LogRhythm LR1000 v3.5
Strengths: A strong emerging competitor in the forensic area, already a strong product for network management, easy to use
Weaknesses: We would like to see a bit more attention to forensic issues
Verdict: A competent, scalable product. Buy it for network management and use it as one of your network forensic tools
The LR1000 is a log analysis appliance and has a lot to recommend it. Fundamentally, this product gathers logs, analyses them and produces specialised reports. The device can be monitored in near real time as a network management tool during an event, or it can be used to analyse logs after an event for network forensic content.
The LR1000 can accept logs from virtually any source, including Windows, syslog and all of the popular IDSs and firewalls, and can collect them with or without an agent on the remote device. The device normalises time stamps on collected logs while retaining the original time stamp for forensic traceability. Logs are synchronised and even custom logs can be fed to the appliance.
The main purpose of the LR1000 is to manage logs in a network management environment. While the forensic capabilities of the product are secondary, care is given to providing both forensic capability and evidence management during the log collection and analysis process. We were impressed by the thoughtfulness that obviously went into this product.
Documentation is good and LogRhythm provides remote walk-throughs to help new users. Installation was quick and simple. There are three versions of the appliance scaled for different size implementations, and multiple devices can work together over a large network for scalability.
Some areas where we could see minor room for improvement in the forensic arena are depth of log analysis, especially in raw logs, and chain of custody management. Both of those capabilities are almost there, though, and the only thing missing is full traceability all the way to the packet content level if that level is available in the raw log, and a cleaner way to prove chain of custody. These are forensic requirements, though, and chain of custody and full raw log analysis generally are not requirements for typical log management. However, log management in a forensic environment can be tricky, since logs are easy to manipulate.
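Two of the points raised above, normalising time stamps while keeping the original for traceability, and proving that collected logs have not been altered, can be illustrated in a few lines. The following Python is an added example written for this review and is not LogRhythm code; it does not describe how the LR1000 implements either feature. The three log lines are constructed samples, and the source time zone and the year assumed for the year-less BSD syslog format are explicit assumptions passed in as parameters. Each record keeps the raw line and its original time stamp text next to the normalised UTC value, and the records are linked in a SHA-256 hash chain so that a later change to any record (or a removed record) is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample lines (not real appliance data): a BSD syslog line,
# a Windows-style event export, and an ISO-8601 line from a custom app.
SAMPLE_LOGS = [
    "Jan  5 14:03:21 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10",
    "2024-01-05 09:03:22 EventID=4625 Host=dc01 Message=An account failed to log on",
    "2024-01-05T14:03:23+01:00 app01 INFO user login ok",
]

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a chain


def parse_timestamp(line, source_tz=timezone.utc, assumed_year=2024):
    """Return (original_timestamp_text, normalised UTC datetime) for one line.

    source_tz and assumed_year are assumptions supplied by the caller for
    formats that carry no zone or no year; they are never guessed here.
    """
    # 1. ISO-8601 with an explicit offset, e.g. 2024-01-05T14:03:23+01:00
    token = line.split(" ", 1)[0]
    try:
        dt = datetime.fromisoformat(token)
        if dt.tzinfo is not None:
            return token, dt.astimezone(timezone.utc)
    except ValueError:
        pass
    # 2. "YYYY-MM-DD HH:MM:SS" with no zone (Windows-style export): apply source_tz
    head = line[:19]
    try:
        dt = datetime.strptime(head, "%Y-%m-%d %H:%M:%S")
        return head, dt.replace(tzinfo=source_tz).astimezone(timezone.utc)
    except ValueError:
        pass
    # 3. BSD syslog "Mon dd HH:MM:SS": no year and no zone, both are assumptions
    head = line[:15]
    dt = datetime.strptime(head, "%b %d %H:%M:%S")  # raises ValueError if unrecognised
    dt = dt.replace(year=assumed_year, tzinfo=source_tz)
    return head, dt.astimezone(timezone.utc)


def record_hash(rec):
    """SHA-256 over a canonical JSON encoding of the evidential fields."""
    fields = {k: rec[k] for k in
              ("seq", "original_timestamp", "normalised_utc", "raw", "prev_hash")}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_chain(lines, source_tz=timezone.utc, assumed_year=2024):
    """Ingest lines in arrival order, keeping raw text and original time stamp,
    adding a normalised UTC time stamp, and linking records by hash."""
    records = []
    prev = GENESIS_HASH
    for seq, raw in enumerate(lines):
        original, normalised = parse_timestamp(raw, source_tz, assumed_year)
        rec = {
            "seq": seq,
            "original_timestamp": original,
            "normalised_utc": normalised.isoformat(),
            "raw": raw,
            "prev_hash": prev,
        }
        rec["hash"] = record_hash(rec)
        records.append(rec)
        prev = rec["hash"]
    return records


def verify_chain(records):
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != record_hash(rec):
            return i
        prev = rec["hash"]
    return None


def timeline(records):
    """Record sequence numbers ordered by normalised UTC time (the analysis view)."""
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["normalised_utc"]))
    return [r["seq"] for r in ordered]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOGS)
    for rec in chain:
        print(rec["seq"], rec["original_timestamp"], "->", rec["normalised_utc"])
    print("timeline order:", timeline(chain))
    print("chain intact:", verify_chain(chain) is None)
```

Note that normalisation changes the analysis order (the ISO line stamped 14:03:23+01:00 sorts before the syslog line stamped 14:03:21 once both are in UTC) while the original text is still available for the report. The hash chain only proves integrity from the point of collection onward and only if the head hash is itself stored or signed somewhere the collector cannot rewrite; it says nothing about whether the source host's logs were altered before they were collected, which is the concern the review raises.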
Support for the LR1000 and its sister products (LR500 and LR2000) is available, and we were impressed with the pre-sales support from the company. Pricing is about in the middle of the pack for similar products and we find that it offers better than average value for the money.