Unlike the other products in this review that combine log management and event management functionality, NitroSecurity wraps the two feature sets in two separate appliances. Because NitroSecurity's NitroView Enterprise Log Manager (ELM) data is viewable only through a linked NitroView Enterprise Security Manager (ESM), my review of its log management functionality required testing both appliances.
NitroSecurity sent me the 3U NitroView ESM 5000 (Model 5750), which combines an event receiver, log analysis, network analysis, SIEM functions, and console, and the 1U NitroView ELM 2000 (Model 2250), the log receiver appliance.
The orange-faced NitroSecurity appliances run Linux. Equipped with dual power supplies and multiple fans, the ESM was the loudest product of this review. Taking a phone call in the near vicinity was difficult, but the noise will not be a problem in most data centers.
The initial install was fairly easy and didn't require a locally attached keyboard or mouse. Simply put in the (required) static IP address information through the external LCD control buttons and log on via HTTPS. After logging on for the first time, it was just as easy to link the two appliances together.
The product's central selling point is that multiple graphs and displays of data can be easily set out side-by-side, and the dozens of views can be highly customized. Admins will have no problem choosing what they want to see in a single view, and adding new charts and data views is a snap. Graphs and data in a single view can be related and synchronized, or completely unrelated -- it's your choice. Clicking on any point in one of the context-sensitive graphs updates any related graphs.
Any data element in a chart can be drilled into or out for more detail or context. For example, on a chart showing a weekly volume indicator, you can select a particular week to see the figures for each day. Select a particular day and see the figures for each hour. Select a particular hour to drill down to the individual events.
You can click the properties icon on any graph to see the data sorted a different way or to create a brand-new graph. You can choose the event sources, fields to include, filters, update interval, sort order, graph type, and more. Multiple graphs and data views can be combined and sized into a particular console view. Admins can easily create multiple views and switch among them with one mouse click. Each user can choose their own default view. Only one product in this review, LogRhythm, was in the same class as NitroSecurity in providing versatile views and graphs.
Events can be individually browsed to see all captured information, and filters can be created on the fly. Filters can be built graphically, simply by using a mouse, including complex filters with logical ANDs and ORs (see image below). Once filters are created, they can easily be applied to all the existing views or removed with a single click of a mouse.
The NitroView ELM has data storage groups, just like ArcSight and Splunk, where each incoming event source can be placed. Drive storage can be internal or external (using SANs or NetBIOS shares). Parsed and indexed logs are also stored in original raw form and digitally hashed, and they can be compared later on for forensic needs. NitroView has fairly strong default security requirements, supports FIPS, and allows you to assign fairly granular permissions to different administrative groups. Auto-updating functionality updates rules, the application, and the underlying OS.
Alerting is handled in the ESM product. Notifications can be sent using email, SNMP, and syslog; SMS was noticeably missing. NitroView ESM can send Remedy-formatted emails, and it even contains its own, albeit basic case-tracking component if you don't already have a more usable tracking system.
NitroView ESM and ELM come with dozens of predefined reports, including the usual Windows, PCI, SOX, GBLA-type reports, along with a few application-level reports. My favorite reports were those that cited "deviations from the baseline." This is a great idea. Essentially you use NitroView to capture and establish a baseline of normal event patterns. Then you can easily create reports and views to show abnormal events and trends.