Comparison: LogSentinel vs Splunk vs Loggly, etc.

Logs – every system has them, but companies don’t usually pay much attention to them. At least not until a problem occurs. Log aggregation solutions come in handy in many scenarios – tracing production issues, alerting on service degradation, fixing bugs, forensics, fraud detection.

We’ve argued, however, that logs have a dual nature – on the one hand they contain data about the functioning of the system, data that’s useful for developers to diagnose and fix issues. On the other hand, they are effectively an audit trail of everything that has happened.

Log collection vendors may tell you that you can use the same product for both of these natures of logs. But that has many issues:

  • Differentiating events with business meaning from system/application logs. It’s hard for an auditor or a business person to look through logs where 80% of the data is “we’ve initialized service X”, “exception in service Y”, “database connection pools size is approaching the configured limit”, and so on, and only 20% is related to business events – “who did what”.
  • Investigating behavior – application logs make it hard to drill down into the behaviour of a particular user, role or department.
  • Security – typical logs lack any additional security, i.e. anyone with admin access can modify them, back-date them or delete them without being detected.
  • Compliance – simply having logs is not compliant with standards and laws like ISO 27001, PCI-DSS, HIPAA, PSD2, as we’ve previously argued.

Below you can find a feature comparison between LogSentinel and major log collection vendors, as well as vendors of “integrity guarantee” and compliance packages. Obviously, when making the comparison, there are many dimensions to select from, but we do believe that the ones shown here are the most important when it comes to audit logs, security and compliance.

Certainly a simple table cannot represent all the complexity on the market. For example, log collection solutions claim to be PCI-DSS, ISO 27001 and HIPAA compliant, and many certification bodies do consider that okay. In our interpretation of the standards, that’s wrong and gives companies a false sense of security – that’s why the table has yellow color for these rows.

Furthermore, products like GuardTime and Tierion aren’t necessarily audit log solutions – they can be used as such, but they are more focused on the integrity aspect, which means they lack the analytical features (they don’t usually care about the content of the logs, as long as their integrity is guaranteed).

And finally, the products listed below are not mutually exclusive. The feature comparison below is based on the “secure audit trail” use case, but log collection has a wider scope. As mentioned above, you always have applications and system logs and they are distinct from the audit logs. You can have your log collector deployment and only forward a subset of these logs to LogSentinel, thus getting the best of both worlds – secure and compliant audit trail and rich analytical capabilities for logs.

Real information security is rarely about installing a product, and almost never about the warm feeling that “fact sheets” generate, claiming compliance and endless possibilities. Information security is about a set of measures and tools, properly applied to the problem at hand. And when it comes to audit logs, we believe LogSentinel is the best tool for the job.

| Feature | LogSentinel | Loggly | Splunk | | Oracle Audit Vault | Tierion | GuardTime |
|---|---|---|---|---|---|---|---|
| SaaS | Yes | Yes | Yes | Yes | No | Yes | Yes |
| On-premise | Yes | No | Yes | No | Yes | No | Yes |
| Tamper-evident logs | Yes | No | No | No | No | Yes | Yes |
| Timestamp (RFC 3161) | Yes | No | No | No | No | No | Yes |
| Signing | Yes | No | No | No | No | No | Yes |
| Searchable encryption | Yes | No | No | No | No | No | No |
| Easy integration | Yes | Yes | Yes | Yes | Oracle products | No | No |
| Fraud detection | Yes | Yes | Yes | Yes | Yes | No | No |
| Rich dashboard | Yes | Yes | Yes | Yes | No | No | No |
| Alerts | Yes | Yes | Yes | Yes | Yes | No | No |
| Long retention period | Yes | Archiving | Archiving | Archiving | Yes | Yes | Yes |
| Custom log parsing | Limited | Yes | Yes | Yes | No | No | No |
| Rich data analysis | Custom queries | Yes | Yes | Yes | Custom queries | No | No |
| ISO 27001 compliant | Yes | Claimed | Claimed | Claimed | Claimed | Yes | Yes |
| PCI-DSS compliant | Yes | Claimed | Claimed | Claimed | Claimed | Yes | Yes |
| HIPAA compliant | Yes | Claimed | Claimed | Claimed | Claimed | Yes | Yes |
| PSD2 compliant | Yes | Assumed | Assumed | Assumed | Assumed | Yes | Yes |