I found the LogLogic MX appliance to be among the easiest-to-use management products, and it has all the functionality most administrators would need for basic log management. The GUI is simple and uncluttered. I didn't find myself looking to help manuals nearly as much as I did in other products.
LogLogic sent its 2U-high MX3020 appliance (version 4.9.1 software), which combines the feature sets of the company's LX and ST boxes, thus encompassing log collection, reporting, archiving, and forensics functions, and adds one or more compliance suites. The test unit came with five Ethernet interfaces and 2TB of RAID10 storage, and it was easily the quietest and coolest -- as in low temperature -- appliance tested. Setup was a breeze.
LogLogic's management interface is accessed via HTTPS and opens by default to a summary statistics dashboard. All the statistics you'd expect are shown, including message rates, CPU utilization, and disk space. The GUI was clean, easy to understand, and responsive. The only missing element is the ability to quickly drill down into more detail via context-sensitive graphs, which many of the competitors have.
Monitored clients can be added manually, one at a time, or through the use of queries, or by allowing the MX3020 to inspect inbound message streams to see if it can identify the source devices. Similar devices or clients can be collected together into a device group for easier management. LogLogic has more than 70 predefined device types (definitions ease message parsing), including most of the popular vendors and generic Syslog.
The Log Source Status screen image below shows a sampling of device types. Most client connections are agentless, although there is an open source client for Microsoft Windows computers and clients for mainframes and other esoteric systems.
Incoming events can be viewed in the Real-Time Viewer, and all events can be searched in the Index Search screen. The MX3020 has a special section dedicated to showing firewall and VPN events, which some administrators will find useful.
You can search events by typing in search expressions, using built-in search filters, or creating your own search filters. Search filters can be created using keywords, regular expressions, or Boolean expressions, and they can be saved and shared with other LogLogic users. Search filters can even be marked as read-only or modifiable. An additional In Context tab allows an administrator to quickly see the previous 10 events surrounding the results of a particular filter, a nice touch.
Adaptive baseline alerts take a week or so to measure overall message volume baselines across a collection of devices, and can then alert when events cross above or below the defined baseline thresholds.
The LogLogic MX3020 comes with many predefined, editable standard reports, which can be adjusted on the fly when executed in real time, published on a schedule, and made available in multiple formats: HTML, CSV, PDF, and so on. Normally, the MX comes with one compliance suite (COBIT, NERC, PCI, and more), while additional compliance suites -- including search filters, alerts, and reports tailored to compliance requirements -- can be purchased. LogLogic also offers a Compliance Manager product that adds workflow and sign-off capabilities surrounding compliance features. I did not review the Compliance Manager or any of the add-on products.
Reports and their graphs are context-sensitive and allow drilling down into more detail and tighter timeframes with a click of the mouse. LogLogic's appliances would be improved if the same functionality were incorporated into graphical displays.
One especially interesting report, the Application Distribution, takes collected firewall stats to show a historical record of devices and the TCP/IP ports they use. The data contained in this report can be sliced and diced a number of ways to assist in an investigation. All logs are signed with a SHA-256 hash.