LogRhythm LR1000 v3.5
April 01, 2007
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: A strong emerging competitor in the forensic area, already a strong product for network management, easy to use
- Weaknesses: We would like to see a bit more attention to forensic issues
- Verdict: A competent, scalable product. Buy it for network management and use it as one of your network forensic tools
The LR1000 is a log analysis appliance and has a lot to recommend it. Fundamentally, this product gathers logs, analyses them and produces specialised reports. The device can be monitored in near real time as a network management tool during an event, or it can be used to analyse logs after an event for network forensic content.
The LR1000 can accept logs from virtually any source, including Windows, syslog and all of the popular IDSs and firewalls, and can collect them with or without an agent on the remote device. The device normalises time stamps on collected logs while retaining the original time stamp for forensic traceability. Logs are synchronised and even custom logs can be fed to the appliance.
The main purpose of the LR1000 is to manage logs in a network management environment. While the forensic capabilities of the product are secondary, care is given to providing both forensic capability and evidence management during the log collection and analysis process. We were impressed by the thoughtfulness that obviously went into this product.
Documentation is good and LogRhythm provides remote walk-throughs to help new users. Installation was quick and simple. There are three versions of the appliance scaled for different size implementations, and multiple devices can work together over a large network for scalability.
Some areas where we could see minor room for improvement in the forensic arena are depth of log analysis, especially of raw logs, and chain of custody management. Both capabilities are almost there: what is missing is full traceability down to the packet content level where the raw log contains it, and a cleaner way to prove chain of custody. These are forensic requirements, though; chain of custody and full raw log analysis are generally not requirements for typical log management. Log management in a forensic environment can nevertheless be tricky, since logs are easy to manipulate.
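To make concrete the two properties the review keeps returning to, normalised timestamps that still retain the original stamp, and a provable chain of custody over logs that are otherwise easy to manipulate, here is a small added illustration. It is not LogRhythm code; the log lines, the syslog year and the source-host UTC offset are constructed assumptions.

```python
"""Added illustration (not LogRhythm code): normalise log timestamps to UTC while
keeping the original string, then link records into a SHA-256 hash chain."""
import hashlib
import json
from datetime import datetime, timezone, timedelta

# Constructed samples: a syslog line (no year, implicit local time) and a
# Windows-style export with an explicit UTC offset.
SAMPLE_LOGS = [
    ("syslog", "Apr  1 12:03:17 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9"),
    ("windows", "2007-04-01T07:04:02-05:00 EventID=4625 Logon failure for user alice"),
]
SYSLOG_YEAR = 2007                    # assumed: syslog stamps carry no year
SYSLOG_OFFSET = timedelta(hours=-5)   # assumed offset of the syslog source host

def normalise(fmt, line):
    """Return a record holding both the original stamp and a UTC-normalised one."""
    if fmt == "syslog":
        stamp, rest = line[:15], line[16:]
        local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        utc = (local - SYSLOG_OFFSET).replace(tzinfo=timezone.utc)
    elif fmt == "windows":
        stamp, rest = line.split(" ", 1)
        utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    else:
        raise ValueError(f"unknown log format: {fmt}")
    return {"original_ts": stamp, "utc_ts": utc.isoformat(), "message": rest, "raw": line}

def build_chain(entries, previous_hash="0" * 64):
    """Chain the records: each hash covers the record plus its predecessor's hash."""
    chain = []
    for fmt, line in entries:
        rec = normalise(fmt, line)
        rec["prev_hash"] = previous_hash
        payload = json.dumps(rec, sort_keys=True).encode()
        rec["hash"] = hashlib.sha256(payload).hexdigest()
        previous_hash = rec["hash"]
        chain.append(rec)
    return chain

def verify_chain(chain, genesis="0" * 64):
    """Recompute every link; return the index of the first broken record, or -1."""
    prev = genesis
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev_hash"] != prev or expected != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1
```

Altering any field of a stored record, including the retained original timestamp, breaks the chain at that record and every link after it, which is the property a custody check needs.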
Support for the LR1000 and its sister products (LR500 and LR2000) is available, and we were impressed with the pre-sales support from the company. Pricing is about in the middle of the pack for similar products and we find that it offers better than average value for the money.