The Trustwave SIEM appliance (formerly Intellitactics SAFE LP) has a relatively quick and easy initial setup, which includes setting the IP address and uploading a licensing file. There are five sizes of the appliance to choose from. My 1U test unit came with dual processors, dual power supplies, 10GB of RAM, 4TB of RAID5 disk space, and four Ethernet interfaces. It boots with Red Hat Linux 4.2.15. Booting was noticeably slower than competing appliances, often taking five minutes before I could log on to the management console.
The HTTPS management console contains three main tabs (Admin, SAFE, and Favorites) under which all the options are contained. The Admin tab is used to configure the device and log management options. The SAFE section is used to view collected information and to run reports. The Favorites option allows you to quickly access commonly used views, dashboards, and graphics. Every page and option is covered by easily accessible help files, although the help files' explanations of the options could be improved. The interface and documentation still contain some of the Intellitactics branding left over from Trustwave's purchase.
I also encountered a few minor technical issues. For example, a configuration screen indicated that high availability was enabled when it was not. And once or twice, the Trustwave SIEM kicked me out to the main log-on screen without warning.
Trustwave SIEM supports generic syslog, like every competitor, and it comes with hundreds of preconfigured device definitions, known as data adapters, for agentless collection. In most cases, capturing logs is as simple as enabling the particular data adapter and entering one or more related host IP addresses or domain names. Each data adapter you open automatically becomes a new tab for easy reference. Bulk import of hosts is, of course, supported as well.
Trustwave has excellent online instructions for configuring Windows hosts so that the SIEM appliance can monitor and collect their log files, although I did find some of the instructions slightly lacking when it comes to the latest Windows versions. Trustwave also offers a Windows agent that can be used to send logs to the SIEM appliance over syslog.