Strengths: Good hardware platform, easy deployment, reporting suites for all main industry regulations included, support for unlimited log data sources
Weaknesses: Some log sources require manual definitions
Verdict: A simple yet powerful log management and analysis solution that will keep your auditors happy and your business on the right side of the law
Businesses storing personal information have a duty to show compliance with data protection regulations, and failing to adhere to best practices can be a costly mistake. Take PCI DSS (Payment Card Industry Data Security Standard), for example. Developed by all major credit card companies, it requires businesses that process, store and transmit card data to demonstrate compliance with the standard or risk losing their card-processing privileges - fatal in these times of economic turmoil.
When auditors come a-calling, it pays dividends to be able to prove compliance - and log data management is the way to do it. LogRhythm is an appliance-based solution and a key feature is that the price includes reporting suites not only for PCI DSS but also for US laws such as Sarbanes-Oxley and FISMA (Federal Information Security Management Act).
On review is the flagship LR-2000-XM, supplied as a Dell PowerEdge 2950 2U rack server endowed with a pair of quad-core Xeons and 16GB of memory. Redundancy and fault tolerance are well covered: internal storage is handled by six 300GB SAS drives configured in a RAID-5 array while power is handled by a pair of hot-swap supplies.
LogRhythm runs on Windows Server 2003 R2 on the appliance and can receive data from an extensive range of log sources such as Windows drive mapping and Event Logs, syslog, syslog-ng, Cisco NetFlow, ODBC connectors for database logs and Check Point OPSEC/LEA collections. Note that the price includes support for unlimited log data sources.
LogRhythm 4.1 offers plenty of new features, with Second Look at the top of the list. When the appliance collects data, it parses it and stores metadata for each field, allowing log data to be archived efficiently to make best use of local storage. Second Look allows old logs to be imported back into the appliance and rules re-run over them to add new metadata.
Some security breaches are the result of a series of apparently unrelated events, and LogRhythm's host-based contextualisation allows you to track these. To watch out for an insider copying business-critical data, for example, set LogRhythm to watch for out-of-hours authentications followed by file transfers to an external IP address.
The appliance is managed using a console utility that is well designed and liberally sprinkled with wizards. We found deployment in the lab easy enough as we just told our test systems and devices to send their log data to the appliance. LogRhythm can identify Windows servers from their traffic, allowing it to gather information such as the OS version and Windows event logs.
A number of our test systems were sending syslog data and we needed to manually update their entries to specify their device type. However, LogRhythm advised us that for customer deployments it would do this as part of its service.
Your first port of call is the My Personal Dashboard screen that shows graphs of all log activity and can highlight security breaches or problems. For the latter, you can define classes for events and choose from operational, security and audit categories.
Points of interest can be easily investigated: you select an event - such as a peak on the graph - and the Log/Event Analyser shows all related information. Raw data is displayed by the Log Viewer and you can drill down into individual events and view extra information, such as metadata.
You can keep an eye out for specific security events, such as multiple authentication failures, by using LogRhythm's Alarm Rules, which issue notifications when an event is triggered. Notifications can be sent as SNMP traps, SMTP mail or local console alerts, or you can create custom notifications.
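The two rule types the review mentions - the out-of-hours authentication followed by an external file transfer, and the multiple-authentication-failure alarm - can be shown as plain correlation logic over a few constructed log events. This is an added example, not LogRhythm's rule engine or its log format; the event tuples, the RFC 1918 definition of "internal" and the thresholds are all assumptions.

```python
import ipaddress
from collections import deque
from datetime import datetime

# Constructed sample events, not LogRhythm output: (timestamp, host, user, event, detail)
EVENTS = [
    ("2009-03-02 02:10:00", "fs01", "jsmith", "AUTH_OK", ""),
    ("2009-03-02 02:14:30", "fs01", "jsmith", "FILE_XFER", "203.0.113.9"),  # off-hours + external
    ("2009-03-02 10:05:00", "fs01", "mbrown", "AUTH_OK", ""),
    ("2009-03-02 10:06:00", "fs01", "mbrown", "FILE_XFER", "203.0.113.9"),  # office hours: ignored
    ("2009-03-02 22:30:00", "fs01", "alee", "AUTH_OK", ""),
    ("2009-03-02 22:40:00", "fs01", "alee", "FILE_XFER", "10.0.0.25"),      # internal target: ignored
] + [("2009-03-02 11:00:%02d" % s, "web01", "root", "AUTH_FAIL", "") for s in range(0, 60, 10)]

# Assumed corporate address space: RFC 1918 ranges plus loopback count as internal.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse(event):
    return (datetime.strptime(event[0], "%Y-%m-%d %H:%M:%S"),) + tuple(event[1:])

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def auth_failure_bursts(events, threshold=5, window_sec=300):
    """Threshold rule: at least `threshold` AUTH_FAIL events for one host/user pair
    inside a sliding window of `window_sec` seconds."""
    recent, hits = {}, set()
    for ts, host, user, kind, _ in sorted(map(parse, events)):
        if kind != "AUTH_FAIL":
            continue
        window = recent.setdefault((host, user), deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_sec:
            window.popleft()
        if len(window) >= threshold:
            hits.add((host, user))
    return sorted(hits)

def off_hours_exfil(events, start_hour=20, end_hour=6, window_sec=1800):
    """Sequence rule: an out-of-hours AUTH_OK followed within `window_sec` by a
    FILE_XFER from the same user on the same host to an external address."""
    pending, hits = {}, []
    for ts, host, user, kind, detail in sorted(map(parse, events)):
        if kind == "AUTH_OK" and (ts.hour >= start_hour or ts.hour < end_hour):
            pending[(host, user)] = ts
        elif kind == "FILE_XFER" and (host, user) in pending:
            age = (ts - pending[(host, user)]).total_seconds()
            if age <= window_sec and is_external(detail):
                hits.append((host, user, detail))
    return hits
```

Only jsmith matches the sequence rule: mbrown's transfer happens in office hours and alee's goes to an internal address, which is the kind of false positive the time and destination conditions are there to suppress.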
Forensics investigations are easy to conduct as a wizard helps select a log source, a time period and an event type. Filters refine the information further and tasks can be scheduled to run regularly, if required. You can keep a close eye on events as they happen, as the Tail feature allows you to watch multiple log streams in real time.
Data protection regulations insist on log data being kept for a specific period of time. Archiving is essential to ensure the appliance storage is managed efficiently and LogRhythm supports a wide range of local and network storage locations, including IP and FC SANs and NAS. An impressive range of storage management tools is provided, allowing you to determine archiving for log data at the device, event and rule level.
Naturally, all data stored on the appliance is digitally signed to prove it hasn't been tampered with; this also applies to archived data. When data is restored from an archive, LogRhythm applies checksums to ensure its integrity.
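To show why a signature and a checksum together matter on restore, here is an added example (not LogRhythm's archive format or signing scheme) of signing a sequence of archived log chunks. It uses an HMAC under an assumed key as the keyed integrity tag in place of a full digital signature, and chains each tag over the previous one so a chunk that is altered, re-ordered or silently dropped is all caught when the archive is read back.

```python
import hashlib
import hmac

# Assumed signing key; a real appliance would hold this in its own key store.
SIGNING_KEY = b"constructed-example-key-not-for-production"

def sign_archive(chunks, key=SIGNING_KEY):
    """Sign a sequence of log chunks (lists of lines). Each chunk carries a SHA-256
    checksum of its body and an HMAC chained over the previous chunk's tag, so a
    chunk that is altered, forged, re-ordered or dropped is caught on restore."""
    signed, prev_tag = [], ""
    for lines in chunks:
        body = "\n".join(lines).encode()
        digest = hashlib.sha256(body).hexdigest()
        tag = hmac.new(key, (prev_tag + digest).encode(), hashlib.sha256).hexdigest()
        signed.append({"body": body, "sha256": digest, "hmac": tag})
        prev_tag = tag
    return signed

def verify_archive(signed, key=SIGNING_KEY):
    """Recompute checksum and chained signature for every chunk; return (ok, message).
    A bare checksum can be recomputed by whoever altered the body, so only the
    keyed tag actually proves the archive is the one the appliance wrote."""
    prev_tag = ""
    for i, chunk in enumerate(signed):
        digest = hashlib.sha256(chunk["body"]).hexdigest()
        if digest != chunk["sha256"]:
            return False, "chunk %d: checksum mismatch, body altered" % i
        tag = hmac.new(key, (prev_tag + digest).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, chunk["hmac"]):
            return False, "chunk %d: signature mismatch, chunk forged, re-ordered or missing" % i
        prev_tag = tag
    return True, "%d chunks verified" % len(signed)

def restore_lines(signed, key=SIGNING_KEY):
    """Return the archived lines only if the whole archive verifies, else raise."""
    ok, msg = verify_archive(signed, key)
    if not ok:
        raise ValueError(msg)
    return [line for chunk in signed for line in chunk["body"].decode().split("\n")]
```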
Access controls need to be good, as these are also a part of regulatory compliance, and LogRhythm allows you to designate users as administrators or analysts. The latter are only allowed to access log data and run reports, and roles can restrict analyst access further to selected devices or groups and specific log data sources.
As an enterprise-level log management solution, there's little to touch the LR-2000-XM. The extensive reporting facilities and compliance packages make it particularly good value. It's easy to use and new features add another dimension to security log analysis.