LogRhythm Balances Power With Simplicity: Review

Any serious IT compliance regime has to include processes for analysing and interpreting the extensive, detail-packed log files produced by applications, servers and network equipment. This only sounds easy when you’re not the one who has to go through these records on a regular basis; it’s far harder when you’re trying to figure out what’s going on inside your systems while it’s still happening, and when you’re faced with an in-progress incident, the stakes can’t get any higher.

The solution is to automate the chore of analysis and interpretation, but this requires a tool set that’s highly scalable and capable of providing accurate results in a hurry. In this case, power is good, but ease of use is paramount.

Power and simplicity

LogRhythm’s namesake log management software provides a powerful yet straightforward apparatus for log collection and examination, but this comes at a cost: the published price for the company’s LogRhythm LRX appliance is $25,000 (£16,000) for the 1U (1.75-inch) Windows-based system, and it rises for more complex installations. Customers also have the option of supplying their own hardware.

What one gets in return is a log parsing and management system based on Microsoft SQL Server that’s designed to work with a wide range of operating systems and applications. If it generates a log file, the LogRhythm software can handle all but the most exotic cases without any special effort. When necessary, the company’s engineers will work to develop an appropriate parser for the customer’s needs.

A LogRhythm installation begins with a server (the Event Manager) running SQL Server 2005 and LogRhythm’s ARM (Alarm and Response Manager) process; this machine manages the deployment’s configuration and receives the log entries that are considered noteworthy. In LogRhythm’s jargon, these important or interesting log entries are referred to as “events”, and each event can trigger the alarms or other responses defined for it.

But the Event Manager is just the brain of the operation. A LogRhythm deployment also relies on a SQL Server-based Log Manager, which runs the Mediator Server process. This collects log messages and, by applying predefined rules to the messages, determines whether they qualify as events to be forwarded to the Event Manager for further action. In a sizeable deployment, customers will find it necessary to run multiple Log Managers.

LogRhythm claims that the architecture is horizontally scalable to any conceivable degree, and the software can be deployed in a SAN (storage area network) environment or as a series of virtual machines. The software’s own data integrity checks can verify that logs passed across trusted network boundaries or recovered from tape haven’t been tampered with.
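To make the two-tier flow described above concrete, here is an added Python sketch. It is not LogRhythm’s code: the rule syntax, field names, alarm thresholds and the hash-chain-plus-HMAC batch seal are this example’s own assumptions, not a description of how the product implements its rules or its integrity checks. A Log Manager stage parses constructed syslog lines and promotes rule matches to events; the batch of events is sealed with a shared key so the receiving Event Manager can detect a dropped, reordered or altered record; the Event Manager then applies alarm rules across the batch.

```python
"""Toy collector / event-manager pipeline.  Added illustration only; the rules,
thresholds and integrity scheme are this example's assumptions, not LogRhythm's."""
import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines for the demo; not captured from any real host.
SAMPLE_LOGS = [
    "Apr 25 10:00:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Apr 25 10:00:07 web01 sshd[2215]: Failed password for root from 203.0.113.9 port 40112 ssh2",
    "Apr 25 10:00:09 web01 sshd[2217]: Failed password for root from 203.0.113.9 port 40113 ssh2",
    "Apr 25 10:00:12 web01 sshd[2219]: Failed password for admin from 203.0.113.9 port 40114 ssh2",
    "Apr 25 10:00:15 web01 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 25 10:00:20 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Log Manager classification rules (hypothetical): (event kind, pattern, detail template).
# A raw message that matches one of these is promoted to an event; everything else is
# retained in the archive but generates no event.
EVENT_RULES = [
    ("auth_failure", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)"), "{user}@{src}"),
    ("root_command", re.compile(r"USER=root ; COMMAND=(?P<cmd>\S+)"), "{cmd}"),
]

BRUTE_FORCE_THRESHOLD = 3  # Event Manager alarm threshold (illustrative value)


@dataclass(frozen=True)
class Event:
    kind: str
    host: str
    detail: str


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def mediate(lines):
    """Log Manager stage: parse every line, promote rule matches to events."""
    events = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        for kind, rx, template in EVENT_RULES:
            m = rx.search(rec["msg"])
            if m:
                events.append(Event(kind, rec["host"], template.format(**m.groupdict())))
    return events


def seal_batch(events, key):
    """Serialise events and hash-chain them; reordering or dropping a record breaks the
    chain.  The chain head is HMAC'd with a key shared by both tiers so the receiver can
    re-verify the batch later (e.g. after it has been archived and restored)."""
    chain = b"\x00" * 32
    records = []
    for ev in events:
        rec = f"{ev.kind}|{ev.host}|{ev.detail}"
        chain = hashlib.sha256(chain + rec.encode()).digest()
        records.append(rec)
    return records, hmac.new(key, chain, hashlib.sha256).hexdigest()


def verify_batch(records, tag, key):
    chain = b"\x00" * 32
    for rec in records:
        chain = hashlib.sha256(chain + rec.encode()).digest()
    expected = hmac.new(key, chain, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def raise_alarms(records, tag, key):
    """Event Manager stage: reject a batch whose seal fails, else apply alarm rules."""
    if not verify_batch(records, tag, key):
        return ["integrity_failure: batch rejected"]
    alarms, failures = [], Counter()
    for rec in records:
        kind, host, detail = rec.split("|", 2)
        if kind == "auth_failure":
            failures[(host, detail.split("@", 1)[1])] += 1
        elif kind == "root_command":
            alarms.append(f"root_command on {host}: {detail}")
    for (host, src), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alarms.append(f"brute_force on {host} from {src}: {n} failures")
    return alarms


def run_pipeline(lines, key=b"demo-shared-key"):
    records, tag = seal_batch(mediate(lines), key)
    return raise_alarms(records, tag, key)


if __name__ == "__main__":
    for alarm in run_pipeline(SAMPLE_LOGS):
        print(alarm)
```

The split mirrors the review’s description: the collector tier does the cheap, per-line work and forwards only what a rule flags, while the central tier sees a much smaller stream and can afford cross-record logic such as counting failures per source. The seal is what lets the central tier trust a batch that arrived over a network or came back from tape; note that with a shared key either tier could forge a seal, so a deployment that needs non-repudiation between tiers would sign the chain head with a per-collector private key instead.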

The other pieces of LogRhythm are the graphical .NET-based console and the System Monitor agents. The console is used for deployment management and interactive access to LogRhythm’s stored data, and communicates with the Event and Log Managers via SQL Server protocols. The System Monitor agents communicate with the Log Manager via a proprietary application protocol that can be encrypted. The agents are typically installed on targeted systems, and a Log Manager system will usually also have a System Monitor installed. When enabled, System Monitors provide file integrity checks as well.

The LogRhythm software doesn’t just accept or collect logs from application, file and print servers; it also works with a variety of network security devices, such as Check Point firewalls, Cisco IDS (intrusion detection system) platforms and McAfee ePolicy Orchestrator, to provide a comprehensive view of what’s going on in a network and when.

LogRhythm can process operating system and application logs from numerous Linux and Unix systems, as well as Windows event logs. It also handles standard syslog records and data sent with the NetFlow protocol. LogRhythm provides alarm or event notification to IT personnel via SMTP or SNMP, and includes a small truckload’s worth of prepackaged reports intended to address the requirements of a variety of regulatory and compliance regimes, including HIPAA (Health Insurance Portability and Accountability Act), PCI DSS and the Sarbanes-Oxley Act.


P J Connolly eWEEK USA 2012. Ziff Davis Enterprise Inc. All Rights Reserved
