LogLogic sent its 2U-high MX3020 appliance (version 4.9.1 software), which combines the feature sets of the company's LX and ST boxes, thus encompassing log collection, reporting, archiving, and forensics functions, and adds one or more compliance suites. The test unit came with five Ethernet interfaces and 2TB of RAID10 storage, and it was easily the quietest and coolest (in operating temperature, not style) appliance tested. Setup was a breeze.
LogLogic's management interface is accessed via HTTPS and opens by default to a summary statistics dashboard. All the statistics you'd expect are shown, including message rates, CPU utilisation, and disk space. The GUI was clean, easy to understand, and responsive. The only missing element is the ability to quickly drill down into more detail via context-sensitive graphs, which many of the competitors have.
Monitored clients can be added manually, one at a time, or through the use of queries, or by allowing the MX3020 to inspect inbound message streams to see if it can identify the source devices. Similar devices or clients can be collected together into a device group for easier management. LogLogic has more than 70 predefined device types (definitions ease message parsing), including most of the popular vendors and generic Syslog.
The Log Source Status screen image below shows a sampling of device types. Most client connections are agentless, although there is an open source client for Microsoft Windows computers and clients for mainframes and other esoteric systems.
Incoming events can be viewed in the Real-Time Viewer, and all events can be searched in the Index Search screen. The MX3020 has a special section dedicated to showing firewall and VPN events, which some administrators will find useful.
You can search events by typing in search expressions, using built-in search filters, or creating your own search filters. Search filters can be created using keywords, regular expressions, or Boolean expressions, and they can be saved and shared with other LogLogic users. Search filters can even be marked as read-only or modifiable. An additional In Context tab allows an administrator to quickly see the previous 10 events surrounding the results of a particular filter, a nice touch.
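To make the filter model concrete, here is an added illustration (my own code, not LogLogic's) of the three filter kinds the review describes, keyword, regular expression and Boolean combinations, plus an "In Context" lookup that returns the 10 events preceding each hit. The event lines are constructed syslog-style samples, and function names are my own.

```python
import re
from typing import Callable, List, Tuple

Filter = Callable[[str], bool]

def keyword(word: str) -> Filter:
    """Case-insensitive substring match, a simple keyword filter."""
    return lambda line: word.lower() in line.lower()

def regex(pattern: str) -> Filter:
    """Regular-expression filter; matches anywhere in the line."""
    compiled = re.compile(pattern)
    return lambda line: compiled.search(line) is not None

def all_of(*filters: Filter) -> Filter:   # Boolean AND of sub-filters
    return lambda line: all(f(line) for f in filters)

def any_of(*filters: Filter) -> Filter:   # Boolean OR of sub-filters
    return lambda line: any(f(line) for f in filters)

def negate(flt: Filter) -> Filter:        # Boolean NOT of a sub-filter
    return lambda line: not flt(line)

def search(events: List[str], flt: Filter) -> List[int]:
    """Indexes of the events (in arrival order) that satisfy the filter."""
    return [i for i, line in enumerate(events) if flt(line)]

def in_context(events: List[str], flt: Filter, before: int = 10) -> List[Tuple[int, List[str]]]:
    """For each hit, return its index and the `before` events that preceded it,
    i.e. the lead-up an analyst wants to see around a matching event."""
    return [(i, events[max(0, i - before):i]) for i in search(events, flt)]

# Constructed sample events (not captured data); index 0 is the oldest.
SAMPLE = (
    [f"Jan  1 00:00:{i:02d} host1 sshd[2000]: Accepted publickey for alice from 10.0.0.{i}" for i in range(12)]
    + ["Jan  1 00:00:12 host1 sshd[2000]: Failed password for root from 203.0.113.9"]
    + [f"Jan  1 00:00:{13 + i} host2 fw: ACCEPT TCP 10.0.0.{i} -> 10.0.0.1:443" for i in range(5)]
    + ["Jan  1 00:00:18 host2 fw: DROP TCP 203.0.113.9 -> 10.0.0.1:22"]
)

if __name__ == "__main__":
    suspicious = any_of(keyword("Failed password"), regex(r"\bDROP\b"))
    for idx, prior in in_context(SAMPLE, suspicious):
        print(f"hit #{idx}: {SAMPLE[idx]}")
        for line in prior:
            print("    ", line)
```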