When Is a Log and Event System Like a Cathedral?

Measure twice cut once....it's all in the design and build out.  There will always be changes and needs to tweak and "Re-design" aspects of it. 

When a cathedral is being built over the course of several centuries, the building's requirements are likely to change.  Additions and adjustments are being made even while the building is still under construction from the original design.  I think this is the same way a log and event system works.  Requirements are added over the course of the system's lifespan in such a way that the system is completely different from what it was originally intended to be.  Flexibility is so important, especially as security or monitoring requirements change, and a logging / event system can only be as good as its ability to adapt. 

A little while back, there was a discussion about firewall rules and the need to monitor, audit, or update occasionally. I think the same applies here. Yes, things change and updates are needed. Our industry as a whole is in continual change, adapting to the needs of the customer, so why is so far fetched to think we would need to adapt our individual networks and systems?

I don't think you can look at log correlation and event management systems, or network / infrastructure management systems in terms of complete/incomplete ever. So the answer to "when are they like a cathedral" would be never.

I think really the only way to look at these systems are in terms of up-to-date vs. Not up-to-date and effective vs. ineffective. And both of those measurement concepts are completely relative and open to interpretation. What I consider effective may be considered completely useless by someone else, it really depends on what I mean to accomplish with the system and whether or not I'm accomplishing it.

Great blog entry!

I have to agree with Aforsythe.  I think one of the large problems with log and event management systems is unrealistic expectations and/or bad project management.  To quote Stephen Covey "you need to begin with the end in mind".  Basic project management means creating a project scope with reasonable expectations and goals.  Then select a log and event management system that can meet those goals; once they are met the project is complete and successful.  As requirements in the future change you can make the necessary changes to the system to meet those needs.  Like any system a log and event management system will require some care and feeding and that should be expected but that isn't the same as a project that is never completed.

I believe that Acy Forsythe summed it up nicely in his reply, you have to rely on your own interpretation in order be satisfied with your results.

We recently installed Splunk to manage all our logs and events for the enterprise. It took almost six months to get to a point where we could start using it for some deeper levels of analysis and operational intelligence by combining various machine data  and logs. It is a continuous process to keep this system valid because of the constant changes in the infrastructure and can never claim that is task is over.

Monitoring is never a "set it and forget it" type of thing, logs are definitely no exception. It's cool to have all (some, most) of your data in one place, but even after you get past the first "now what?" there's a constant "oh, I wish I would have automated that" and "oh, a new log source" and "oh, new devices" that you are always building, building, building.

So I guess after you build that cathedral, you have to keep up with repairs, remodel the interior, and handle the constant influx of new people.

I think alot of things in IT designs that are like that.  They always need tweaked, checked upon, etc.  There are not very many "set it and forget it" processes in IT.  Great post.  Definitely makes you think.

That just goes to show that if you don't put the necessary effort into the planning stages, your project will fall apart before it's even begun

"Organizations don't have the money of an Italian Renaissance prince and can ill afford to pay heaps of cash into something that simply fades away into the dust of time."

I don't know about you, but I see organizations do this all the time.