NitroSecurity sent me the 3U NitroView ESM 5000 (Model 5750), which combines an event receiver, log analysis, network analysis, SIEM functions, and console, and the 1U NitroView LogCaster 2000 (Model 2250) ELM, the log receiver appliance.
The orange-faced NitroSecurity appliances run Debian Linux 2.6. Equipped with dual power supplies and multiple fans, the LogCaster was the loudest product of this review. Taking a phone call in the near vicinity was difficult, but the noise will not be a problem in most data centres.
The initial install was fairly easy and didn't require a locally attached keyboard or mouse. Simply put in the (required) static IP address information through the external LCD control buttons and log on via HTTPS. After logging on for the first time, it was just as easy to link the two appliances together.
The NitroView console is based upon Adobe Flex, the open source, Flash-based rich Internet application framework, and NitroSecurity uses Flex's adaptability to the nth degree in this product line. The vendor claims that Flex allows the interface and results returned to be as snappy with many millions of records as it is with a few thousand, but testing this claim was not part of my review.
The default console is attractive if a bit busy, but also incredibly useful. The left side of the main console contains the source tree. Where you click on the tree determines which devices and event sources you end up querying and configuring. The right side of the console contains the filter window, which displays active filters for particular views. The downside of the feature-rich GUI is that it's among the most complicated I've used. I was often referring to help files to assist with options the first time around.
The product's central selling point is that multiple graphs and displays of data can be easily set out side-by-side, and the dozens of views can be highly customized. Admins will have no problem choosing what they want to see in a single view, and adding new charts and data views is a snap. Graphs and data in a single view can be related and synchronised, or completely unrelated; it's your choice. Clicking on any point in one of the context-sensitive graphs updates any related graphs.
Any data element in a chart can be drilled into or out of for more detail or context. For example, on a chart showing a weekly volume indicator, you can select a particular week to see the figures for each day. Select a particular day and see the figures for each hour. Select a particular hour to drill down to the individual events.