A new chapter at work

Ok, so I dropped off the planet for a few weeks. Shortly after my last blog post, my boss called to congratulate me on a promotion to manager. While not totally unexpected, it was still a shock. Needless to say, since then I have been planning, reading, listening, and sitting in a lot more meetings that I used to.

Out of all the things I could say, I'd like to highly endorse the Manager Tools website and podcasts. These guys not only know what they are doing, but really convey that knowledge in a way that you can put to use immediately.

ArcSight Logger in front or behind ESM?

This is something I pondered on for quite a while. The mystery was not solved, but revealed quite clearly at the recent user conference. There was a breakout session with architects of the various pieces (ESM, Logger, SmartConnectors, etc) and they discussed the variations.

To me it simply boiled down to this: If you want high performance above all else, put Logger in front of ESM. If you being able have all your correlated events properly connected with EventIDs, then put Logger behind ESM.

For most companies, having Logger in front of ESM may well be what the doctor ordered. This will make sure you have the highest performance and best assurance of not losing events if the database or ESM can not keep up.

If anyone else has other thoughts or I got this confused, let me know in the comments!

2008 ArcSight User Conference

ArcSight hosted it’s annual user conference just outside Washington, DC. This year the hotel had a shuttle to the Pentagon City Metro stop which was nice.

The keynote was from the MCI/WorldCom whistleblower, Cynthia Cooper. She tells a great story and really gives you something to think about. It really is amazing to hear about some of the decisions people have to make everyday. I have been lucky not having to deal with anything that heavy, but hope I would make the right decisions if that time ever comes.