There has been explosive growth in the log management market for a couple of reasons. One is the overwhelming complexity of deciphering log data from hundreds or thousands of nodes. Regulatory compliance is another major driver. We took a close look at two log management appliances, LogLogic's LX2010 and LogRhythm 4.0, to see how they stacked up.
On the whole, we were very impressed with the LX2010, but it's expensive compared with LogRhythm and others.
IT managers--and system admins, for that matter--hate logs, because they seemingly go on forever and often provide an overabundance of useless information. Administrators get lost looking for one or two important log entries scattered through a log file with tens of thousands of entries. LogLogic's simple-to-use Boolean search capabilities can help find that needle in a haystack.
We tested LogLogic's LX2010, a dual-processor, 2U appliance that comes fully equipped with 2 TB of internal storage (RAID-10), dual power supplies, two bonded Gigabit NICs for log collection, and a 10/100 port for the Web-based management user interface. The 2010 can be deployed as a centralized solution for small and midsize businesses, but it's often deployed as a remote-office log collector in a hub-and-spoke configuration, with the flagship ST2010 or ST3010 appliance serving as the hub.
As an intelligent syslog server, the 2010 automatically detected and categorized incoming logs as we configured each of 10 Cisco PIX firewalls to connect to the LogLogic 2010. To ship our Windows server logs over to the 2010, it was necessary to install a LogLogic proprietary version of Lasso, an open source-based product that was built as a gateway between Microsoft's event-logging format and syslog. Once complete, the 2010 automatically recognized and grouped all the server log data accordingly.
The 2010 isn't a security event manager, or SEM, per se, but it can be configured to alert IT in the event of a failed condition, so in a way it can perform some of the same core functions of a good SEM. Ad hoc reports can be e-mailed or saved to CSV and/or PDF formats for easy distribution to management. We also loved the way the 2010 aggregated all of our PIX firewall logs and aggregated all connection information, including which hosts were talking to which, on what port, and at what time.
Ready for the sticker shock? The fully loaded LX2010 we tested lists for $68,995. The lower-end LX series, which is limited to 1,024 log sources and 1,000 log messages per second, lists for $14,995.
-- Randy George