LogRhythm does a good job of putting needed information in one's hands accurately and quickly; it supplies alerts for predefined events and data for compliance reporting.
Any serious IT compliance regime has to include processes
for analyzing and interpreting the extensive, detail-packed log files produced
by applications, servers and network equipment. This only sounds easy when
you're not the one who has to go through these records on a regular basis; it's
exponentially more difficult when you're trying to figure out what's going on
inside your systems while it's still happening, and when you're faced with an
in-progress crisis, the stakes can't get any higher.
The solution is to automate the chore of analysis and interpretation, but
this requires a tool set that's highly scalable and capable of providing
accurate results in a hurry. In this case, power is good, but ease of use is
LogRhythm in its namesake log management software provides a powerful and
straightforward apparatus for collection and examination, but this comes at a
cost: The published price for the company's LogRhythm LRX appliance is $25,000
for the 1U (1.75-inch) Windows-based system, and it increases for more complex
installations. Customers also have the option of supplying their own hardware,
What one gets in return is a log parsing and management system based on
Microsoft SQL Server that's designed to work with a wide range of operating
systems and applications. If it generates a log file, the LogRhythm software
can handle all but the most exotic cases without any special effort. When
necessary, the company's engineers will work to develop an appropriate parser
for the customer's needs.
A LogRhythm installation begins with a server (the Event Manager) running
SQL Server 2005 and LogRhythm's ARM (Alarm
and Response Manager) process; this machine manages the deployment's
configuration and receives log entries that are considered noteworthy. In
LogRhythm's jargon, these important or interesting logs are referred to as
"events" and are used to generate alarms or other responses that are
defined for the event.
But the Event Manager is just the brain of the operation. A LogRhythm
deployment also relies on a SQL Server-based Log Manager, which runs the
Mediator Server process. This collects log messages and, by applying predefined
rules to the messages, determines whether they qualify as events to be
forwarded to the Event Manager for further action. In a sizeable deployment,
customers will find it necessary to run multiple Log Managers.
LogRhythm claims that the architecture is horizontally scalable to any
conceivable degree, and the software can be deployed in a SAN
(storage area network) environment or as a series of virtual machines. The
software's own data integrity checks can verify that logs passed across trusted
network boundaries or recovered from tape haven't been tampered with.
The other pieces of LogRhythm are the graphical .NET-based
console for deployment management and interactive access to LogRhythm's stored
data, which communicates with the Event and Log Managers via SQL Server
protocols, and the System Monitor agents, which communicate with the Log
Manager via a proprietary, encryptable application protocol. The monitor agents
are typically installed on targeted systems, and a Log Manager system will
usually also have a System Monitor installed. System Monitors provide file
integrity checks as well, when these are enabled.
As noted above, the LogRhythm software doesn't just accept or collect logs
from application, file and print servers; it also works with a variety of
network security devices, such as Check Point firewalls, Cisco IDS (intrusion
detection system) platforms and McAfee ePolicy Orchestrator, to provide a
comprehensive view of what's going on in a network and when.
LogRhythm can process operating system and application logs from numerous
Linux and Unix systems, as well as Windows event logs. It also handles standard
syslog records and data sent with the NetFlow protocol. LogRhythm provides
alarm or event notification to IT personnel via SMTP or SNMP, and includes a
small truckload's worth of prepackaged reports intended to address the
requirements of a variety of reporting schemes, including HIPAA (Health
Insurance Portability and Accountability Act), PCI and Sarbanes-Oxley Act.