Copyright © 1996-2012 BalaBit IT Security Ltd.
March 27, 2012
Abstract
Return of Investment calculator for syslog-ng PE and syslog-ng OSE
Table of Contents
The syslog-ng ROI calculator compares the TCO of syslog-ng Premium Edition (PE) and syslog-ng Open Source Edition (OSE):
-
Calculates the long-term costs of maintaining a logging infrastructure based on syslog-ng OSE. It estimates the man-days costs of:
initial and periodical code compiling
installation of the compiled packages
upgrading to new versions.
-
Shows the approximate license fee of an appropriate syslog-ng PE-based solution, including:
initial installation
upgrading to new versions
support fees of the BaseSU support package.
-
Aggregates the total costs for the selected platforms and the other log source hosts for each year, for a three-year period. The costs of a year are added to the costs of the previous year to calculate the TCO of the product.
The total man-day cost estimates include not only the fee of the employee, but also the related indirect costs, like rent for office space and other additional costs. You can adjust the man-day costs in the calculator using a slider.
The exact details of the model behind the ROI calculator may not always be appropriate for your organization or environment. We envisioned the following:
Logging is not only important, but essential for your organization, and you consider it as a part of your core network infrastructure. Maybe because you need to satisfy internal policies, compliance requirements, or your production systems and servers are business-critical and you want to ensure that you can swiftly troubleshoot problems to minimize downtime. Whatever the cause, you need to have reliable logging that are available when needed and you have to trust their contents.
Your organization has a heterogeneous network, meaning that it runs a wide range of UNIX/Linux platforms: several different operating systems running on different hardware architectures. Maybe even different versions of the same operating system.
-
You install syslog-ng on every client possible. This has the following benefits:
Simplifies the maintenance and configuration of your logging infrastructure by reducing the number of tools and configuration formats you have to know and support in-house. Therefore, it is also important that you can install the same version of syslog-ng on every supported platform.
Improves the reliability of your system logging infrastructure, because the syslog-ng application is stable, reliable, and minimizes the risk of losing messages.
Allows you to securely collect logs using TLS encryption and certificate-based mutual authentication from every platform.
-
You want to keep your logging infrastructure up-to-date. Many operating system vendors provide support for the logging tool that is installed by their operating system. But note the following:
This support is usually limited to the specific version of the logging tool that is installed by default.
These operating systems usually include only a legacy version of the tool, that can easily miss several features required to maintain a secure logging infrastructure.
Different versions of the operating system often contain different versions of the logging tool, making it difficult to maintain a consistent logging infrastructure.
In contrast, BalaBit provides vendor support for several years for the long-term supported (LTS) versions of syslog-ng Premium Edition, for every supported platform.
The calculator works with the following model for syslog-ng Open Source Edition and syslog-ng Premium Edition.
![[Note]](./note.png) |
Note |
|---|---|
This model is only an estimate of the real-life tasks and costs, it does not and cannot cover every aspect of building and deploying syslog-ng software packages. Therefore, the time and cost requirements in your environment may differ from the ones used in this model. For details about the reasons and assumptions for this model, see Section 1.1, The scenario. |
For calculating the TCO of syslog-ng Open Source Edition, the basis of the calculations is one engineer day, that is, the cost of having someone skilled in compiling and deploying packages and their dependencies for Linux and UNIX. The following tasks are considered:
For the first year:
Creating a build-environment for syslog-ng OSE
Compiling syslog-ng OSE and its dependencies from the source code
Deploying the compiled packages on the client machines (estimated to take half the time of the binary compilation)
Recompiling syslog-ng OSE to include new fixes and patches accumulated during the year (estimated to take half the time of the initial compilation)
Deploying the updated packages on the client machines
For the second and third years:
Recompiling syslog-ng OSE to include new fixes and patches accumulated during the year
Deploying the updated packages on the client machines
For the second and third years, two recompilations are estimated.
The recompilation and the deployment of new packages is estimated to take half the time of the binary compilation. Therefore, in case of a Linux platform and 1-5 servers, the cost will be calculated as follows: initial binary compilation + recompilation = 2+1 = 3 days. This calculation is applied to each selected operating system and is summed up as the annual cost. For the second and third years, two recompilations are estimated.
According to the above model, the estimated costs of the initial binary compilation and deployment on Linux platforms are as follows.
| Number of syslog-ng clients | Initial compiling on Linux [days] | Deployment [days] | Total effort [days] |
|---|---|---|---|
| 1-25 | 2 | 2 | 4 |
| 25-50 | 2 | 3 | 5 |
| 50-100 | 2 | 4,5 | 6,5 |
| 100-150 | 2 | 6 | 8 |
| 150-200 | 2 | 8 | 10 |
| 200-250 | 2 | 9 | 11 |
| 250-300 | 2 | 11 | 13 |
| 300-500 | 2 | 12 | 14 |
| 500-750 | 2 | 14 | 16 |
| 750-1000 | 2 | 16 | 18 |
| 1000-2000 | 2 | 18 | 20 |
| 2000-3000 | 2 | 22 | 24 |
| 3000+ | 2 | 25 | 27 |
Table 1. Compiling and deployment estimates of syslog-ng OSE for Linux operating systems
For UNIX operating systems (for example, Solaris or IBM AIX) it is considerably more difficult to compile syslog-ng OSE, because these operating systems are generally more restrictive. Also, it requires considerable effort to create and maintain a build-environment that can compile recent applications, like the current version of syslog-ng OSE and its dependencies. Therefore, compiling on UNIX is estimated to take three times the effort of compiling on Linux. If compiling for 100+ hosts, this multiplier is decreased to 1,5 to account for the fact that most of the problems related to compiling and deployment will surface on the first few dozen of clients.
According to the above model, the estimated costs of the initial binary compilation and deployment on UNIX platforms are as follows.
| Number of syslog-ng clients | Initial compiling on UNIX [days] | Deployment [days] | Total effort [days] |
|---|---|---|---|
| 1-25 | 6 | 6 | 12 |
| 25-50 | 6 | 9 | 15 |
| 50-100 | 6 | 13,5 | 19,5 |
| 100-150 | 6 | 15,75 | 21,75 |
| 150-200 | 6 | 18,75 | 24,75 |
| 200-250 | 6 | 20.25 | 26.25 |
| 250-300 | 6 | 23.25 | 29.25 |
| 300-500 | 6 | 24.75 | 30.75 |
| 500-750 | 6 | 27.75 | 33.75 |
| 750-1000 | 6 | 30.75 | 36.75 |
| 1000-2000 | 6 | 33.75 | 39.75 |
| 2000-3000 | 6 | 39.75 | 45.75 |
| 3000+ | 6 | 44.25 | 50.25 |
Table 2. Compiling and deployment estimates of syslog-ng OSE for UNIX operating systems
When compiling syslog-ng OSE to multiple Linux or UNIX platforms, it is assumed that the time needed to compile and deploy syslog-ng gradually decreases for the second and third platforms, as the special quirks of a version become more familiar. To consider this learning curve, the calculator decreases the required effort by 10 percent for every platform after the first platform, up to the maximum of 50 percent for the sixth platform. This is calculated separately for Linux and UNIX platforms, because according to our experiences, Linux and UNIX platforms differ significantly from the build-environment point of view.
Calculations for the TCO of syslog-ng Premium Edition (PE) include the license price of syslog-ng Premium Edition for the selected number of clients, and the annual price of the BaseSU vendor support package. Note the following assumptions:
The price of syslog-ng Premium Edition depends on the total number of syslog clients that send logs to the central syslog-ng server, not only on the syslog-ng clients. You can list the devices that do not run syslog-ng but send logs to the central server in the field.
The pre-compiled binaries of syslog-ng Premium Edition are thoroughly tested and are prepared to handle a wide range of installation and upgrading scenarios, for example, silent installation. Therefore it is assumed that their deployment is faster and takes only one-tenth of the time required to deploy OSE packages.
The license cost is calculated for a single syslog-ng Premium Edition (PE) server that receives the log messages of every client. (A separate license is needed for every syslog-ng PE server. Its price depends on the number of clients sending logs to the server.)
The following tasks are considered:
For the first year:
Deploying the pre-compiled binary packages on the client machines
Deploying updated packages on the client machines when a new maintenance version is released
For the second and third years:
Deploying updated packages on the client machines when a new major or maintenance version is released
For the second and third years, two update deployments are estimated.
For the first year, the license price and BaseSU support package is as follows (all prices are in USD and subject to change without further notice):
| Total number of syslog clients | License and support price [USD] | Deployment [days] |
|---|---|---|
| 1-25 | $3210 | 0.2 |
| 25-50 | $4540 | 0.3 |
| 50-100 | $8160 | 0.45 |
| 100-150 | $11010 | 0.6 |
| 150-200 | $13210 | 0.8 |
| 200-250 | $14850 | 0.9 |
| 250-300 | $16040 | 1.1 |
| 300-500 | $21390 | 1.2 |
| 500-750 | $25670 | 1.4 |
| 750-1000 | $27380 | 1.6 |
| 1000-2000 | $31310 | 1.8 |
| 2000-3000 | $34950 | 2.2 |
| 3000+ | $39310 | 2.5 |
Table 3. TCO of syslog-ng Premium Edition, including the license price and the annual BaseSU support package
These prices include the binaries and vendor support for every supported platform. The syslog-ng Premium Edition application is currently supported on over 40 platforms, including recent and legacy Linux- and Unix-variants, BSD, HP-UX, IBM AIX, Microsoft Windows XP, Server 2003, Vista, Server 2008, Windows 7, Sun Solaris, and Tru64. Read the complete list of supported platforms. For the second and third years, only the annual support package costs are calculated.
|
Note |
|---|---|
Starting with February 13, 2012, using the multithreading option of for increased performance on hardware that has four or more CPUs/cores requires a separate license option. This license option is available as an add-on for the unlimited license (3000+ client hosts). The ROI calculator does not calculate this license option, the calculations are based on the number of syslog clients. |
The syslog-ng Open Source Edition (syslog-ng OSE) application is the most popular and widespread alternative system logging application used in the world, having replaced syslogd on tens of thousands of systems. It has several features surpassing syslogd, including reliable message transferring using the TCP protocol, transfer messages securely using TLS, the ability to send log messages directly to an SQL database like MySQL or PostgreSQL, and the possibility to control the flow of messages to handle minor server outages. But only syslog-ng PE has the more advanced features of buffering the messages on the hard disk, storing messages in encrypted log files, reading messages from arbitrary files, and support for Microsoft Windows and IBM System i operating systems.
The following tables offer a brief summary over the various advantages of using syslog-ng Premium Edition (PE) over syslog-ng Open Source Edition (OSE).
| syslog-ng Open Source Edition | syslog-ng Premium Edition | |
|---|---|---|
| Support | Requires in-house UNIX and syslog-ng specialist to prepare packages to be deployed throughout the enterprise. | BalaBit vendor support up to 7/24 and guaranteed SLAs. Generic in-house operational expertise is enough. |
| Integrating new platforms | Require an in-house UNIX and syslog-ng specialist to port and build the source code to the new platform. | BalaBit is continuously adding support for new operating systems, operating system versions, and hardware architectures. These are automatically available for syslog-ng PE users, minimizing the costs of integrating new platforms to your syslog infrastructure. |
| Legacy Platforms | Preparing packages on legacy platforms is possible, but takes exponentially increasing effort based on the age of the platform. | Vendor support for legacy platforms such as Solaris 8, RHEL 2 or Windows 2000. |
| Maintenance | Requires attention to security and stability issues. Versions of OSE are supported only for a limited timeframe. | Long term SLA, regular bug and security fixes by the vendor for every supported platform, decreasing the operational risks for IT managers. |
| Quality Assurance | As is, in-house testing before deployment is essential. | Each release is thoroughly tested by the vendor. |
| Functionality | Different versions of syslog-ng OSE are available for different platforms, and the list of available features depends on the supplier of the package. Even the functionality of the same version differs between platforms. | Unified across all supported platforms (over 40). |
Some of the most notable differences between the features of syslog-ng Premium Edition (PE) and syslog-ng Open Source Edition are listed below.
| syslog-ng Open Source Edition | syslog-ng Premium Edition | |
|---|---|---|
| Encrypted, signed, timestamped log storage | - | Easily meet log related compliance requirements: sensitive data is available only for authorized personnel having the appropriate encryption key. |
| Disk-based buffering and client-side fail-over | - | Reliable log transport helps to avoid losing messages in case of log server or network failures and meets security and compliance requirements. |
| Windows and IBM System i support | - | Collect log messages from over 40 platforms including Windows and IBM System i by using a single system. Note that the IBM System i agent is licensed separately from syslog-ng Premium Edition. |
For a more detailed, feature-oriented technical comparison of syslog-ng PE and syslog-ng OSE, visit the Comparing syslogd, syslog-ng OSE, and syslog-ng PE page.
The above considerations show that although the initial costs of buying syslog-ng Premium Edition are slightly higher than using syslog-ng Open Source Edition, these costs pay off and can result in considerable savings after the first year.
BalaBit IT Security Ltd. is a developer of network security solutions satisfying the highest standards. BalaBit was founded and is currently owned by Hungarian individuals. Its main products are the syslog-ng system logging software, which is the most widely used alternative syslog solution of the world; the syslog-ng Store Box logserver appliance; Zorp, a modular proxy gateway capable of inspecting over twenty protocols, including encrypted ones like SSL and SSH, and the Shell Control Box, an appliance that can transparently control, audit, and replay SSH, RDP, VNC, Citrix, and Telnet traffic.
To learn more about commercial and open source BalaBit products, request an evaluation version, or find a reseller, visit the following links:
 |
[1] All questions, comments or inquiries should be directed to Copyright © 2012 BalaBit IT Security Ltd. Some rights reserved. This document is published under the Creative Commons Attribution Noncommercial No Derivative Works (byncnd) 3.0 license. All other product names mentioned herein are the trademarks of their respective owners. The latest version is always available at the BalaBit Documentation Page. |