Splunk

Saturday, August 11, 2007 5:32:52 PM (Pacific Daylight Time, UTC-07:00)
by Ray Zadjmool

Log management is one thing; making use of the logs is another. A couple of years ago I was doing an investigation for a client on about 4 GB of log files from 3 web servers, a router, and an IDS. After that I was on a mission to find something I could use to aid post-event analysis without overthinking the process for me. While there are a lot of good tools out there that aggregate log files and do correlation, they are not very well suited for post-incident response. The very features that help you do dashboard reporting actually inhibit you when conducting an investigation. Normalization of data is useful if you need reporting and alerting, but an investigator needs to see the data his way, quickly, and untarnished.

That's where Splunk comes in. If you haven't SPLUNKED, then you don't know what you are missing.

The best of the Web 2.0 applications I have ever seen, Splunk is like an Ajax-enabled Google for log files. Powerful, intuitive, and best of all, not patronizing. It leaves you feeling like you have a good multitool that doesn't try to think for you.

Check them out - www.splunk.com

You won't ever look at an investigation the same way again.

- Ray Zadjmool QSA