ArcSight Logger lineage
Two decades of forensic log analytics deployed in regulated environments. The cold-storage companion to ArcSight ESM is now the long-retention tier inside the broader SecOps line.
OpenText • Security operations
OpenText Security Log Analytics
Security Log Analytics carries the ArcSight Logger lineage with long-retention log analytics for hunt, investigation, and compliance, paired with Core Threat Detection and Response or Enterprise Security Manager so the SOC has hot detection plus cold forensic depth.
When Merito stands up Security Log Analytics, the engagement designs hot/cold tiering against the customer's compliance retention windows, places high-value data classes in hot SIEM and high-volume classes in cold storage, and operationalizes hunt and IR query workflows on the long-retention tier.
- Best for
- SOC leaders extending log retention beyond hot SIEM windows, Compliance leaders subject to multi-year log retention mandates, Threat hunting team leads using long-retention data for hunt
- Hosting
- Hybrid
- Time to value
- First log sources onboarded in two to four weeks. Hot/cold tiering policy and hunt workflows live in four to eight weeks. Enterprise rollout typically runs three to nine months.
- Security posture
- GDPR, HIPAA-aligned design, PCI DSS-aligned design
- Last reviewed
- 2026-04-26
What it is
OpenText Security Log Analytics in the enterprise stack
Security Log Analytics carries the ArcSight Logger lineage. Logger has been the long-retention forensic log store for ArcSight ESM customers for two decades, providing the cold storage tier behind the hot SIEM. OpenText now ships the engine as Security Log Analytics inside the SecOps line, with native integration into Core Threat Detection and Response (SaaS SIEM) and Enterprise Security Manager (on-prem SIEM). The product covers the long-retention half of the SOC: hunt, post-incident investigation, and compliance reporting on data older than the SIEM's hot retention.
Long retention is the load-bearing requirement. Hot SIEM economics break down at retention windows beyond 90 to 180 days, but compliance regimes routinely require 1, 3, or 7-year retention on security logs. Programs running hot SIEM only either pay punishing prices to extend retention or lose the data to compliance gaps. Security Log Analytics handles the long-retention tier economically, so the program keeps audit-ready data for hunt and investigation without inflating SIEM costs.
Cross-product correlation with the rest of the SecOps line is the platform claim. Hot detection runs in Core TDR or Enterprise Security Manager; cold forensic data sits in Security Log Analytics. The boundary between hot and cold is configurable: high-value data classes (security events, IAM logs, sensitive application logs) stay hot longer; low-value or high-volume classes move to cold faster. Programs running the full SecOps line get hot SIEM with cold forensic depth; programs running only hot SIEM are spending too much for too little retention.
What kills Security Log Analytics adoption is hot/cold boundary drift. Programs that adopt the product without designing the ingestion-and-retention policy end up with everything in hot SIEM (defeating the purpose) or everything in cold storage (losing detection coverage). Merito's engagement designs the data-class policy: which logs go hot, which go cold, when the boundary moves, and how compliance retention windows map to operational tiers. Without that, the product becomes a backup tape of logs nobody queries.
Ideal use cases
- Long-retention forensic log storage paired with Core Threat Detection and Response or Enterprise Security Manager
- Compliance retention for SOC 2, HIPAA, PCI DSS, and SOX-aligned multi-year log retention
- Threat hunting on data older than hot SIEM windows
- Post-incident investigation and timeline reconstruction
- Cost-efficient log analytics across high-volume sources
What it is best at
Where OpenText Security Log Analytics earns its seat
Cost-efficient long retention
Handles 1-, 3-, or 7-year retention windows economically. Programs avoid hot SIEM pricing on data that does not need real-time detection.
Native pairing with hot SIEM
Native integration with Core Threat Detection and Response and Enterprise Security Manager. The hot/cold boundary is configurable per data class.
Hunt-ready query performance
Beyond storage into queryable analytics. Threat hunters and IR investigators run cold-storage queries for hunt and timeline work.
Compliance retention evidence
Audit-ready evidence for multi-year retention mandates under SOC 2, HIPAA, PCI DSS, and SOX.
Core capabilities
OpenText Security Log Analytics capabilities, grouped by outcome
Long-retention storage and analytics
What Security Log Analytics actually does on the cold tier.
Multi-year log retention
1-, 3-, 7-year retention windows on high-volume logs at economical price points.
Hunt-ready query performance
Beyond cold-archive storage into queryable analytics for hunt and IR investigation.
Hot-to-cold tiering
Configurable boundary between hot SIEM detection and cold forensic storage.
Compression and indexing
Index-aware storage that keeps queries fast on high-volume retained data.
Hunt and investigation
Cold storage that the SOC actually uses.
Threat hunting workflow
Hunt programs anchored on long-retention data with adversary-tradecraft context from Core Adversary Signals.
Post-incident timeline reconstruction
IR queries across multi-year retention for timeline reconstruction and root-cause analysis.
Compliance hunting
Compliance-driven hunts (regulated retention queries, audit responses, legal hold).
Integration and operations
Cold storage inside the SecOps line.
Hot SIEM integration
Native pairing with Core TDR and Enterprise Security Manager for hot/cold tiering.
Adversary content integration
Hunt queries enriched with Core Adversary Signals MITRE content.
Threat-intel enrichment
OpenText Threat Intelligence IOCs applied to long-retention data for retroactive matching.
Compliance reporting
Audit-ready evidence for SOC 2, HIPAA, PCI DSS, SOX retention mandates.
Where it fits in the stack
How OpenText Security Log Analytics connects to the rest of your landscape
OpenText SecOps line (native)
Native- OpenText Core Threat Detection and ResponseHot SIEM integration with cold forensic tiering.
- OpenText Enterprise Security ManagerOn-prem SIEM integration with cold forensic tiering.
- OpenText Core Adversary SignalsHunt queries enriched with adversary-tradecraft content.
- OpenText Threat IntelligenceIOC matching across long-retention data for retroactive detection.
- OpenText Network Detection and ResponseLong-retention NDR flow and metadata storage.
Log sources and platforms (certified)
Certified- Network devices, firewalls, IDS/IPSNetwork telemetry ingestion across major vendors.
- Cloud audit logs (AWS, Azure, GCP)Cloud-native log retention for hybrid programs.
- Operating systems and authenticationWindows, Linux, AIX, mainframe, AD/LDAP, Kerberos retention.
- Application logsCustom application log retention with parser libraries.
Custom integrations
Custom- Internal log sources and proprietary applicationsCustom log ingestion and parser development.
- Custom hunt platformsInternal hunt-platform integration and bespoke query workflows.
- Federal compliance retentionFederal-aligned retention policy and compliance evidence.
Deployment and implementation
How it rolls out
- Hosting
- Hybrid (North America, EMEA, APJ)
- Implementation complexity
- Moderate
- Typical time to value
- First log sources onboarded in two to four weeks. Hot/cold tiering policy and hunt workflows live in four to eight weeks. Enterprise rollout typically runs three to nine months.
- Prerequisites
- Hot SIEM landscape (Core TDR, ESM, or third-party)
- Log volume and retention requirements per data class
- Named SOC and compliance owner
- Hunt and IR program operating shape
- Compliance retention mandate inventory
- What Merito usually handles
- Security Log Analytics runs as SaaS, on-prem, or BYOC. Merito handles ingestion-and-retention policy design, hot/cold tiering, hunt workflow operationalization, and SecOps line integration.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- OpenText Security Log Analytics is licensed by log volume retained, retention window, and deployment shape. Pricing depends on retention duration, ingestion rate, and SecOps integration. License acquisition flows through Merito; tiering and hunt design are scoped under a separate engagement.
- Editions and modules
Security Log Analytics SaaS
SaaS-deployed long-retention log analytics paired with Core Threat Detection and Response.
Best for: Cloud-native SOCs running OpenText SecOps line in SaaS.
Security Log Analytics on-prem
On-prem long-retention log analytics paired with Enterprise Security Manager.
Best for: Regulated programs running ESM on-prem.
Security Log Analytics hybrid
Mixed cloud and on-prem long-retention storage.
Best for: Programs running mixed SOC architecture.
- Common expansion areas
- Add Core Threat Detection and Response or Enterprise Security Manager for hot SIEM pairing
- Add Core Adversary Signals for hunt-program adversary content
- Add Threat Intelligence for retroactive IOC matching
- Add Network Detection and Response for long-retention NDR data
Merito services
How Merito helps you win with OpenText Security Log Analytics
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Security Log Analytics Implementation
Ingestion-and-retention policy design, hot/cold tiering, hunt workflow operationalization, SecOps line integration.
Explore service02Upgrade and Migration
ArcSight Logger version upgrades and modernization.
Explore service03MAPS Assessment
SOC program scoping for Security Log Analytics alongside Splunk, Devo, and Cribl.
Explore service04DevOps Consulting
Hunt program operationalization and SecOps integration.
Explore service05Premium Support
Named engineer, priority SLAs, and release-time coverage for Security Log Analytics.
Explore service06Managed Services
Long-term run support including ingestion-and-retention policy maintenance, hunt-program evolution, and SecOps integration upkeep.
Explore service07Training and Enablement
Role-based training for SOC analysts, threat hunters, and compliance leads.
Explore service08Staff Augmentation
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Security Log Analytics licensing
License the cold tier. Design the hot/cold boundary. Same engagement.
Security Log Analytics pricing arrives with ingestion-and-retention policy design, hot/cold tiering, hunt operationalization, and SecOps line integration that turn long-retention storage into hunt-ready forensic depth rather than backup tape.
Merito point of view
Hot SIEM is too expensive for cold data. Cold storage is too slow for hot detection.
Merito has audited SOC programs paying punishing prices to keep two years of logs in hot SIEM, and others losing data to compliance gaps because hot SIEM retention only covers 90 days. The right shape is hot SIEM for detection plus a long-retention tier for hunt, IR, and compliance. Security Log Analytics is the long-retention tier; programs running hot SIEM alone are spending too much for too little retention.
Merito recommends Security Log Analytics specifically for programs running OpenText SecOps line, when compliance retention windows are real, and when hunt-program maturity justifies cold-storage analytics. For programs picking Splunk-anchored SOC architectures, Splunk's federated search across hot and cold tiers is competitive. For programs picking specialist log analytics breadth, Devo and Cribl are competitive depending on the program shape. Merito surfaces those alternatives honestly during scoping.
Hot/cold boundary design is the load-bearing operational decision. Programs that adopt Security Log Analytics without designing the data-class policy end up with everything in hot SIEM (defeating the purpose) or everything in cold storage (losing detection coverage). Merito treats the boundary design as central work in the implementation rather than a checkbox.
What buyers usually underestimate
- Adopting Security Log Analytics without designing the hot/cold tiering policy.
- Treating cold storage as backup tape rather than queryable analytics.
- Skipping hunt-program operationalization, leaving the long-retention data unused.
- Running hot SIEM only and paying punishing prices for inadequate retention.
- Migrating off mature Splunk-anchored architectures without an honest assessment of delta value.
Related from Merito
Continue exploring OpenText Security Log Analytics on Merito
Related solutions
Related services
Related products
- OpenText Core Threat Detection and ResponseHot SIEM paired with Security Log Analytics for cold forensic depth.
- OpenText Enterprise Security ManagerOn-prem SIEM paired with Security Log Analytics for cold forensic depth.
- OpenText Core Adversary SignalsAdversary content for hunt queries on long-retention data.
- OpenText Threat IntelligenceIOC feeds for retroactive matching across long-retention data.
- OpenText Cybersecurity (vendor portfolio)Full OpenText Cybersecurity catalog across AppSec, IAM, SecOps, Data Security, and DFIR.
Frequently Asked Questions
OpenText Security Log Analytics FAQs
Consultation request
Talk to Merito about OpenText Security Log Analytics
Share your hot SIEM landscape, retention compliance mandates, and hunt-program maturity. A Merito OpenText specialist follows up within one business day.
ArcSight Logger lineage
Long-retention forensic depth
Two decades of forensic log analytics. Multi-year retention at economical price points.
Hot/cold tiering
SIEM plus forensic depth
Native pairing with Core TDR and Enterprise Security Manager. Configurable per data class.
Next step
Pair hot SIEM with cold forensic depth.
A Merito Security Log Analytics engagement starts with hot/cold tiering policy and hunt operationalization. Hot SIEM alone is too expensive for retained data; cold storage alone is too slow for detection.