LogRhythm: Event Logs for All

LogRhythm will feel more comfortable to users with some database experience, but there's no debating the product's powerful capabilities.

Being an unashamed geek, I was pleased to have the option to have either a remote connection to the LogRhythm test lab or a physical machine. Naturally, I chose the physical machine, which turned LogRhythm into an appliance. (Who doesn't like getting new shiny things in the mail?) The server loaned to me was a standard 2U rack-mount server, running Microsoft SQL Server 2005 and the LogRhythm software on a Microsoft Server base (Windows Server 2008 in this instance). It was ready to rock, and upon boot was awaiting a few final setup tweaks, such as setting an admin password, inputting regional options and rebooting. Then, it was ready.

I was eager to get up and running. Not having the passwords for the preconfigured LogRhythm accounts used to administer the console wasn't a hindrance; due to the SQL Server back-end, it was easy to reset them. Once you bring up the console, it's easy to navigate. By default, there are three panels at the top showing graphs of operations, security and audit events logged by time; below them is an aggregated event list. All are empty just after installation. At this stage, I decided to wait for my call with LogRhythm before going forward.

During the call, the appliance was tweaked for improved performance. At this stage, it was clear that someone familiar with SQL -- or databases in general -- would pick up this system much more quickly than someone without database experience. The system layout and the steps needed to perform tasks, such as searching and generating reports, closely resemble querying a database. Part of the walkthrough is adding clients to be monitored. This is possible via a number of methods: adding clients line-by-line, importing a list from a text file or scanning a subnet. I chose the scanning option, and the speed at which the server picked up clients was impressive. Granted, the subnet scanned wasn't overly large, with fewer than 50 hosts, but it would be possible to scan a large subnet in a reasonable amount of time.

A nice feature of LogRhythm is that it doesn't require any agent to be installed on the log-source device, making deployment and subsequent log retrieval painless. That comes in especially handy when dealing with a large number of hosts, as this product is designed to do.

REDMOND RATING
Installation (20%): 8.5
Features (20%): 8.0
Ease of Use (20%): 8.5
Administration (20%): 8.0
Documentation (20%): 8.5
Overall Rating: 8.3

Key: 1 = Virtually inoperable or nonexistent; 5 = Average, performs adequately; 10 = Exceptional

A Minor Annoyance
At this point, I sat back and watched as the logs started to roll in. Once the logs had all been gathered, I switched the server off and went home. Work got in the way of this review for about a week, so the server sat next to me untouched. During a brief quiet period, I fired up the server and logged back in to the LogRhythm console, only to find that my previously gathered logs were missing.

Here's an important aspect of the appliance's architecture: During the setup of the appliance, a number of configuration files (basic text files) were edited to point the appliance to the database server and set the relevant IP addresses. But if you leave the server on DHCP (as I did), you'll need to find these files and edit them whenever the server is leased a new IP address. Finding them isn't a problem, as the appliance only has a couple of directories you need: one in Program Files and one in Program Files x86. The reason for the reliance on these configuration files is that the database back-end won't necessarily be running on the same physical machine as the LogRhythm console. It would've been nice to have these settings editable within the console itself, as that would've eliminated a potential cause of confusion. However, the configuration will rarely need changing once set.

With the correct configuration in place and the server on a static IP address, I could again see the logs. There's an impressive list of log sources that LogRhythm can pull in. The obvious examples include Windows Server logs, Exchange application logs, SQL logs, logs from any ODBC-compliant database (such as Oracle, IBM DB2, Informix and MySQL) and any ASCII-based .TXT file. That's great for users with Apache Web servers, Linux boxes or homegrown applications. The appliance also provides an integrated syslog server to collect from network devices, such as routers and firewalls.

Experience Recommended
Although the console interface would really suit someone with knowledge of SQL, there are some nice features that free users from being restricted to SQL syntax. A key feature is the Common Event name filter. If you can't remember the event ID assigned to a user creation, then you can just select from a list of plain-English options, such as Account Creation, making searching much easier. After all, who can remember thousands of event IDs? (Incidentally, there are 624 in Windows Server 2000 and 2003, and 4,720 in Windows Server 2008.)

The folks at LogRhythm worked hard to make this console easy to use and configure, even for non-technical people. The personal dashboard, for instance, can be configured for each user; someone looking at your organization's security might only have the security graph showing. The dashboard is also configurable to provide discretionary access control for separation of duties.

The personal dashboard is where most people will spend their time. There are three graphs at the top of the screen showing operations, security and audit events, all by classification; the graphs are broken down into events in the last 10 minutes, 1 hour and 24 hours. Below the graphs is an aggregated event list. Clicking on any one of these takes you into the Log/Event Analyzer window, which shows another graph with the events logged by time and by type, along with statistics on impacted hosts, originating hosts and vendor IDs. The graph layouts make it a breeze to quickly spot possible issues. Once you're familiar with the layout, it's easy to scan the window and get an idea of what's occurring without having to read a ton of information.

Searching is wizard-driven; clicking on the Investigate button brings up a wizard that takes you through seven pages in which you configure your search. The search parameters are a snap to configure, using a mix of SQL-like statements as well as the previously mentioned Common Event name filter. There's also a quick search bar at the bottom of the dashboard, and you can use the tail function (similar to the corresponding Unix command) to apply real-time filters. Searches are fast, and I can't think of anything missing from the available criteria that would've been useful.

This is where the real power of the console starts to appear. The layout lets the user easily see trends and unusual activity thanks to colorful time-based graphs. Upon finding an avenue of investigation, it's simple to drill down into the activity. For example, a search on something as simple as log-in times brings up a bar chart of when log-ins occurred. If some of those times look odd, you can drill down into that time period; if the log-ins turn out to originate from one specific user, you can drill down again into that user's activity, expanding the search to include everything the user did within those time periods. Browser-like buttons provide forward and backward navigation between searches.
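The drill-down workflow just described, as an added example that is not LogRhythm's code: constructed logon records are bucketed by hour (the bar chart), logons outside an assumed business-hours window are isolated, attributed to the users behind them, and that user's activity in those hours is pulled out. The record format, host and user names, and the 08:00 to 17:59 window are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: "<ISO timestamp> <host> <user> <event>"
SAMPLE_LOG = """\
2009-03-02T08:55:10 FS01 alice Logon
2009-03-02T09:02:41 FS01 bob Logon
2009-03-02T13:17:05 WEB01 carol Logon
2009-03-03T02:13:44 FS01 bob Logon
2009-03-03T02:15:09 FS01 bob FileAccess
2009-03-03T02:31:50 DB01 bob Logon
2009-03-03T03:05:22 DB01 bob ServiceInstall
2009-03-03T08:58:30 FS01 carol Logon
""".splitlines()

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is normal

def parse_events(lines):
    """Split each record into a dict with a real datetime."""
    events = []
    for line in lines:
        ts, host, user, event = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "event": event})
    return events

def logons_by_hour(events):
    """The 'bar chart of log-in times': count Logon events per hour of day."""
    return Counter(e["time"].hour for e in events if e["event"] == "Logon")

def off_hours_logons(events, hours=BUSINESS_HOURS):
    """First drill-down: logons that fall outside business hours."""
    return [e for e in events if e["event"] == "Logon" and e["time"].hour not in hours]

def logons_by_user(events):
    """Second drill-down: attribute a set of logons to the users behind them."""
    by_user = defaultdict(int)
    for e in events:
        by_user[e["user"]] += 1
    return dict(by_user)

def user_activity(events, user, hours):
    """Final drill-down: everything that user did in the suspicious hours."""
    return [e for e in events if e["user"] == user and e["time"].hour in hours]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    odd = off_hours_logons(evs)
    print(logons_by_hour(evs))
    print(logons_by_user(odd))  # -> {'bob': 2}
    for e in user_activity(evs, "bob", {x["time"].hour for x in odd}):
        print(e["time"], e["host"], e["event"])
```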

This appliance is really a forensic investigator's dream. All the logs are available in their aggregated format, and the appliance maintains all the raw logs for legal and compliance reasons. There are a number of pre-built investigations included that create interactive reports based upon compliance requirements.

Should you need to create a report that's not included already -- even though there's a long list of pre-built reports -- then custom reporting is as simple as searching and includes options to export and send findings in a PDF, e-mail or link format. The standard reports cover all major compliance regulations. Data is archived in a binary file and can be stored, retrieved and searched from anywhere within your organization.

So how does LogRhythm compare with a product such as Splunk from Splunk Inc.? Initially it seems choosing Splunk is the less-expensive option -- prices start at $5,000 for the Enterprise Edition -- compared to LogRhythm, which starts at $20,000. However, once you factor in the cost of a server on which to run Splunk, there probably won't be much difference in the end.

Well-Built Basics
LogRhythm is an excellent product. Feature-wise, you can't go wrong with it. It's all there, and pulling data out, whether necessary for compliance with an external company or for delving into security logs, is fast. LogRhythm is configurable and can be set up to monitor, alert and report on all events in your infrastructure, customized to each user's preference. If you want a product that forgoes fanciness in favor of functionality, LogRhythm is for you.

LogRhythm

Pricing starts at $20,000
LogRhythm Inc. | 303-413-8745 | www.logrhythm.com

About the Author

Stuart Fordham has worked in IT infrastructure for finance and medical health companies for five years.
