LogLogic Makes Sense of Log Data

 
 
By eweek  |  Posted 2006-07-17
 
 
 

LogLogic Makes Sense of Log Data


IT managers who want to divine application, system and network problems with log data should consider the latest version of LogLogics namesake platform.



Click here to read the full review of LogLogic 3 Release 2.

2


IT managers who want to divine application, system and network problems with log data should consider the latest version of LogLogics namesake platform.

LogLogic 3 Release 2 became available in February and costs a competitive $49,000 on the LogLogic LX2000 appliance that eWEEK Labs used during testing. The $9,999 Compliance Suite PCI Edition module includes more than 50 reports designed to help organizations comply with PCI (Payment Card Industry) regulations.

Click here to read a review of Quests InTrust 9.0 is an event-log management tool.

There is also a COBIT (or Control Objectives for Information and Related Technology) 4.0 & Sarbanes-Oxley Edition of the Compliance Suite, which includes more than 100 reports.

The LogLogic platform takes log data from a wide range of sources, including Microsofts Exchange, firewalls, IDSes (intrusion detection systems) and network devices such as routers and switches.

During tests, we aggregated data from a variety of log sources into an LX2000 device installed in our San Francisco labs. The sources included Juniper Networks and Cisco Systems firewalls and VPN concentrators, Microsoft Exchange e-mail servers and Cisco network gear.

We found that LogLogic 3 reports quite effectively. For example, it sorted out all the repelled network traffic blocked by our firewalls, along with all the administrative user accounts used to access our Linux servers.

LogLogic hardware comes in two families—LX and ST. The LX appliances parse processes and compress log message data for fast alerting and reporting; the ST devices focus on secure, long-term log message collection and storage and include interfaces to NAS (network-attached storage) devices for unfiltered, raw message storage.

LogLogic 3 works by listening on UDP (User Datagram Protocol) Port 514 for syslog messages. As recommended by LogLogic, we let our system run in auto-discover mode until all our log-issuing devices and applications were discovered. After a complete list of these log sources was created, we turned off auto-discover to prevent any malicious use of Port 514.

After LogLogic 3 discovered all our log sources, we let it listen passively to gather the data necessary to create reports. The software also can pull log data from sources using a variety of transport mechanisms, including Secure FTP and HTTPS (HTTP Secure).

LogLogic officials claim it takes just 10 minutes to install the software and 10 seconds to get results. This is true at the most basic level of operation.

However, because the product provides for several levels of user privilege—from those who can access and configure all aspects of the system to those who can view only alerts and reports—we spent several hours just fine-tuning user log-ins. The same applied to alert configuration.

For meaningful results, real-time alerts, real-time reports and trend reports all require fairly extensive configuration. For example, we modified a PCI-specific report that tracked the creation of log-on accounts. We had to specify which applications, systems and network devices should be tracked and then had to test all these elements to ensure that the alerts and reports showed information correctly.

Once the alerts and reports were tuned, however, we could see how LogLogic 3 would help to streamline compliance. We didnt undergo an actual PCI audit during tests, but the reports and alerts provided by the LogLogic 3 system clearly aligned with PCI evidence requirements.

We think that LogLogic 3 will play a significant role in reducing what we call "audit friction" while simultaneously pinpointing possible security problems, such as the creation of unauthorized accounts on systems that contain sensitive data.

Next page: Evaluation Shortlist: Related Products.

Page 3


GFIs GFILANguard Security Event Log Monitor

A software-only tool that, as the name implies, focuses on security reports and alerts (gfi.com/lanselm)

Network Intelligences Envision

A comprehensive security and compliance family of log management software and appliance-based tools (www.network-intelligence.com/products/envision/ed.asp)

SenSages SenSage 3.5

Software that uses enterprisewide event data to perform security analytics and is coupled tightly with event correlation tools to determine the root cause of network problems (www.sensage.com/English/Products/Overview.html)

Source: eWEEK Labs reporting

Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.

Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.

Rocket Fuel