Strengths: Feature-rich SIEM, does not require a database licence, helping scalability
Weaknesses: Depth of features will take some time to get used to. Not designed specifically for forensic use
Verdict: Solid product with useful features, good value for money
EventTracker is a robust security information and event management (SIEM) tool with a lot of features. It has extensive event tracking, with the ability to report on these events. Prism Microsystems has successfully incorporated real-time analysis into one product, which sets it apart from other SIEM tools. Although not explicitly a forensic tool, it has a lot of functionality that is very useful in a network forensic environment.
Setup was straightforward. Post-installation, it was merely a matter of configuring the agents and pushing them to systems on the network. It ships with a substantial number of pre-defined rules, requiring minimal configuration by the user, and has an easy-to-navigate control panel. While it does provide a number of useful features, it will take some getting used to.
EventTracker has many capabilities that make it an excellent performer. It can monitor and manage events from Windows (Vista/XP/2003/2K/NT), syslog and syslog-ng, Solaris BSM, z/OS, SNMP and flat-file logs. Generating reports based on selectable criteria is both easy and effective. Disk space is used efficiently, as log data is compressed and stored in a secure (SHA1-hashed) format.
Documentation is solid. There are multiple guides covering a variety of topics, including installation guides, user guides, upgrade guides and release notes. The installation guide provides a step-by-step walkthrough with many helpful screenshots.
Prism has an in-depth support system. It features a FAQ page, an online help page, extensive product documentation and guidance on feature usage. In addition, Prism Microsystems provides a series of video-based training tutorials, which help users further their proficiency with the product. Email and phone support are also offered.
With the first year of support included in the licence fee and a typical 50-server setup costing approximately £14,000, the price is not unreasonable by any means. EventTracker is loaded with useful features, but it takes some getting used to. However, once you are familiar with its way of working, we see this as an excellent forensics and incident analysis tool.