I absolutely love LEM and the capabilities it has. As a service provider, LEM is one of the products we use to offer Log and Event Management services to help support our customers. LEM provides a quick ROI, shows extremely well in front of customers, and works extremely well for our customers that have regulatory compliance needs. The problem I run into is using LEM as a solution for Log & Event Management in a non-regulatory-compliant environment where the customer is more focused on operational management and diagnostics; this is where Splunk overshadows LEM.
Make no mistake about it, I much prefer LEM over Splunk. For all of the things that LEM does, I think it does most of them better than Splunk; the problem is the things that Splunk does that LEM doesn't. Splunk has a more scalable architecture and has no limit on what logs it can consume and process for operational management and diagnostics. When I have to tell customers that I am limited on what logs I can consume with LEM and the logs that are important to them are not supported, Splunk enters the conversation. I fully believe that with focus on a few key areas LEM could easily outshine Splunk, or at least step out of its shadow and make a showing in Gartner's Leaders quadrant.
LEM already does a great job in the security and regulatory compliance realm; focus on expanding FIM to include Linux and Networking and it will dominate on that front.
For operational management and diagnostic implementations we have a bit of work to do so I can keep Splunk out of the conversation...
- Make it so that LEM can consume any type of log, no matter what!
  - This doesn't necessarily need to do the normalization that is provided by the connectors; just get those logs into LEM and make them searchable and reportable.
  - If our user base is large enough, having a studio where customers can build their own connectors could really help as well; your user and community base will help if you provide them the means.
- Create a more scalable architecture that allows me to drop collectors into DMZs as an aggregation point that then sends its logs back to the master.
  - This helps with secure distributed environments and/or multi-site deployments.
- Anomaly Detection!
  - This is certainly less important than the two items above; however, this would provide a huge value not only in the security realm but also in the operational realm.
Thanks for reading and I look forward to any and all feedback you may have!