LogRhythm LR-500-XM Review London
The comprehensive log monitoring and reporting tools offered by LogRhythm will make it much easier for businesses to tighten security and prove regulatory compliance. The appliance is very easy to deploy and scores highly for value as the price includes all the key standards compliancy report packages.
There are plenty of standards designed to protect personal and sensitive data, and businesses that don't take regulatory compliance seriously are finding this can be a costly mistake. Log data management and analysis are important parts of the process, and LogRhythm combines these functions into an appliance-based solution and augments them with detailed log and event analysis.
LogRhythm is deployed as an appliance running Windows Server 2003 R2, and it is offered on a number of hardware platforms. On review we have the entry-level LR-500-XM, which is delivered as a good quality Dell PowerEdge 1950 1U rack server. The price shown includes support for 100 log sources, but this can be upgraded as required.
We deployed our appliance as an all-in-one solution running the Log Manager and Event Manager components, but you can distribute functions such as log gathering across multiple servers running LogRhythm agents. LogRhythm offers Log Manager agents for Windows, Unix and Solaris hosts, and these don't need to be dedicated to this task.
LogRhythm accepts log data from a wide range of sources, including syslog, syslog-ng, Windows drive mappings and Event Logs, ODBC connectors for database logs, flat files such as ASCII text, Cisco NetFlow and Check Point OPSEC/LEA collections.
The software is managed locally or remotely with a dedicated console, which we found easy to get to grips with. The console can be installed on any remote system and supports all versions of Windows. Deployment is simple enough: you tell your source devices where to send their log data and LogRhythm collects the traffic automatically.
Devices such as Windows servers can be identified automatically from their traffic, so the appliance can add information such as the OS and version, hostname, associated IP address and Windows Event Logs. Other devices, such as security appliances and routers that send syslog data, need their device type specified manually. LogRhythm does this as part of its customer deployment service, so no user intervention is required.
Logs stored on the appliance are digitally signed on receipt, so it can be proved they have not subsequently been tampered with, and archives are also digitally signed to ensure their integrity. Archive locations can be any type of storage, such as DAS, NAS, IP SAN or FC SAN.
The console opens with the My Personal Dashboard tab, which provides graphical views of virtually any type of log-related activity and potential security breach. Events are grouped by function, such as operational, security and audit, and you can decide how device log data events are to be classified.
You can select events and drill down for more information. Select a spike on a graph and the Log/Event Analyser will show you only those related events. The Log Viewer displays raw data and selecting a single event shows more detailed information including metadata.
Forensics tools are accessed from the Investigate screen, where query creation is helped along by wizard-based routines. You can choose a log source and time period, pick from a list of event types, add filters to fine-tune the results and schedule queries to run at regular intervals. The LogRhythm Tail feature can be configured to monitor multiple log streams, enabling you to run forensic investigations in real time.
Reporting is very good, as the LogRhythm Report Center offers a wide range of predefined reports, which can be customised to suit. A key feature is that LogRhythm includes all report packages for PCI DSS, HIPAA, SOX, FISMA and GLBA as standard; LogLogic, for example, treats them as options and charges accordingly.
The latest LogRhythm 4.1 software offers a number of new features, the first being Second Look. When data is collected it is parsed, and metadata for the various fields is kept on the appliance. This means the original log data can be archived quickly so that space on the appliance is put to best use.
Second Look enables archived logs to be imported back into the appliance and additional rules run against them to update their metadata. It's also worth noting that when archived data is restored it goes into a separate database on the appliance and is checksummed to make sure it hasn't been tampered with.
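The sign-on-receipt and archive-integrity behaviour described above (logs signed as they arrive, archives signed, and restored data checksummed before it is accepted) as a small Python model. This is an added example, not LogRhythm's code; the review does not say which algorithm or key handling the appliance uses, so HMAC-SHA256 with a shared key and a per-record hash chain are assumptions.

```python
import hashlib
import hmac
import json

# Constructed key for this example; the real appliance's signing scheme and
# key handling are not described in the review, so HMAC-SHA256 is assumed.
SIGNING_KEY = b"example-appliance-signing-key"
GENESIS = "0" * 64


def record_mac(seq, prev_mac, raw):
    """MAC over the sequence number, the previous MAC and the raw line,
    so editing, reordering or inserting a record breaks the chain."""
    msg = f"{seq}|{prev_mac}|{raw}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_on_receipt(raw_lines):
    """Sign each log line as it arrives, returning the chained records."""
    signed, prev = [], GENESIS
    for seq, raw in enumerate(raw_lines):
        mac = record_mac(seq, prev, raw)
        signed.append({"seq": seq, "raw": raw, "prev": prev, "mac": mac})
        prev = mac
    return signed


def archive(signed):
    """Serialise the records and sign the whole archive as one unit so the
    file written to DAS/NAS/SAN storage can be checked on restore."""
    body = json.dumps(signed, sort_keys=True)
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "archive_mac": tag}


def verify_restore(archived):
    """Check the archive tag, then every record MAC in order, before the
    data is accepted. Returns (True, None) if clean, (False, -1) if the
    archive as a whole fails, or (False, seq) for the first bad record."""
    tag = hmac.new(SIGNING_KEY, archived["body"].encode(),
                   hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, archived["archive_mac"]):
        return False, -1
    prev = GENESIS
    for seq, rec in enumerate(json.loads(archived["body"])):
        expected = record_mac(seq, prev, rec["raw"])
        if (rec["seq"] != seq or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["mac"])):
            return False, seq
        prev = expected
    return True, None
```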
LogRhythm's host-based contextualization enables you to follow a set of seemingly unrelated events that together could be considered a security breach. For example, this function could be used to monitor a specific user authentication followed by a transfer of a file over a certain size to an external IP address outside normal business hours.
Access controls to log data are extensive: administrators have full access, whilst analyst accounts enable these users to see log data and reports but not to administer the appliance. Roles restrict access further, as they contain specific devices, groups of devices and log data sources. A good example would be restricting analysts to viewing the Windows security event log on specified systems but not their application log.
For storage management, you have full control over how all log and event information is stored. You can decide at the device, event and rule level whether data should be archived, how long it should be kept on the appliance, when it can be discarded or whether it should be kept at all. This flexibility over how log data is retained enables local storage to be managed more efficiently, removing the need to upgrade to higher capacity and higher cost hardware platforms.
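The chain the review describes (a user authentication, then a large transfer to an external address outside business hours) written as a correlation rule in Python. This is an added example, not LogRhythm's rule engine; the parsed event fields, the 30-minute window, the size threshold, the business hours and the internal address ranges are all assumptions.

```python
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed, already-parsed events (not captured from a real device).
# 203.0.113.0/24 is a documentation range standing in for an external host.
EVENTS = [
    {"ts": "2008-03-12T22:41:10", "type": "auth", "host": "fs01", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2008-03-12T22:52:30", "type": "xfer", "host": "fs01", "user": "alice", "dst": "203.0.113.7", "bytes": 740_000_000},
    {"ts": "2008-03-12T22:55:00", "type": "xfer", "host": "fs01", "user": "alice", "dst": "10.0.0.20", "bytes": 900_000_000},
    {"ts": "2008-03-13T10:15:00", "type": "auth", "host": "fs01", "user": "bob", "src": "10.0.0.8"},
    {"ts": "2008-03-13T10:20:00", "type": "xfer", "host": "fs01", "user": "bob", "dst": "203.0.113.7", "bytes": 900_000_000},
]

# Rule parameters (assumed values, not LogRhythm defaults).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
LOGIN_WINDOW = timedelta(minutes=30)
SIZE_THRESHOLD = 500_000_000  # bytes


def is_external(addr):
    """External means not inside any of the organisation's own ranges."""
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)


def outside_business_hours(ts):
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def correlate(events, watched_user):
    """Return (auth, xfer) pairs where watched_user logged in to a host and,
    within LOGIN_WINDOW on that same host, sent more than SIZE_THRESHOLD
    bytes to an external address outside business hours."""
    last_login = {}  # host -> (login time, auth event) for the watched user
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort as text
        if e["user"] != watched_user:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "auth":
            last_login[e["host"]] = (ts, e)
        elif e["type"] == "xfer" and e["host"] in last_login:
            login_ts, auth = last_login[e["host"]]
            if (ts - login_ts <= LOGIN_WINDOW and e["bytes"] > SIZE_THRESHOLD
                    and is_external(e["dst"]) and outside_business_hours(ts)):
                hits.append((auth, e))
    return hits
```

Only alice's 22:52 transfer matches: her 22:55 transfer stays internal and bob's transfer happens inside business hours, so neither is reported.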
Author: Dave Mitchell
