You can have both and configure Log Insight to forward events to Q-Radar; see some reasons: 12 Reasons Why You Should Use The Log Insight Forwarder - VMware Cloud Management - VMware Blogs
Senior Infrastructure Specialist
Q-Radar is a SIEM and primarily meant for security analysis. Log Insight is a general-purpose log analytics platform for troubleshooting and root cause analysis. In general, Log Insight is easier to use, meaning that anyone at your company can consume the events without needing to have proprietary knowledge on how to use or configure the logging platform. Generally, Log Insight is used as the aggregator of all logs within the environment -- as you need a central place in order to correlate -- and then event forwarding is configured on LI to send just the security logs to the SIEM. I hope this helps!
We do have both, but the question I had was can a user see the same info via the Q-Radar interface as the LogInsight?
Thanks, but aside from it being easier, do they essentially provide the same service? If I have the devices forward the logs to Q-Radar, would that give me the same ability to troubleshoot as Insight?
They are not the same thing. QRadar targets SIEM events -- the features are SIEM focused. LI targets troubleshooting and RCA -- the features are focused on this. You can technically do troubleshooting and RCA in QRadar and SIEM in LI, but that is not what they are designed for. Feature-wise, each product is different. For example, LI has built-in machine learning to do event summarization, schema discovery, and event trending. LI also has rich agent collection including parsers + server-side agent configuration. So in short: yes, they are similar; no, they are not the same. In my experience most people have a central collection and analysis tool (LI) and a separate SIEM tool (QRadar). I hope this helps!
The question should not be whether it is possible to see the same info as in Log Insight, because the answer would always be "yes" - it is the same data you are basing your facts on. But it's like asking if you can see the same if you build your own log solution: sure you can, but it is a hell of a job to replicate Log Insight or a SIEM solution.
So to answer you, we need to know your use case, and usually the team using a SIEM solution isn't the same as the one using a syslog solution, be it Log Insight or not. SIEM is security's domain and Log Insight is for day-to-day operations.
The force of Log Insight is the ease of use and the content packs, which provide actual information about events/incidents that operational teams need in order to secure proper operation of the datacenter, and it doesn't require a team to keep it running. It can be used for some of the operations that SIEM solutions do, but not in the same way. The SIEM solutions are the opposite: hard to use, and they require maintenance in order to answer your questions and a team to keep them running.
The use cases are just not comparable.