Another solution that combines log management and event management functionality, LogRhythm's XM appliance is long on features and flexibility. It combines a wealth of data views, easy pivot tables, viewing and filtering of real-time data, and the ability to enhance both discovery and analysis with strong Active Directory integration.
LogRhythm sent its 2U high LR2000-XM (version 5.0) appliance with two quad-core Intel Xeon 2.53GHz processors, 24GB of RAM, four internal NICs, and an eight-drive RAID array with 2TB of storage (the max is 8TB). The LR2000 is a little different than its competitor appliances in that it runs 64-bit Microsoft Windows Server 2003 R2 SP2 instead of a Linux or Unix distro. In place of a Web interface, you manage the appliance by connecting to it locally or using RDP and starting the LogRhythm console program.
The install is slightly more cumbersome than the competition, requiring a Windows setup and activation, two licensing files, and some minor INI file editing. LogRhythm technical support can walk you through the whole process in 30 minutes.
LogRhythm XM: Log collection and management
The feature-rich console contains hundreds of options, although day-to-day operations will usually consist of clicking on various graphics and typing in keyword search queries. The menu options change depending on the user type, of which there are three: Global Admin, Global Analyst, and Restricted Analyst. A Global Admin enjoys full control over the system. A Global Analyst can manipulate data from any source, print all reports, and configure a narrower set of options. A Restricted Analyst can be limited to seeing and manipulating particular event sources. This is a nice feature that allows administrative duties to be carved up based on responsibilities and expertise.
The Windows Host Wizard can discover all the Windows machines in a particular domain or organization unit. The latter feature demonstrates the strength of LogRhythm's Active Directory integration. Windows machines must allow access to the Remote Registry service in order for the scanning wizard to work, a requirement that can pose a problem in environments with overly restrictive host-based firewalls. Syslog machines can simply be pointed to the appliance. One shortcoming in the version 5.0 software I tested -- the inability to capture SNMP traps -- has been addressed in version 5.1, which also includes 30 additional enhancements.
A typical events summary screen greets you when you log on to the console. It summarizes events by number and time period, and allows you to zero in on specific interests, such as a particular logon name as shown below. Both structured and unstructured log data can be viewed and queried using the Log Miner or Investigator features. Log Miner is used for viewing events and their various fields of data, while the Investigator wizard helps the analyst develop the query and select the data sources for Log Miner to show in graphical and event form. LogRhythm's Active Directory integration helps analysts unearth events related to particular Windows users and computers, even if they are not currently showing up in the captured data.
One of the best features of LogRhythm comes when you click on a graph displayed in any of the screens. Each graph is context sensitive and will quickly reveal the underlying data or a different, more focused view of the selected data point. Each view becomes another place to pivot to see the data in a different way. It's hard to overstate the power of this one feature, which made data analysis remarkably easy -- it's a pivot table on steroids. The screen image below shows another example set of graphs. Clicking on any colored area of the graphs allows you to pivot to that particular data set.
LogRhythm XM: Flexible views
Collected data can be shown in real time (not a feature every product allows) using the Tail Wizard, allowing analysts to see all incoming traffic or filter the view of incoming data for specific attributes on the fly. This is a great feature for capturing data about a particular event while it is happening.
Older, archived data can be re-analyzed using the SecondLook wizard. As long as the archived data (stored in its raw, non-normalized form) can be reached locally or on a network share, it can be re-imported and analyzed. The ability to re-import archived data is fairly standard among the solutions, but most of the products require you to re-import all of the archived data. The SecondLook wizard allows you to specify a filter to re-import particular parts of the older data -- a nice touch.
LogRhythm comes with many predefined alarm rules, and an unlimited number of alarms can be created. Each alarm is given a status, such as New for current and needing attention or Archived for alarms that have been handled. Clicking on any alarm will reveal the underlying event data and give the analyst another entry point for data pivot tables.