LogLogic’s LX2010
On the whole, we were very impressed with the LX2010, but it’s expensive compared with LogRhythm and others. IT managers–and system admins, for that matter–hate logs, because they seemingly go on forever and often provide an overabundance of useless information. Administrators get lost looking for one or two important log entries scattered through a log file with tens of thousands of entries. LogLogic’s simple-to-use Boolean search capabilities can help find that needle in a haystack.
We tested LogLogic’s LX2010, a dual-processor, 2U appliance that comes fully equipped with 2 TB of internal storage (RAID-10), dual power supplies, two bonded Gigabit NICs for log collection, and a 10/100 port for the Web-based management user interface. The 2010 can be deployed as a centralized solution for small and midsize businesses, but it’s often deployed as a remote-office log collector in a hub-and-spoke configuration, with the flagship ST2010 or ST3010 appliance serving as the hub. As an intelligent syslog server, the 2010 automatically detected and categorized incoming logs as we configured each of 10 Cisco PIX firewalls to send their syslog output to it. To ship our Windows server logs to the 2010, we had to install LogLogic’s proprietary build of Lasso, an open-source-based agent that acts as a gateway between Microsoft’s event-log format and syslog, since Windows does not emit syslog natively. Once the agent was in place, the 2010 automatically recognized and grouped all the server log data accordingly. The 2010 isn’t a security event manager, or SEM, per se, but it can be configured to alert IT staff when a defined condition is triggered, so it can perform some of the core functions of a good SEM.
THE UPSHOT CLAIM: LogLogic aims to deliver a new level of visibility, reporting, and analytics to the massive number of logs that are typically distributed among a wide range of enterprise IT systems. Using a simple yet powerful LogLogic reporting engine that’s well suited for forensic and troubleshooting chores, administrators can locate important information often contained in logs that would otherwise be difficult to find through manual searches.
LogRhythm 4.0
IT systems can generate a ton of log events–not all of which are useful–in the name of compliance. Today’s log management systems maintain two different kinds of data: raw logs, which come straight from network devices and are stored as received; and processed data, which the log manager extracts from each message and indexes for searching and reporting. Log managers like LogRhythm can both store the raw messages and extract key fields such as IP address, user name, message importance, and message classification. Settings are defined either per log manager (the server collecting the log messages) or per log source (the program or application generating the logs, such as Windows events or Unix syslog).
LogRhythm 4.0’s other new features include log server monitoring for CPU load, memory usage, and message volume, so you can track system performance in real time. Previous versions of LogRhythm archived log messages in batches, which meant there was a time lag between when a message was received and when it was archived, and a message had to be stored in the online database before it could be archived. In LogRhythm 4.0, log archiving is independent of log processing, and archiving occurs in real time. Two options control what is retained: with Drop Log, nothing is written to the online database; with Drop Raw, the extracted metadata is written to the online database and the raw log is discarded.
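To make the raw-versus-processed split and the Drop Log / Drop Raw choices concrete, here is an added Python sketch of that pipeline. It is illustrative code written for this page, not LogRhythm’s or LogLogic’s software. The sample syslog lines, the field patterns, the classification table, the LogManager class and its policy names are all constructed assumptions; in particular the text does not say whether Drop Log still archives the raw message, and the example assumes it does, since 4.0 archives independently of processing. The search function at the end is a minimal version of the Boolean search over extracted fields that the LX2010 review above credits with finding the needle in the haystack.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not captured data): two Cisco PIX-style syslog
# messages and one Windows logon event as a Lasso-style gateway might relay it.
SAMPLE_LOGS = [
    "<163>Jan 14 10:15:03 pix-edge %PIX-3-106011: Deny inbound (No xlate) tcp "
    "src outside:203.0.113.9/4451 dst inside:192.0.2.10/445",
    "<166>Jan 14 10:15:04 pix-edge %PIX-6-302013: Built outbound TCP connection 12 "
    "for outside:198.51.100.7/80 to inside:192.0.2.25/52144",
    "<84>Jan 14 10:15:05 win-dc01 Security: EventID=4625 Logon failure "
    "user=jsmith src=192.0.2.77",
]

# Hypothetical classification table keyed on the message identifier.
CLASSIFICATION = {
    "PIX-3-106011": "firewall-deny",
    "PIX-6-302013": "connection-built",
    "EventID=4625": "auth-failure",
}

@dataclass
class LogRecord:
    """The processed (indexed) form of one message: only extracted fields."""
    host: str
    source: str             # log source type: "pix" or "windows"
    severity: int           # syslog severity 0..7, from the PRI field
    msg_id: str
    classification: str
    src_ip: Optional[str]
    user: Optional[str]

# Assumed layouts: "<PRI>Mon DD HH:MM:SS host body" with a PIX "%PIX-sev-id:"
# prefix or a Windows "EventID=N ... user=U src=IP" body.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>\S+ \d+ [\d:]+ (\S+) (.*)$")
SRC_RE = re.compile(r"src[ =](?:\w+:)?(\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"user=(\S+)")
EVENT_RE = re.compile(r"EventID=\d+")

def parse(line):
    """Extract metadata from one raw line; the raw text itself is untouched."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: " + line)
    pri, host, body = int(m.group(1)), m.group(2), m.group(3)
    severity = pri & 7                     # low three PRI bits are severity
    if body.startswith("%PIX-"):
        source, msg_id = "pix", body[1:].split(":", 1)[0]
    else:
        ev = EVENT_RE.search(body)
        source, msg_id = "windows", (ev.group(0) if ev else "unknown")
    src, user = SRC_RE.search(body), USER_RE.search(body)
    return LogRecord(host, source, severity, msg_id,
                     CLASSIFICATION.get(msg_id, "unclassified"),
                     src.group(1) if src else None,
                     user.group(1) if user else None)

class LogManager:
    """Two stores, as the text describes: an online database of extracted
    metadata and an archive of raw messages. Retention is chosen per log
    source: "keep" (both), "drop_raw" (metadata only), "drop_log" (nothing
    goes to the online database). Archiving under drop_log is an assumption."""

    def __init__(self, policies):
        self.policies = policies            # source type -> policy name
        self.online_db = []                 # LogRecord objects, searchable
        self.raw_archive = []               # raw lines, stored as received

    def ingest(self, line):
        rec = parse(line)
        policy = self.policies.get(rec.source, "keep")
        if policy != "drop_log":
            self.online_db.append(rec)
        if policy != "drop_raw":
            self.raw_archive.append(line)
        return rec

def search(records, must=None, any_of=None, must_not=None):
    """Boolean search over extracted fields: all `must` pairs match (AND),
    at least one `any_of` pair matches (OR), no `must_not` pair matches (NOT)."""
    must, any_of, must_not = must or {}, any_of or {}, must_not or {}
    def match(r, pairs):
        return [getattr(r, k) == v for k, v in pairs.items()]
    return [r for r in records
            if all(match(r, must))
            and (not any_of or any(match(r, any_of)))
            and not any(match(r, must_not))]

if __name__ == "__main__":
    mgr = LogManager({"pix": "drop_raw", "windows": "keep"})
    for raw in SAMPLE_LOGS:
        mgr.ingest(raw)
    print(len(mgr.online_db), "indexed;", len(mgr.raw_archive), "raw archived")
    for hit in search(mgr.online_db, any_of={"classification": "firewall-deny",
                                               "user": "jsmith"}):
        print(hit.host, hit.msg_id, hit.classification, hit.src_ip, hit.user)
```

The point of the split is visible in the two stores: searches and reports run against the small, typed records in online_db, while raw_archive keeps the unaltered message for anyone who later needs to see exactly what the device sent. Choosing drop_raw for a chatty source such as the PIX trades that evidentiary copy for storage, which is why the choice belongs per log source rather than globally.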
Log management vendors such as LogLogic, Prism, and Q1 Labs are adding features to simplify the process, including data mining and analysis capabilities.
http://www.informationweek.com/news/management/compliance/showArticle.jhtml?articleID=212000974