Skip navigation


4 Posts authored by: brad.hale Employee

Volume-based, index-based, or events per second (EPS) based licensing for Security Information Event Management (SIEM) is simply not in the best interest of the IT organization. Maybe volume-based licensing is good for Splunk, but customers should understand why this type of licensing model is not good for them. 


Volume, indexed, or EPS based licensing models mean that the license size will be determined by a metric that will vary based on network, server and application activity.  Normal activity can generate multiple Gigabytes of log data or tens of thousands of events.  Peak loads can easily increase this volume by a factor of 50.  So should a customer be charged by the average, the peak, or somewhere in between?


Estimating log generation or EPS is both a timely and an inaccurate process.  In order to determine how much log data will be generated you generally need to know Events Per Second (EPS).  By multiplying EPS by the average log size, you can get a rough idea of the amount of log data generated on a daily basis.   To learn more about estimating log generation, you can download this white paper: Estimating Log Generation for Security Information Event Management.


Since it is difficult to estimate EPS and log generation, it is more than likely that you will overestimate the two and you will be paying for something that you are not fully using.  Even worse, if you are an organization that experiences a number of security oriented incidents, you can find yourself exceeding your license limit routinely.  For example, a single DOS attack can result in your firewall logs increasing by over a factor of 1000.


The better licensing model for the IT organization is one that is based on nodes monitored.  A nodes-monitored licensing model is easier to calculate because you simply have to count the number of devices, servers, or applications that you want to monitor.  This model eliminates any risk of your software being shut down due to an unusual log generation peak.  In addition, the nodes model will reduce your overall cost as you pay for exactly what you use, no more, no less.


SolarWinds Log & Event Manager (LEM) is a great, low-cost SIEM solution that offers a node-based licensing model.   LEM collects, correlates, and analyzes log data from thousands of network devices and applications and provides IT pros with the operational and security intelligence they need to manage their infrastructure on a daily basis.


So, if you’re looking for an alternative to Splunk and their flawed licensing model, you can see for yourself how LEM and Splunk compare.

Why would anyone choose a volume-based pricing model over a node-based model for a SIEM solution?

IT users want software that is powerful, easy-to-use and install.  Can anyone argue with statement?  If we can all agree that this is one of the goals of users, then why are there so many solutions in the market that don’t meet this fundamental requirement? Why are so many vendors putting out expensive, hard to use and difficult to install products?

It is my opinion that the core of the problem is that most suppliers sell software, under the auspices of being “powerful” or “flexible” that simply cannot be used “out of the box”. Perhaps they do this because they also sell professional services that provide greater financial gain.  With many suppliers, professional services are needed just to get the software “deployed”, and are couched under the customization umbrella, when in reality it’s building the software out to do what you thought you were buying in the demo.

An example of this hard-to-use problem is illustrated by one of the log management vendors, Splunk.  Based upon a recent review of Splunk it would appear that what you get is plenty of complexity and less out-of-the-box value.  Below are just a few of the direct quotes from this review:

“If you want to make Splunk work, you’ve got to be ready to abandon the slick GUI and dive deep into difficult technical configuration, editing configuration files, writing regular expressions, and taking the time to understand where your data are coming from and how Splunk will see them"

“We got Splunk working very smoothly in our multi-vendor environment, but only after investing serious effort in understanding how Splunk collect and indexes data."

“Overall, getting data into Splunk is much more of your typical open source experience with a confusing maze of pointers, wikis, product tech notes and documentation…"

“The Search manual is 289 pages long, and starts with Splunk's idea of the top search commands you have to learn…there are almost 125 search commands."


Now to be fair, the reviewer had many positive things to say about the product, but these comments above illustrate a core problem.  Just because the product is powerful doesn’t justify the need to make it hard-to-use.  Do they not agree with the customer’s goals of powerful, easy-to-use, and install?

By no means is SolarWinds perfect in this regard. I’m sure you could pick at many things in our products that aren’t the easiest to use, but I will say this, when we know a feature is causing problems in the product we will focus on reworking it so it becomes easier, but I never hear that of other vendors.  Will Splunk shorten the search command list so it’s easier to use?  Will they make it easier so I don’t have to dive into deep technical configuration editing to get value out of the data?  Maybe they will, but most likely like many other vendors those ‘powerful features’ will remain in the product for years to come.

What do you think, are we listening to you and creating better, more powerful, easy to use software?

At the Oracle OpenWorld trade show last October, John Chambers, Cisco’s chief executive, predicted that “video will be the platform for all forms of communication in IT as we go forward."  In addition, they predict that by 2013, 91% of all network traffic will be voice/video streams.

While that is to be expected from the head of a company that has a vested interest in proliferating video delivery, it is also consistent with a survey that we recently ran here at SolarWinds.  In this survey, we found that:

  • 89% of respondents have deployed some level of video service within their network. 
  • Assessment of network readiness to support video traffic is viewed as critical. 
  • 75% of respondents indicated that video monitoring and troubleshooting are either "Important" or a "Must Have" in their network monitoring system

    So, how does video impact your network and how do you go about ensuring both network performance and video quality?  Don’t think for a minute that because you haven’t built-out a Cisco Telepresence or Polycom system that you are not at risk of video significantly impacting the performance of your network.  The real impact likely will come from the use of desktop video.

    Today, desktop video is very inexpensive to deploy. High quality web cams can be purchased for <$100 or they are already integrated into your laptop. Add free software (like Skype) or a package that may be included with another license (like Microsoft Office Communicator) and voilà, you have deployed video conferencing and the next thing you know is that it is going viral.  Heck, I get a video call from my daughter every afternoon when she get’s home from school.

    So, I ask the question again.  What is the impact on your network of all of this video and how do you ensure network performance and quality? I think that we simply don’t yet know the answer.  Every enterprise will be different depending on their use cases and IT infrastructure.  By pro-actively monitoring your network, you can at least understand the current impact of video and plan for future capacity needs.

    Video and network monitoring can be accomplished with advanced hardware appliances that measure and monitor video call data records (CDRs) in real-time to provide information about utilization patterns and demand trends so that you can start to predict capacity needs. Unfortunately, these products tend to be expensive, hard to deploy, and difficult to use.

    Another more cost effective approach is to use network and traffic monitoring software products such as SolarWinds Network Performance Monitor, NetFlow Traffic Analyzer and IP SLA manager.  These products allow you to pro-actively monitor overall network and traffic performance and see detailed statistics such as bandwidth utilization, one-way latency, jitter, loss, and QoS statistics.

    Would love to hear your thoughts.  Are you deploying video on your network?  Are you concerned about the impact?  What are you doing to monitor and manage? What vendors are you using?

    You can go here to learn more about SolarWinds Network Performance Monitor, NetFlow Traffic Analyzer, and IP SLA Manager.  All three have a free fully functional 30-day trial for download.

    For another example of video on your network,  feel free to jump in your way back machine and relive the one-hit wonder that inspired the title of this blog.

    My colleague and I both zeroed in on the “Verizon® 2011 Payment Card Industry Compliance Report: A Study Conducted by the Verizon PCI and RISK Intelligence Teams”, written by the Verizon Wireless PCI and RISK Intelligence Teams (the “Verizon Report”) (PDF link). The Verizon Report reviewed over 100 assessments done in 2010 by Verizon’s Investigative Response group.

    To cut to the chase, the report confirms what we all know, that security is hard.  A very good indicator of security readiness, PCI compliance, is a complex, continuous and evolving process.  The report goes on to state that businesses aren't getting much better at PCI standards year-to-year.

    Highlights of the study include:

    • 79% of businesses assessed initially failed compliance
    • Organizations struggled most with protecting data at rest (Requirement 3); tracking and monitoring (Requirement 10); regularly testing (Requirement 11); and maintaining security policies (Requirement 12)
    • Only 11% of those companies that initially failed compliance actually passed the requirement for monitoring access to network resources (Requirement 10)

    Some of the conclusions of the study are: 

      • Real world demands and fatigue can get in the way of compliance. Specifically, the study says "When faced with the choice of where to place their energies, many people will choose to just get things done rather than worrying about the 'right way' or the 'compliant way'"
      • Compliance is a dynamic process and not a point-in-time event” – it takes effort to maintain compliance as things change 
      • Security and, by extension, compliance, are still considered to be a drag on the economy by most businesses rather than an assumed part of the risk of doing business.” – businesses that saw security as a continuous, valuable process worth investing in were more successful when it came to compliance, too
      • Organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Verizon combined results of the PCIR and the Data Breach Investigation Report (DBIR) to find PCI clients scored better than breach victims by a 50% margin

      This got us wondering… why are so few businesses able to comply with requirements when there are a number of easy to use and affordable solutions available to help?  Are they simply not real pain points that network engineers feel?  Are they not understood? Is proactive compliance viewed as too expensive?  Or, is it that they simply don’t have the time to implement?

      All too often, compliance is something you think of at audit time, when you have to prove that everything is in order. A tremendous amount of time and effort goes into prep work.  With the right systems in place, compliance can be automated, and automating is critical to making it manageable. The key is that compliance becomes integrated into doing business, rather than a sprint you prep for around audit time.

      The study cited “failure or inability to invest in a capable automated tool” along with “not maintaining security procedures to trigger a response to an exception report” as two key issues in this area. SolarWinds offers two very powerful, yet easy-to-use, affordable products that automate many of the processes and reports required to achieve PCI compliance. 

      SolarWinds® Network Configuration Manager (NCM) enables users to ensure that network device configurations comply with both internal and external regulations and standards such as PCI.  NCM’s policy reporter helps automate the policy compliance process by identifying devices with configuration violations and those that could be accessed by unauthorized users, pose a security risk, or do not meet configuration standards. Check out our NCM product page for more information.

      SolarWinds Log & Event Manager (LEM) has been developed to meet security and log management requirements; quickly identify attacks, highlight threats, and uncover policy violations; respond to events and shut down threats immediately with automated actions; and produce the results you need to prove compliance.   For more information on Log & Event Manager, check out our Log & Event Manager site.

      This is the first part of a multi-series blog.  Stay tuned for more information on both SolarWinds Network Configuration Manager and Log & Event Manager and how they specifically address compliance needs.

      Brad Hale, the product marketing manager for SolarWinds network management products, is a 25 year veteran of technology product management, marketing and business development where he has worked across numerous vertical market segments within the software, hardware and systems industries. 

      [ED. NOTE: The post above was co-authored by Nicole Pauls. Nicole is a director of product management at SolarWinds and is primarily responsible for wrangling log and event data into a meaningful IT tool via SolarWinds Log & Event Manager. Product Manager during the week and Ironman triathlete on the weekends, she somehow finds time to comment on industry trends, too. The post also references the copyrighted work, “Verizon® 2011 Payment Card Industry Compliance Report: A Study Conducted by the Verizon PCI and RISK Intelligence Teams," written by the Verizon Wireless PCI and RISK Intelligence Teams (the “Verizon Report”).]

      Filter Blog

      By date: By tag:

      SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.