GFI Software GFI EventsManager 2012
Strengths: Easy-to-use SIEM that can function without agents or complex infrastructure requirements.
Weaknesses: Lacks NetFlow capture and threat correlation analytics.
Verdict: Capable product that nails much of what SIEM is all about.
Summary: GFI Software is one of the smaller vendors in the SIEM market. Size matters less than build quality, however, and GFI has built quality into GFI EventsManager 2012. Although the name may sound like something a wedding planner would use, EventsManager 2012 is aimed squarely at the SIEM market segment.
The product does exactly what its name implies: it manages events. In a SIEM deployment those events can originate from any number of network-attached devices in a typical enterprise, whether servers, PCs, firewalls, appliances and so forth.
GFI EventsManager takes a KISS (keep it simple, stupid) approach to gathering data without sacrificing the robustness of what it collects. Its log and event management capabilities are more than adequate and include an impressive array of filters, classifications and triggers. A notable capability is that the product can work without any Windows agents: it reads native Windows event logs from remote Windows systems without installing a software client on the monitored system. One operational point to plan for follows from that: agentless collection means the EventsManager server authenticates to each monitored host with an account that can read its event logs, so that account and the network path to the hosts need the same protection as any other privileged credential.
Installation is straightforward and, as with most products today, wizard driven. The product is designed to run on a Windows Server-class system but can also run on Windows XP in a pinch. There are prerequisites to meet, such as having .NET installed on the system acting as the server. GFI does an excellent job of documenting those requirements and provides a concise getting-started document that smooths out any installation speed bumps.
EventsManager sports an excellent interface that is both intuitive and loaded with actionable information. The GUI gathers related information and displays it so that relationships between events and devices are easy to see, and it uses color coding to show the priority of alerts. That clean design is more than cosmetic: EventsManager has no threat correlation engine, so the administrator does the correlating, and the interface is what makes that workable. In the big scheme of things the omission matters less than one might expect, because GFI makes manual correlation easy; it does mean, though, that patterns spanning several events are only found when someone is looking for them.
EventsManager offers a robust reporting engine that lets administrators define a multitude of reports with custom parameters, which eases auditing chores and streamlines event discovery. Perhaps the product's biggest strength is its ability to define which events count as critical and then automatically alert administrators when they occur, or even launch scripts to auto-remediate specific problems. Those scripts run unattended on the strength of log content, so they deserve testing and change control before they are switched on in production.
All things considered, GFI EventsManager is very good at what it is designed for: managing events the way a SIEM should. Strong reporting tools and an interactive GUI round out the product, making it one to consider for almost any SIEM project.
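As an added illustration of the filter, classification and trigger model the review describes (this is not GFI's own code or rule syntax, which the review does not show), the following Python sketch runs constructed Windows-style Security-log records through a classification table, fires an alert or script action on single high-priority events, and adds the one kind of rule the product leaves to the administrator: a correlation that flags a successful logon after a burst of failures for the same account. Event IDs, priorities, thresholds and the action policy are assumptions chosen for the example, and the actions are returned as a list rather than executed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One Windows event log record as an agentless collector would read it."""
    host: str
    log: str            # log name, e.g. "Security" or "Application"
    event_id: int
    when: datetime
    account: str = ""   # subject/target account where the event carries one


# Classification table (assumed values for this example): event ID -> (category, priority)
CLASSIFICATION = {
    4625: ("logon_failure", "low"),
    4624: ("logon_success", "info"),
    4720: ("account_created", "medium"),
    4732: ("local_group_member_added", "high"),
    1102: ("audit_log_cleared", "critical"),
}

# Which action a single event of a given priority triggers (assumed policy).
ACTION_FOR_PRIORITY = {"critical": "script", "high": "alert"}


def classify(ev):
    """Map an event to (category, priority); anything not in the table is informational."""
    return CLASSIFICATION.get(ev.event_id, ("unclassified", "info"))


def filter_events(events, logs=("Security",)):
    """Keep only events from the chosen logs that have a classification."""
    return [e for e in events if e.log in logs and e.event_id in CLASSIFICATION]


def correlate_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: a successful logon (4624) preceded by at least `threshold`
    failures (4625) for the same host and account inside `window`."""
    failures = defaultdict(list)   # (host, account) -> failure timestamps
    hits = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.host, ev.account)
        if ev.event_id == 4625:
            failures[key].append(ev.when)
        elif ev.event_id == 4624:
            recent = [t for t in failures[key] if ev.when - t <= window]
            if len(recent) >= threshold:
                hits.append({"host": ev.host, "account": ev.account,
                             "failures": len(recent), "at": ev.when})
            failures[key].clear()   # a success resets the counter for that account
    return hits


def run_pipeline(events):
    """Return the actions the triggers would fire; nothing is executed here."""
    actions = []
    for ev in filter_events(events):
        category, priority = classify(ev)
        action = ACTION_FOR_PRIORITY.get(priority)
        if action:
            actions.append({"action": action, "host": ev.host, "reason": category})
    for hit in correlate_guessing(filter_events(events)):
        actions.append({"action": "script", "host": hit["host"],
                        "reason": f"password_guessing_success:{hit['account']}:{hit['failures']}"})
    return actions


# Constructed sample records (not real logs): six failures then a success for the
# same account on WS01, a cleared audit log on DC01, a group change on WS02,
# a routine logon on WS03 and an Application-log event that the filter drops.
T0 = datetime(2012, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [Event("WS01", "Security", 4625, T0 + timedelta(seconds=20 * i), "jdoe") for i in range(6)]
    + [Event("WS01", "Security", 4624, T0 + timedelta(seconds=140), "jdoe"),
       Event("DC01", "Security", 1102, T0 + timedelta(minutes=3), "admin"),
       Event("WS02", "Security", 4732, T0 + timedelta(minutes=4), "svc_backup"),
       Event("WS03", "Security", 4624, T0 + timedelta(minutes=5), "asmith"),
       Event("WS03", "Application", 1000, T0 + timedelta(minutes=6))]
)

if __name__ == "__main__":
    for action in run_pipeline(SAMPLE_EVENTS):
        print(action)
```

On the sample data the pipeline yields three actions: a script for the cleared audit log on DC01, an alert for the group change on WS02, and a script for the guessed password on WS01; the routine logon and the Application-log event produce nothing. Keeping the correlation rule separate from the per-event triggers mirrors the review's point that single-event alerting is what the product automates and cross-event reasoning is left to the operator.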