Showing results for 
Search instead for 
Did you mean: 
Create Post

LEM v. Splunk

Level 9

I’ve been at SolarWinds almost 4 weeks now and I’ve been sitting in on a lot of prospect sales calls, to get a feel for SolarWinds Log & Event Manager (LEM) customers and their use cases for SIEM and Log Management.  A surprising number already have Splunk, but it does not appear to be satisfying them.

LEM, like most SIEMs, does not prevent someone from breaking in to your IT house.  LEM will bite intruders pretty hard if you tell it to....


Upon installation, Splunk is like starting with a blank spreadsheet

Splunk provides a 367 page search manual of syntax descriptions and usage examples.  Contrast this with LEM, which uses a drag-and-drop interface and is highly visual for administrators and security professionals.  It employs visual search tools such as word clouds, tree maps, bubble charts and histograms, all available without additional work.

In addition, LEM comes with over 700 rules, filters and reports to provide security and compliance best practices.  While “security-in-a-box” might be the panacea that isn’t here yet, LEM is moving fast in that direction.

Splunk doesn’t do In-Memory Correlation 

With Splunk, you need to wait until data has been indexed and written to the database prior to any analysis.  LEM performs in-memory event correlation allowing you to analyze millions of events across your infrastructure in real-time.  This is important when you not only want to use log files for forensics and compliance, but you also want to provide automated responses to anomalous behavior the SIEM detects.

Splunk doesn’t provide automated responses

Splunk requires that the user manually respond to actions and incidents.  LEM includes a library of built-in active responses that allow it to automatically respond to anomalous behavior and security incidents.  For example, upon seeing multiple attempted failed logins from multiple IP addresses, LEM can disable the account.

The capability to take proactive measures to improve security without human involvement is critical, as many customers do not have legions of security professionals on staff. If an incident occurs in the middle of the night, most customers would prefer the software to take immediate action. In addition, the definition of an incident is easily customized, as is the automated response to take with LEM.

Splunk doesn’t defend against USB abuse

LEM protects against end-point data loss and the introduction of malware with a built-in USB defender technology that tracks unauthorized USB activity and can take immediate action.  A typical use case is that if a USB is inserted into a sensitive group of endpoints, LEM will disable the USB, preventing both data loss and the introduction of malicious code.  Based upon my initial research, it appears that Splunk does not offer this feature.

Splunk may require additional installation assistance

Splunk offers “Splunk Professional Services” to deliver deployment and advisory services, which may be required based upon your configuration needs.  SolarWinds takes a different approach, allowing customers to be up and running quickly using a virtual appliance deployment model, easy-to-use web based console and intuitive interface.  Almost all LEM customers do a free 30 day trial prior to purchase and find out quickly that it truly is easy to deploy themselves, rather than going back to management and asking for professional services dollars to get going.

Now, just to focus on cool LEM features

LEM provides log collection, storage, analysis, real-time correlation and automated responses.  LEM is not a spreadsheet approach to SIEM.

Key differentiators:

  • LEM automatically indexes data from security appliances, firewalls, intrusion detection systems, servers and apps and normalizes log data into common formats to help identify problems.
  • LEM also provides 300+ audit-proven report templates and a console that enables you to customize reports for your organization’s specific needs.  Great management reporting can make the difference between a successful implementation and one that is perceived as a failure.  If you happen to have a manager who loves status updates, you will appreciate the automated reporting capabilities in LEM.
  • LEM enables organizations to proactively defend and mitigate security threats with continuous real-time intrusion detection from multiple domains and systems.  LEM enables you to analyze millions of events across you infrastructure with real-time, in memory, non-linear, cross-domain and multi-dimensional correlation.
  • In terms of log file storage, LEM stores log data in a high-compression data store. The user is not troubled with maintenance and administration, and retention requirements are easy to specify.

More on LEM v. Splunk


Level 7

>Upon installation, Splunk is like starting with a blank spreadsheet

Not really. Splunk has over 350 Apps at their splunkbase Download Apps, Ask Questions + Get Support | Splunk Community

Product Manager
Product Manager

That's true - but it is up to you to install the apps and make sure that disparate event types from different apps (say Windows and Linux) either match up or you're searching across all of them. It's just a different approach to the problem that might require a little more knowledge about what you're looking for, or a little more training of the system. Essentially, normalization is like having all of those apps pre-installed and categorizing events across apps for like devices/events, though sometimes you do need to peel back the onion to look at a single device and all of the interesting stuff just associated with it.

In the end, it depends on your approach to the problem, where you'd like to spend your time, and where you need the flexibility.

Level 9

Nice perspective on Sasha's comment, Nicole.  One thing to add: Splunk no longer appears to be positioning its offering as an SIEM.  Go to their website and search for SIEM.... They seem to be refocusing on Big Data.  I'm curious what Sasha's thought are about our comments.   The best thing about community is we can learn from our customers!

Level 7

Search for SIEM Search | Splunk returned 180 entries in And over 1000 hits in their blogs.

Level 9

Hear you, but if you go to the Splunk website, as of a half hour ago, when I searched on SIEM I got no hits.  Google has a long memory, maybe?  Maybe longer memory than current Splunk strategy?

Level 9

Oh wait, I see what you're saying...  weird that the default was "documentation" on the search, leading the casual observer to think they have no "documentation" relating to SIEM.  Most software companies I've known include information under "documentation", if they are committed to the space. 

Level 15

Thanks for the posting!