6 Replies Latest reply on May 5, 2016 1:00 PM by MichaelRyom

    Does Log Insight do anything above and beyond IBM Q-Radar

    cwg306 Lurker

      So we currently have both VMware Log Insight and Q-Radar, what I'm trying to figure out is if there is any added value to deploying both products. I know Q-Radar does log algorithms and system analysis. My main question is are we just duplicating? I'm sure there are small differences, but from a high-level overview can an administrator use Q-Radar to see the same info as Log Insight?

        • 1. Re: Does Log Insight do anything above and beyond IBM Q-Radar
          Richardson Porto Champion
          User Moderators, Community Warriors

          You can have both and configure Log Insight to forward events to Q-Radar, see some reasons: 12 Reasons Why You Should Use The Log Insight Forwarder - VMware Cloud Management - VMware Blogs

          ---

          Richardson Porto
          Senior Infrastructure Specialist
          LinkedIn: http://linkedin.com/in/richardsonporto
          • 2. Re: Does Log Insight do anything above and beyond IBM Q-Radar
            sflanders Master
            VMware Employees, vExpert

            Q-Radar is a SIEM and primarily meant for security analysis. Log Insight is a general purpose log analytics platform for troubleshooting and root cause analysis. In general, Log Insight is easier to use, meaning that anyone at your company can consume the events without needing to have proprietary knowledge on how to use or configure the logging platform. Generally, Log Insight is used as the aggregator of all logs within the environment -- as you need a central place in order to correlate -- and then event forwarding is configured on LI to send just the security logs to the SIEM. I hope this helps!

            • 3. Re: Does Log Insight do anything above and beyond IBM Q-Radar
              cwg306 Lurker

              We do have both, but the question I had was can a user see the same info via the Q-Radar interface as the Log Insight one?

              • 4. Re: Does Log Insight do anything above and beyond IBM Q-Radar
                cwg306 Lurker

                Thanks, but aside from it being easier do they essentially provide the same service?  If I have the devices forward the logs to Q-Radar, would that give me the same ability to troubleshoot as Insight?

                • 5. Re: Does Log Insight do anything above and beyond IBM Q-Radar
                  sflanders Master
                  vExpert, VMware Employees

                  They are not the same thing. QRadar targets SIEM events -- the features are SIEM focused. LI targets troubleshooting and RCA -- the features are focused on this. You can technically do troubleshooting and RCA in QRadar and SIEM in LI, but that is not what they are designed for. Feature-wise each product is different. For example, LI has built-in machine learning to do event summarization, schema discovery, and event trending. LI also has rich agent collection including parsers + server-side agent configuration. So in short, yes they are similar, no they are not the same; in my experience most people have a central collection and analysis tool (LI) and a separate SIEM tool (QRadar). I hope this helps!

                  • 6. Re: Does Log Insight do anything above and beyond IBM Q-Radar
                    MichaelRyom Hot Shot
                    vExpert

                    The question should not be if it is possible to see the same info as Log Insight. Because the answer would always be "yes" - it's the same data you are basing your facts on. But it's like asking if you can see the same if you build your own log solution: sure you can, but it's a hell of a job to replicate Log Insight or a SIEM solution.


                    So to answer you, we need to know your use case, and usually the team using a SIEM solution isn't the same as the one using a syslog solution, be it Log Insight or not. SIEM is security's domain and Log Insight is for day-to-day operations.


                    The force of Log Insight is the ease of use, the content packs which provide actual information about events/incidents that operational teams need in order to secure proper operation of the datacenter, and it doesn't require a team to keep it running. It can be used for some of the operations that SIEM solutions do, but not in the same way. The SIEM solutions are the opposite: hard to use, require maintenance in order to answer your questions and a team to keep it running.


                    The use cases are just not comparable.