This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
Download it now to read this article plus other related content.
Price: Starts at $50,000
Although device logs can contain a wide variety of information, little attention was given to the review and management of these logs until regulations like SOX, HIPAA and PCI made it mandatory. Now companies are finding there is far more to gain from reviewing and auditing logs than just compliance.
LogLogic offers enterprise-class appliances for analyzing and archiving log data that enable organizations to achieve compliance, while offering decision support and improved availability. We reviewed the LX 2010, one of the LX family of appliances for real-time log data collection and analysis. (The ST series interfaces with NAS and WORM devices for mass storage.)
The only thing left for the user is mounting the hard drive in the slots in allotted order and changing the default IP address on the Ethernet interface used to access the Web-based management console, which is easily done through the GUI or CLI.
An appliance can be used to manage multiple LX and/or ST deployments. The access control feature allows you to restrict network access based on source IP address and destination port, similar to access lists used by routers or firewalls. The GUI provides controls to access different parts of the system, and menu items display according to the level of privileges granted to a specific user.
Configuring log sources is straightforward. Adding devices requires configuration changes on the source devices as well. The documentation provides step-by-step instructions for setting up the log transfer rules and frequency. We configured a few syslog devices, Windows servers using LogLogic's own open-source Lasso tool, a couple of Cisco routers and a Check Point firewall. Since most of the configuration happens on the log sources themselves, adding and setting up devices on LX 2010 usually takes less than a minute.
LogLogic offers many built-in real-time reports for access control, connectivity, database event logs, IBM i5/OS, IDS, email and Web activity. Administrators can create keyword or regular expression searches to produce custom reports to monitor network security and health. The ability to replay old log data should prove very useful for incident response.
Testing methodology: Logs were obtained from Windows and UNIX servers, Cisco routers, Check Point firewalls and other networking devices generating logs in syslog format.
This was first published in November 2007