From my experience with LEM/SEM, unless you have a small organization, SolarWinds is right: LEM/SEM is not the tool for what you want to do. Once you are getting above about 1.2 million events every 10 min, SEM begins to have performance issues, and it's even worse if you start building filters with all events. In most medium-size businesses, if you're logging handshakes, connection builds and teardowns, etc., plus all of the other logs that are normally sent or retrieved from other tools, you will easily go over a million events every 10 minutes. We work with our engineers to strictly enforce sending only security/audit logging to SEM to try to keep events under 1.5 million every 10 min. Performance doing searches, and even just running Flash, is pretty sketchy at best. Your mileage may differ, but that's been my experience.