availability of resources and services (SolarWinds: separate product, SolarWinds Network Performance Monitor)

Competitor Weaknesses and EventsManager Strengths

Competitor weakness: The product lacks built-in support for scanning the native audit logs of SQL Server and Oracle database servers.
EventsManager strength: The product offers additional scanning capabilities: it can monitor database servers, native SharePoint events and IBM iSeries events (through 3rd party apps).

Competitor weakness: The product does not offer even minimal preconfigured event source groups based on log type or functional role.
EventsManager strength: The product ships with many predefined groups that have associated correlation rules based on the type of device (e.g. Windows domain controllers, Exchange servers, SQL Server servers, Oracle servers, etc.).

Competitor weakness: Detection of the activities of users with administrative privileges is limited, although it is critical for compliance. The product does not take group dynamics into consideration: a user's group membership may change between the time an event is logged and the time the event is collected or used in reports and filtered views. Thus the product can only identify actions of administrators if the user is still an administrator when the product collects the entry. This is not enough for compliance, because incidents often involve changing account membership after the account was used to cause the incident (i.e., a hacked admin account is used for malicious activity and immediately removed, disabled or moved to the Users group, so the trace is lost). In highly distributed, medium-sized environments this can easily happen.
EventsManager strength: The product records the group dynamics of user groups with administrative privileges and is able to determine with 100% accuracy whether the user triggering a log entry was an administrator at the time when the event was logged, which is exactly what PCI compliance, for example, requires, irrespective of when the log entry is collected by the product or used in reports.

Competitor weakness: Compliance functionality is limited to log-related tasks.
EventsManager strength: Compliance functionality is extended to cover some security-related aspects, such as identification of inactive user accounts (a direct PCI requirement to disable them), non-responsive machines, disks getting full, etc.

Competitor weakness: Cannot monitor text files.
EventsManager strength: The product can monitor text logs based on a user-defined, customizable schema, greatly enlarging its log collection coverage.

Competitor weakness: Filters and searches are based on regular expressions only. In Windows environments it is very difficult, sometimes impossible, to build filters and searches this way.
EventsManager strength: Filtering and searching work at a very granular level, supporting both regular expressions and Windows advanced filtering based on the extended tags of Windows events.

Competitor weakness: There is no option to synchronize the list of machines that need to be monitored with the machines registered in AD.
EventsManager strength: The product offers an insightful dashboard presenting critical information generated from the event logs that have been collected. The dashboard graphs offer advanced filtering capabilities which can quickly point out the problems found in the network. It can even send daily notifications with an image of the most important events that have occurred in the network.

Competitor weakness: Lack of flexibility in reporting: although the number of default reports is high, the framework in use does not allow column-based customization or layout changes. The only customization possible concerns rows (filtering) and schedule.
EventsManager strength: Very flexible reporting enables the creation of reports that include any field (column) and any filter (row), together with various layout options.

Competitor weakness: The virtual appliance implies extra costs from the hardware requirements of running vSphere or Hyper-V. These costs become increasingly important in highly distributed environments with small numbers of machines per site.
EventsManager strength: The product can be installed on any regular machine if the load it has to handle is not too high. It has specific functions built in for highly distributed environments, enabling data centralization over non-persistent connections, etc.

Competitor weakness: Difficult to deploy, configure and run, despite being packaged as a virtual appliance. Separate modules need to be installed for reporting and for collection, and the overall product architecture is complex.
EventsManager strength: Easier to install, configure and run because everything is already in the product (no need to install anything else or configure network infrastructure), there is a built-in AD sync function, and wizards are present throughout.

Competitor weakness: Active network and server monitoring functionality is offered in two additional products at significant extra cost.
EventsManager strength: Active network and server monitoring functionality is integrated into the product at no extra cost.

Competitor weakness: The product does not offer the ability to react to the information it finds.
EventsManager strength: The product can run scripts, code or third party applications when certain incidents occur.

Competitor weakness: The product lacks out-of-the-box functionality and, consequently, pre-configured items (except pre-configured reports).
EventsManager strength: The product offers preconfigured role-dependent computer groups, processing rules and filters, removing the need to know in advance which events to look for or which logs to scan. At the same time it offers a large number of preconfigured reports, including compliance-related ones.

Conclusion

Overall, SolarWinds Log & Event Manager provides a solution that offers more coverage by default when it comes to network devices and network activity, but fewer features in terms of log type support, compliance and forensics, at a higher TCO and with higher maintenance costs because it is harder to manage and use. EventsManager, on the other hand, provides the flexibility to support practically any kind of log and device, together with good defaults and many useful features for compliance and security tasks, while keeping a good value-for-money ratio. Additionally, EventsManager offers integrated active network and server monitoring at no extra cost, whereas the competitor's solution requires purchasing other products.
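The distinction drawn in note 4 of the feature table and in the privileged-user row of the weaknesses/strengths comparison (membership at the time of the event versus membership at the time of collection) can be shown with a small replay of a group-membership change log. The Python below is an added example written for this page, not code from either product; the accounts, group names, timestamps and Windows event IDs are constructed sample data, and the membership log is assumed to be an append-only record of add/remove operations on the administrative groups (nested group membership is not handled).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: an append-only log of add/remove operations on
# administrative groups (as a directory audit trail would record them) and a
# handful of security events attributed to user accounts. Names, times and
# event IDs are illustrative, not taken from either product.


@dataclass(frozen=True)
class MembershipChange:
    when: datetime
    user: str
    group: str
    action: str  # "added" or "removed"


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    event_id: int
    description: str


ADMIN_GROUPS = {"Domain Admins", "Administrators"}

T0 = datetime(2013, 8, 1, 9, 0, 0)          # start of the incident window
COLLECTED_AT = T0 + timedelta(hours=3)      # when the collector reads the logs

MEMBERSHIP_LOG = [
    MembershipChange(T0 - timedelta(days=30), "alice", "Domain Admins", "added"),
    MembershipChange(T0 - timedelta(days=30), "bob", "Domain Admins", "added"),
    # bob's admin account is used at T0+5min and dropped from the group a
    # minute later: the pattern the page describes as "the trace is lost"
    MembershipChange(T0 + timedelta(minutes=6), "bob", "Domain Admins", "removed"),
    # carol is promoted only after the incident
    MembershipChange(T0 + timedelta(hours=2), "carol", "Domain Admins", "added"),
]

EVENTS = [
    Event(T0 + timedelta(minutes=5), "bob", 4720, "user account created"),
    Event(T0 + timedelta(minutes=5, seconds=30), "bob", 4732,
          "member added to a security-enabled local group"),
    Event(T0 + timedelta(minutes=10), "alice", 4624, "successful logon"),
    Event(T0 + timedelta(hours=1), "carol", 4624, "successful logon"),
]


def members_at(log, groups, when):
    """Replay the change log up to and including `when` and return the users
    who were members of any of `groups` at that instant. A change stamped at
    exactly `when` counts as already applied."""
    members = set()
    for change in sorted(log, key=lambda c: c.when):
        if change.when > when or change.group not in groups:
            continue
        if change.action == "added":
            members.add(change.user)
        elif change.action == "removed":
            members.discard(change.user)
    return members


def admin_events_by_current_membership(events, log, groups, collected_at):
    """Weaker classification: an event is 'administrative' if its actor is an
    admin when the collector looks, whatever the event's own timestamp."""
    current = members_at(log, groups, collected_at)
    return [e for e in events if e.user in current]


def admin_events_at_event_time(events, log, groups):
    """Classification the page attributes to EventsManager: resolve the
    actor's membership at the event's own timestamp."""
    return [e for e in events if e.user in members_at(log, groups, e.when)]


def compare(collected_at=COLLECTED_AT):
    """Return the set of actors each approach flags as administrators."""
    by_current = {e.user for e in admin_events_by_current_membership(
        EVENTS, MEMBERSHIP_LOG, ADMIN_GROUPS, collected_at)}
    at_event_time = {e.user for e in admin_events_at_event_time(
        EVENTS, MEMBERSHIP_LOG, ADMIN_GROUPS)}
    return by_current, at_event_time


if __name__ == "__main__":
    current, historical = compare()
    print("flagged by current membership:  ", sorted(current))
    print("flagged by membership at event: ", sorted(historical))
```

With collection three hours after the incident, the current-membership approach flags alice and carol (carol was not an administrator when her logon occurred) and loses both of bob's actions, while the at-event-time approach flags alice and bob. Because a change stamped at exactly the event's time is treated as already applied, the membership log and the event source must share a clock (or be normalised to one) for that boundary to mean anything, and the membership log is only as trustworthy as the audit trail it is taken from.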

USA, CANADA AND CENTRAL AND SOUTH AMERICA
4309 Emperor Blvd, Suite 400, Durham, NC 27703, USA
Telephone: 1 (888) 243-4329
Fax: 1 (919) 379-3402
ussales@gfi.com

ENGLAND AND IRELAND
Magna House, 18-32 London Road, Staines, Middlesex, TW18 4BP, UK
Telephone: 44 (0) 870 770 5370
Fax: 44 (0) 870 770 5377
sales@gfi.com

EUROPE, MIDDLE EAST & AFRICA
GFI House, San Andrea Street, San Gwann, SGN 1612, Malta
Telephone: 356 2205 2000
Fax: 356 2138 2419
sales@gfi.com

AUSTRALIA AND NEW ZEALAND
83 King William Road, Unley 5061, South Australia
Telephone: 61 8 8273 3000
Fax: 61 8 8273 3099
sales@gfiap.com

For a full list of GFI offices/contact details worldwide, please visit: http://www.gfi.com/contactus

Disclaimer
© 2013 GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners.
The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.
GFI 2280 aug13
