Volume-based, index-based, or events per second (EPS) based licensing for Security Information Event Management (SIEM) is simply not in the best interest of the IT organization. Maybe volume-based licensing is good for Splunk, but customers should understand why this type of licensing model is not good for them.
Volume, indexed, or EPS based licensing models mean that the license size will be determined by a metric that will vary based on network, server and application activity. Normal activity can generate multiple Gigabytes of log data or tens of thousands of events. Peak loads can easily increase this volume by a factor of 50. So should a customer be charged by the average, the peak, or somewhere in between?
Estimating log generation or EPS is both a timely and an inaccurate process. In order to determine how much log data will be generated you generally need to know Events Per Second (EPS). By multiplying EPS by the average log size, you can get a rough idea of the amount of log data generated on a daily basis. To learn more about estimating log generation, you can download this white paper: Estimating Log Generation for Security Information Event Management.
Since it is difficult to estimate EPS and log generation, it is more than likely that you will overestimate the two and you will be paying for something that you are not fully using. Even worse, if you are an organization that experiences a number of security oriented incidents, you can find yourself exceeding your license limit routinely. For example, a single DOS attack can result in your firewall logs increasing by over a factor of 1000.
The better licensing model for the IT organization is one that is based on nodes monitored. A nodes-monitored licensing model is easier to calculate because you simply have to count the number of devices, servers, or applications that you want to monitor. This model eliminates any risk of your software being shut down due to an unusual log generation peak. In addition, the nodes model will reduce your overall cost as you pay for exactly what you use, no more, no less.
SolarWinds Log & Event Manager (LEM) is a great, low-cost SIEM solution that offers a node-based licensing model. LEM collects, correlates, and analyzes log data from thousands of network devices and applications and provides IT pros with the operational and security intelligence they need to manage their infrastructure on a daily basis.
So, if you’re looking for an alternative to Splunk and their flawed licensing model, you can see for yourself how LEM and Splunk compare.
Why would anyone choose a volume-based pricing model over a node-based model for a SIEM solution?