Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Product review: LogLogic LX

Learn about LogLogic's LX event log management product installation, configuration and reporting features in this review.


LogLogic's LX

Price: Starts at $50,000

Although device logs can contain a wide variety of information, little attention was given to the review and management of these logs until regulations like SOX, HIPAA and PCI made it mandatory. Now companies are finding there is far more to gain from reviewing and auditing logs than just compliance.

LogLogic offers enterprise-class appliances for analyzing and archiving log data that enable organizations to achieve compliance, while offering decision support and improved availability. We reviewed the LX 2010, one of the LX family of appliances for real-time log data collection and analysis. (The ST series interfaces with NAS and WORM devices for mass storage.)

Installation/Setup B+  
LX 2010 is a beast of an appliance with a 2 TB RAW (1 TB in RAID 10) storage capacity, dual 2.4 AMD Opteron processors and 4 GB of memory. The setup is as simple as it gets, supported by a hardened Linux kernel, MySQL database, Apache Web server and Java.

The only thing left for the user is mounting the hard drive in the slots in allotted order and changing the default IP address on the Ethernet interface used to access the Web-based management console, which is easily done through the GUI or CLI.

An appliance can be used to manage multiple LX and/or ST deployments. The access control feature allows you to restrict network access based on source IP address and destination port, similar to access lists used by routers or firewalls. The GUI provides controls to access different parts of the system, and menu items display according to the level of privileges granted to a specific user.

Configuration B+  
LogLogic supports most of the widely deployed devices in the industry. At a sustainable rate of 4,000 messages per second, the LX 2010 can become the syslog and/or SNMP server for all servers and devices in the network. Logs can also be imported via HTTP, HTTPS, SCP, FTP or SFTP. Multiple log formats covering virtually all types of devices are supported--but not all log types. For instance, for firewall/VPN products with proprietary log formats, only Check Point Software Technologies, Cisco Systems, Juniper Networks and Nortel are supported. Email (Exchange) and database (Oracle) server support is also limited.

Configuring log sources is straightforward. Adding devices requires configuration changes on the source devices as well. The documentation provides step-by-step instructions for setting up the log transfer rules and frequency. We configured a few syslog devices, Windows servers using LogLogic's own open-source Lasso tool, a couple of Cisco routers and a Check Point firewall. Since most of the configuration happens on the log sources themselves, adding and setting up devices on LX 2010 usually takes less than a minute.

Reporting B+  
Reporting is the most important component of this product. Two excellent status dashboard screens show the current mps rate, alerts, system performance and total message counters. Another screen shows all added devices and their message counters. The Real-Time Viewer tab shows log messages as they are received.

LogLogic offers many built-in real-time reports for access control, connectivity, database event logs, IBM i5/OS, IDS, email and Web activity. Administrators can create keyword or regular expression searches to produce custom reports to monitor network security and health. The ability to replay old log data should prove very useful for incident response.

LogLogic's LX 2010 offers much-needed help to companies in the areas of log review, analysis and archiving. It can help organizations not only with compliance but also with detection and prevention of dangerous events.

Testing methodology: Logs were obtained from Windows and UNIX servers, Cisco routers, Check Point firewalls and other networking devices generating logs in syslog format.

Article 3 of 16

Dig Deeper on SIEM, log management and big data security analytics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All