Strengths: Very swift deployment, extremely user-friendly, extensive reporting and alerting facilities, can be customised with different regulatory reporting suites
Weaknesses: Additional report suites add to the price
Verdict: LogLogic makes light work of compliance with a comprehensive monitoring and reporting solution that is remarkably easy to implement and use
LogLogic has traditionally offered a simple solution to help businesses prove compliance with a range of appliances that provide all the log data gathering and reporting tools needed for regulatory requirements. The vendor's focus has traditionally been on the enterprise, but the latest MX2010 appliance combines all the features of its larger LX and ST brethren in a more affordable option for mid-sized businesses. The only trade-offs are a reduced storage capacity for log messages and a lower maximum throughput of 1,000 messages per second.
The MX2010 is a single platform, and the various models are differentiated by the report suite you purchase. Choices cover all the main regulatory areas, with suites for aspects such as PCI DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley) and ITIL (IT Infrastructure Library).
We found the PCI version extremely easy to deploy in the lab. Systems generating log data just need to be pointed to the appliance, which will automatically identify the device type from its traffic and start storing and analysing its log data. The MX2010 can handle a multitude of data sources, with support for syslog, syslog-ng, SNMP, logs via HTTP and HTTPS streams, FTP, SFTP, SCP, Windows drive mapping and JDBC connectors for database logs. The beauty of this approach is that it is completely agentless and can gather information from any device capable of writing log data.
The home page of the management interface opens with a tidy status screen showing message throughput, CPU utilisation, hard-disk usage and the number and types of messages. Usefully, log data is categorised as it comes into the appliance, and you can see the status of log source devices and unapproved messages.
The real-time viewer shows all log messages as they come in and filters allow you to sort out the wheat from the chaff. You can select specific source devices and types, filter by severity rating and use phrases and expressions. The MX2010 keeps raw data for a year and reporting data for three months, with the predefined real-time reports providing a wealth of information on areas such as access controls, connectivity, database, mail, web and user activity.
The advanced options make LogLogic's reporting even more powerful. For example, we created a custom report that looked for attempts by outsiders to access our customer data via FTP, Telnet or SSH. The information presented could then be interrogated further. We could see all devices where this traffic had been seen and drill down deeper to look at individual IP addresses. The web activity reports can be used to check what sites users are accessing, both to create general usage reports and when users are under investigation for breaches of acceptable use policies (AUPs).
The PCI report suite is accessed from the custom report menu option, where you're presented with a wide range of choices. Essentially, these suites take the data from various real-time reports and present it in the appropriate format for a compliance report. It takes all the hard work out of understanding and translating regulatory requirements, so when auditors ask you for, say, a report on all password changes on your Windows servers, you just hit the report run button, save the results in CSV, HTML or PDF formats and send them on their way.
Logs stored on the appliance are digitally signed so it can be proved they haven't been tampered with. The search facility is essentially a forensics tool that can be used to interrogate the raw log data stored on the appliance and is similar to Google searches in that it is indexed to improve performance. Select an event from an index search and you can also see log events prior to this and those immediately after.
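The tamper-evidence property described above, signed log storage that lets you prove the records have not been altered, can be illustrated with a small hash-chained HMAC store. This is an added example and not LogLogic's own signing scheme; the signing key, the sample syslog lines and the chain layout are all constructed for the demonstration. The chain also shows the two cases a practitioner should check for: an entry modified or removed in the middle breaks every tag after it, and entries removed from the end are caught only because the chain head is stored separately.

```python
import hashlib
import hmac

# Constructed key for the example; an appliance would keep its signing key in protected storage.
SIGNING_KEY = b"example-appliance-signing-key"

# Constructed sample log lines (syslog style), not data from a real appliance.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Jan 12 10:01:05 srv01 sshd[2211]: Accepted password for admin from 10.0.0.9 port 51234 ssh2",
    "Jan 12 10:02:17 srv01 sshd[2240]: Failed password for root from 198.51.100.7 port 41002 ssh2",
]


def _tag(key, prev_tag, line):
    """HMAC over the previous tag and this line, so each tag commits to the whole history before it."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def sign_logs(lines, key=SIGNING_KEY):
    """Return a list of (line, tag) pairs forming a hash chain, plus the chain head (the last tag).

    The head must be kept somewhere the log store cannot silently rewrite (another host,
    a write-once medium), otherwise truncation of the chain goes unnoticed.
    """
    prev = b""
    signed = []
    for line in lines:
        tag = _tag(key, prev, line)
        signed.append((line, tag))
        prev = tag
    return signed, prev


def verify_logs(signed, head, key=SIGNING_KEY):
    """Recompute the chain from the start.

    Returns -1 if the log is intact, the index of the first modified, reordered or
    missing-predecessor entry, or len(signed) if the chain ends before the stored head
    (entries removed from the end).
    """
    prev = b""
    for i, (line, tag) in enumerate(signed):
        if not hmac.compare_digest(_tag(key, prev, line), tag):
            return i
        prev = tag
    if not hmac.compare_digest(prev, head):
        return len(signed)
    return -1


if __name__ == "__main__":
    signed, head = sign_logs(SAMPLE_LOGS)
    print("intact:", verify_logs(signed, head) == -1)
    edited = list(signed)
    edited[1] = (edited[1][0].replace("Accepted", "Failed"), edited[1][1])
    print("first bad entry after edit:", verify_logs(edited, head))
```

Verification walks the chain from the first entry, so the cost is linear in the number of records; a store that signs each day's batch and anchors the batch head externally keeps that cost bounded while preserving the same guarantee.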
For index searches, only "and", "or" and "not" terms are supported, but LogLogic's contextual analysis offers many more expressions. Regular expression searches will take longer but are more powerful and can be scheduled to run regularly.
The MX2010 provides a wide range of alerting facilities, where you define filters that look at the log data in real time and can be used to spot critical events. When an alert is triggered, messages can be sent by email and SNMP trap or to a syslog server. Administrative access controls are extensive, allowing you to fine-tune what users can see and do on the appliance. The device also acts as its own logging source, so access to the appliance itself can be reported on, with a choice of SOAP or XML APIs to fit in with existing compliance reporting procedures.
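The two search modes from the previous paragraphs (an indexed search limited to "and", "or" and "not", with the events before and after a hit, versus a slower regular-expression scan) and the real-time alert filters described here are all variations on matching log lines, so one added example covers them. This is illustrative code, not LogLogic's implementation; the sample syslog lines, the inverted-index design, the query grammar ("not" applies to the term that follows it, "and" binds tighter than "or") and the three alert rules are all constructed for the demonstration. Forwarding fired alerts by email, SNMP trap or syslog is left out.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines; not data from a real appliance.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Jan 12 10:01:05 srv01 sshd[2211]: Accepted password for admin from 10.0.0.9 port 51234 ssh2",
    "Jan 12 10:02:17 srv01 sshd[2240]: Failed password for root from 198.51.100.7 port 41002 ssh2",
    "Jan 12 10:02:19 srv01 sshd[2240]: Failed password for root from 198.51.100.7 port 41003 ssh2",
    "Jan 12 10:02:21 srv01 sshd[2240]: Failed password for root from 198.51.100.7 port 41004 ssh2",
    'Jan 12 10:03:40 srv02 vsftpd[881]: FAIL LOGIN: Client "198.51.100.7"',
    "Jan 12 10:04:02 srv01 passwd[3001]: password changed for alice",
]


def tokenize(line):
    """Lower-case word tokens (IP addresses survive as single tokens); the index is built from these."""
    return set(re.findall(r"[a-z0-9._-]+", line.lower()))


def build_index(lines):
    """Inverted index: token -> set of line numbers containing it."""
    index = defaultdict(set)
    for i, line in enumerate(lines):
        for tok in tokenize(line):
            index[tok].add(i)
    return index


def index_search(lines, query, index=None):
    """Boolean search answered entirely from the index (no line is re-read).

    Only 'and', 'or' and 'not' are supported. 'not' negates the term after it,
    'and' binds tighter than 'or', so 'a and b or not c' is (a AND b) OR (NOT c).
    """
    index = index if index is not None else build_index(lines)
    everything = set(range(len(lines)))
    hits = set()
    for clause in query.lower().split(" or "):
        clause_hits = set(everything)
        for term in clause.split(" and "):
            term = term.strip()
            negate = term.startswith("not ")
            if negate:
                term = term[4:].strip()
            matches = index.get(term, set())
            clause_hits &= (everything - matches) if negate else matches
        hits |= clause_hits
    return sorted(hits)


def context(lines, idx, before=1, after=1):
    """The events immediately before and after a selected hit."""
    return lines[max(0, idx - before): idx + after + 1]


def regex_search(lines, pattern):
    """Full scan with a regular expression: more expressive, but linear in the log size."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


# Constructed alert filters: each fires once its pattern has matched 'threshold' times.
ALERT_RULES = [
    {"name": "ssh-brute-force", "pattern": r"sshd\[\d+\]: Failed password", "threshold": 3},
    {"name": "password-change", "pattern": r"passwd\[\d+\]: password changed", "threshold": 1},
    {"name": "root-login", "pattern": r"Accepted password for root", "threshold": 1},
]


def check_alerts(lines, rules=ALERT_RULES):
    """Apply every alert filter and return {rule name: match count} for those that fired."""
    fired = {}
    for rule in rules:
        count = len(regex_search(lines, rule["pattern"]))
        if count >= rule["threshold"]:
            fired[rule["name"]] = count
    return fired


if __name__ == "__main__":
    hits = index_search(SAMPLE_LOGS, "failed and password")
    print("indexed hits:", hits)
    print("context around first hit:", context(SAMPLE_LOGS, hits[0]))
    print("alerts:", check_alerts(SAMPLE_LOGS))
```

The index search never touches the raw lines once the index exists, which is why it is fast and why its vocabulary is limited to whole tokens; the regular-expression scan reads every line and can match substrings and structure, which is the trade-off the review describes between the two modes.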
Many businesses have already found to their cost that data protection regulations cannot be taken lightly. One of the biggest challenges is proving compliance and, although representing a significant outlay, LogLogic's MX2010 provides the perfect monitoring and reporting solution.