LogRhythm sent its 2U high LR2000-XM (version 5.0) appliance with two quad-core Intel Xeon 2.53GHz processors, 24GB of RAM, four internal NICs, and an eight-drive RAID array with 2TB of storage (the max is 8TB). The LR2000 is a little different than its competitor appliances in that it runs 64-bit Microsoft Windows Server 2003 R2 SP2 instead of a Linux or Unix distro. In place of a web interface, you manage the appliance by connecting to it locally or using RDP and starting the LogRhythm console program.
The install is slightly more cumbersome than the competition, requiring a Windows setup and activation, two licensing files, and some minor INI file editing. LogRhythm technical support can walk you through the whole process in 30 minutes.
The feature-rich console contains hundreds of options, although day-to-day operations will usually consist of clicking on various graphics and typing in keyword search queries. The menu options change depending on the user type, of which there are three: Global Admin, Global Analyst, and Restricted Analyst. A Global Admin enjoys full control over the system. A Global Analyst can manipulate data from any source, print all reports, and configure a narrower set of options. A Restricted Analyst can be limited to seeing and manipulating particular event sources. This is a nice feature that allows administrative duties to be carved up based on responsibilities and expertise.
The LogRhythm console, like the other appliances, shows operational stats and event log information. It stands out from the crowd in the amount of information it displays on a single screen and the ability to check on multiple other appliances from the same interface. Event sources can be added manually in a variety of ways or, in some cases, by using active scanning tools.
The Windows Host Wizard can discover all the Windows machines in a particular domain or organisation unit. The latter feature demonstrates the strength of LogRhythm's Active Directory integration. Windows machines must allow access to the Remote Registry service in order for the scanning wizard to work, a requirement that can pose a problem in environments with overly restrictive host-based firewalls. Syslog machines can simply be pointed to the appliance. One shortcoming in the version 5.0 software I tested, the inability to capture SNMP traps, has been addressed in version 5.1, which also includes 30 additional enhancements.
A typical events summary screen greets you when you log on to the console. It summarises events by number and time period, and allows you to zero in on specific interests, such as a particular logon name as shown below. Both structured and unstructured log data can be viewed and queried using the Log Miner or Investigator features. Log Miner is used for viewing events and their various fields of data, while the Investigator wizard helps the analyst develop the query and select the data sources for Log Miner to show in graphical and event form. LogRhythm's Active Directory integration helps analysts unearth events related to particular Windows users and computers, even if they are not currently showing up in the captured data.
One of the best features of LogRhythm comes when you click on a graph displayed in any of the screens. Each graph is context sensitive and will quickly reveal the underlying data or a different, more focused view of the selected data point. Each view becomes another place to pivot to see the data in a different way. It's hard to overstate the power of this one feature, which made data analysis remarkably easy, it's a pivot table on steroids. The screen image below shows another example set of graphs. Clicking on any colored area of the graphs allows you to pivot to that particular data set.
Collected data can be shown in real time (not a feature every product allows) using the Tail Wizard, allowing analysts to see all incoming traffic or filter the view of incoming data for specific attributes on the fly. This is a great feature for capturing data about a particular event while it is happening.
Older, archived data can be re-analysed using the SecondLook wizard. As long as the archived data (stored in its raw, non-normalised form) can be reached locally or on a network share, it can be re-imported and analysed. The ability to re-import archived data is fairly standard among the solutions, but most of the products require you to re-import all of the archived data. The SecondLook wizard allows you to specify a filter to re-import particular parts of the older data, a nice touch.
LogRhythm comes with many predefined alarm rules, and an unlimited number of alarms can be created. Each alarm is given a status, such as New for current and needing attention or Archived for alarms that have been handled. Clicking on any alarm will reveal the underlying event data and give the analyst another entry point for data pivot tables.
LogRhythm also comes with more than 100 predefined reports in the form of free Report Packs. Report Packs are part of large compliance packages that not only include reports but also preconfigured alarms for the specific regulatory mandate they support.
The LogRhythm product can also be deployed outside the appliance using custom software. In addition, LogRhythm offers file integrity monitoring for a separate cost. Overall, LogRhythm provides a solid, feature-rich log management solution that allows for easy collection and data analysis.