Testing the LogRhythm LRX2
Rubber, meet road Bringing a LogRhythm appliance online begins with much the same process as any other Windows server. My lab testing used a single LogRhythm appliance-the 2U (3.5-inch) LRX2-that hosted both the Event Manager and Log Manager functions, running Version 5.1.1 of the software. The appliance arrives from the company with Windows Server 2003, SQL Server and the LogRhythm software in a preinstalled and unconfigured state; after supplying the machine with basic network details such as host name, domain membership and an IP address, I was ready to dive into the actual setup of the LogRhythm components.That is, unless you're me. In my first run with the LRX2, the company somehow provided me with a defective evaluation license that in effect ruined the installation. After spending the better part of a couple of days going back and forth with LogRhythm's support engineers, we agreed that the company would ship out a second unit and a usable license file. On this second attempt, I was able to bring the system up without incident, and it was processing logs in a couple of hours. (LogRhythm has since reworked its procedures for evaluation units to ensure that future licenses are cut in a known good configuration.) Mac OS X Server is the only brand-name server platform for which LogRhythm doesn't provide a system-specific log collection agent, but an agent for that OS is slated for Release 6 of the software. I found it relatively easy to configure the Xserve that I keep in the eWEEK Labs workroom to pass log entries to the LogRhythm host, which parsed them using a generic syslog filter for BSD, the basis for Mac OS X. With a working system in hand and all needed services online, the LogRhythm appliance was then set to its primary task of log collection. This can be done by having logs pushed from the system in question, as I did with the Xserve, or pulled by a monitor agent, as one would do in an Active Directory domain. In the latter case, one configures the agent to run as a service, with the privileges necessary to collect logs from the Windows machines of the domain. With the system collecting events, I found it fairly intuitive to use the console interface for interactive work with the data, in much the same way that one would when trying to analyze data to evaluate processes or to verify a sequence of actions. It's easy to set up canned searches for frequently used inquiries, and although it's probably a good idea for a user to have some background in data analysis to make the examination of log data more efficient, LogRhythm does an excellent job of insulating the user from the construction of SQL Server queries while still allowing valuable levels of detail. There are a few things about LogRhythm that need to be addressed in future releases: A complete rework of the documentation would be a good place to start, since the company is already working on simplifying the setup process. I don't see the point in having hardware installation directions in the console's online help file, and the offline PDF documentation-currently a page-for-page translation of the WinHelp document-could stand to be broken up into discrete components that are usable away from the LogRhythm console. But such quibbles aside, I have to admit that LogRhythm has successfully tackled the truly difficult parts of log analysis; it automates a great deal of the drudgework involved in report processing and allows IT personnel to focus on problem resolution. In short, it's not cheap, but it's money well spent.
For this release, that means tweaking a handful of config files with a text editor to inform the software of the networking basics (although the next major release of the LogRhythm components is expected to include a graphical setup utility that fills in those details at initial launch). At the end of this process, the system console pulls in a license file, and at that point you're ready to bring up the various LogRhythm services.