Review: Appliances boost log management

LogLogic 4 allows real-time analysis of data logs to aid compliance and risk mitigation

Written by Dave Bailey


LogLogic’s turnkey appliance-based system for the capture and processing of log data should appeal to any enterprise that is required to demonstrate compliance with corporate governance regulations such as Sarbanes-Oxley and the Payment Card Industry (PCI) Data Security Standard.

The LogLogic appliances we reviewed were from the high end of the firm’s two product families. The LX Series 2010 appliance performed real-time log collection and analysis functions, while the ST Series 3010 system that we daisy-chained to the LX2010 automated the archiving of the logs, applying certificated timestamps to protect them against tampering.

After we attached the two appliances to the IT Week Labs network, we found that both the LX2010 and ST3010 were loaded with eight Seagate Barracuda serial ATA (Sata) hard disks and two power supply modules. The appliances were ready to run after disk synchronisation, which took between 10 and 15 minutes.

Both appliances are 2U high and use AMD 2.4GHz dual-core Opteron processors. Due to its role as the archival and log forensics appliance, the ST3010 has 2GB of memory and 4TB of storage, twice that of the log-collecting LX2010 appliance. The LX2010’s 2TB of disk storage is set up as Raid 1+0, while the 4TB used by the ST3010 is configured as Raid 5+1, which maximises both fault-tolerance and availability.

We managed the initial setup through a standard serial console. After we had got the LX2010 to autodiscover our IT assets and set up both appliances to access an NTP server, we were able to continue managing the appliance using either a web browser from our Windows Server 2003 system, or a free Telnet/SSH client such as PuTTY.

To make our test as realistic as possible, we set up a script to populate the appliances with significantly more log data than would normally be generated by the IT Week Labs network infrastructure.

Interface

The LX2010’s web interface is divided into two sections. The upper section holds the dashboards, real-time log data views and alerts, together with all the reporting options, while the lower section holds the administration and maintenance features.

The top half of the interface has eight tabs down the side, which drill down into numerous sub-tabs. The main tabs are: Dashboards, Real-Time Viewer, Search, Alerts, Custom Reports, Real-Time Reports, Summary Reports and Preferences.

Clicking on the Management Station dashboard brings up a graph of the number of log messages processed by the LX2010 over time, and also the number of messages processed per second, which could allow IT managers to see any abnormal log activity. Any outstanding alerts and a table of messages skipped, unapproved, truncated or dropped can also be seen.

The System Status dashboard gives a graph of CPU and disk usage, while the Log Source Status dashboard can be used to check what systems have been found and are currently generating log data to be processed by the appliance. We could see, for example, Microsoft Exchange and Microsoft Internet Security for Acceleration servers, Juniper firewalls and Cisco VPN 3000 concentrators.

The LogLogic appliances were also there, and administrators accessing the appliances to create reports or schedule alerts also have all their activity and interactions with the appliances logged.

The Real-Time Viewer lets users see log data as it is actually processed by the appliances. Users can also choose to customise the Viewer to show specific logs. For instance, we could define what type of device we wanted to see logs from, such as Cisco Pix firewalls. Or we could choose to look for a pre-defined log message, such as “Microsoft DNS: Critical Errors”. We could choose an exact phrase occurring in a log message or use Boolean logic to pull out specific log messages.

LogLogic’s Search tab can be used to automatically produce a report on network connection attempts over any user-defined timescale. We produced a report detailing connection attempts through a Juniper NetScreen firewall and exported it as a comma-separated value (CSV) list. Advanced options also allow users to define what type of data, such as source IP address, destination IP address and port number, appears on the list. Boolean logic can also be applied to further enhance the search, and the search configuration can be saved as a custom report.

The alerting features can be configured to flag up a wide variety of potential problems. For example, admins can set up the system to send out alerts when server disk usage is over 80 per cent, or when changes have been made to switch configurations, or even when users are writing data to CDs.
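The Real-Time Viewer filters, the Search report on connection attempts and the threshold alerts described above all come down to the same few operations: parse each log line, filter by device type or phrase (with Boolean combination), pull out fields such as source address, destination address and port, export the result as CSV, and raise an alert when a value crosses a threshold. The script below is an added illustration of that workflow written in plain Python; it is not LogLogic code and makes no use of the appliance’s API. The log lines, the syslog-like line layout and the `key=value` message format are constructed for the example and do not reproduce any real NetScreen, Microsoft DNS or monitoring agent output.

```python
"""Illustrative log search, CSV export and threshold alerting.

Added example, not LogLogic's code: it mimics in plain Python the kind of
filter/search/alert workflow a log management appliance offers. The sample
lines and their format are constructed; the 80 per cent disk threshold is
the one quoted in the review.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample lines: "<time> <host> <device-type>: <message>".
# Device types echo the review (netscreen, msdns) but the formats are invented.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 fw1 netscreen: src=10.0.0.5 dst=192.0.2.10 dst_port=443 action=permit",
    "2024-01-01T10:00:02 fw1 netscreen: src=10.0.0.9 dst=192.0.2.22 dst_port=22 action=deny",
    "2024-01-01T10:00:03 dns1 msdns: Critical Errors: zone transfer failed",
    "2024-01-01T10:00:04 fw1 netscreen: src=198.51.100.7 dst=192.0.2.10 dst_port=3389 action=deny",
    "2024-01-01T10:00:05 srv1 monitor: disk_usage=85 volume=/var/log",
    "2024-01-01T10:00:06 srv2 monitor: disk_usage=40 volume=/data",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    time: str
    host: str
    source: str   # device type, used for the "show logs from Cisco Pix" style filter
    msg: str


def parse(line):
    """Split one constructed log line into an Event; None if it does not fit."""
    m = LINE_RE.match(line)
    return Event(*m.groups()) if m else None


def fields(event):
    """Extract key=value pairs from the message body (constructed format)."""
    return dict(KV_RE.findall(event.msg))


def matches(event, source=None, any_phrases=(), all_phrases=()):
    """Boolean filter: optional device type AND (any of any_phrases) AND (all of all_phrases)."""
    if source and event.source != source:
        return False
    if any_phrases and not any(p in event.msg for p in any_phrases):
        return False
    return all(p in event.msg for p in all_phrases)


def connection_report(lines, source="netscreen"):
    """Rows of connection attempts seen by one firewall type, as a search report would list them."""
    rows = []
    for line in lines:
        ev = parse(line)
        if ev is None or not matches(ev, source=source):
            continue
        f = fields(ev)
        rows.append({"time": ev.time, "src": f.get("src"), "dst": f.get("dst"),
                     "dst_port": f.get("dst_port"), "action": f.get("action")})
    return rows


def to_csv(rows):
    """Export report rows as CSV text (the review's comma-separated export)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["time", "src", "dst", "dst_port", "action"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def disk_alerts(lines, threshold=80):
    """Alert text for every monitor line whose disk_usage exceeds the threshold."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev.source != "monitor":
            continue
        f = fields(ev)
        try:
            usage = int(f["disk_usage"])
        except (KeyError, ValueError):
            continue   # malformed or unrelated monitor line: skip rather than crash
        if usage > threshold:
            alerts.append(f"{ev.host}: {f.get('volume')} at {usage}%")
    return alerts


if __name__ == "__main__":
    print(to_csv(connection_report(SAMPLE_LOGS)))
    for a in disk_alerts(SAMPLE_LOGS):
        print("ALERT", a)
```

The same `matches` function serves both the "device type" and "exact phrase" filters: `matches(ev, any_phrases=("Critical Errors",))` picks out the constructed Microsoft DNS line, and `matches(ev, source="netscreen", all_phrases=("action=deny",))` narrows a firewall view to denied connections.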

Reporting options

The reporting options are also comprehensive, and there are many report templates available. Users can also define their own custom reports and schedule these to run at hourly, daily, weekly or monthly intervals. The resulting report can then be emailed as a CSV, HTML or PDF file.

In conclusion, LogLogic’s system has a wealth of features that should allow enterprises to get on top of any regulatory compliance obligations they need to meet. It was easy to use the pre-defined report templates and also to create customised reports. It was also easy to define specific alerts to notify security or general IT personnel about critical conditions in enterprise network and IT infrastructure.

On top of the cost of the appliances, enterprises face separate charges for LogLogic’s pre-defined compliance monitoring and reporting packages. These cover a range of governance topics, including Sarbanes-Oxley, Itil and the PCI data security standard, and cost £7,500 + VAT each.

LogLogic offers a range of support services, including 24x7 cover and user training.

Product overview

  • Price: £80,000 (for ST 3010 plus LX 2010 appliances)
  • Manufacturer: LogLogic
  • Specifications:


Ratings

  • Overall rating: 5
  • Features: n/a
  • Performance rating: n/a
  • Value for money: n/a
  • Average user rating:

Verdict

LogLogic's appliance-based system can be used to collect, alert on, store and report on system logs taken from enterprise network and IT infrastructure. It can be up and running in 15 minutes and although the system appears complex to manage, the workflow is well thought out and logical.

Pros: Easy to set up; comprehensive feature set.

Cons: Expensive; compliance reporting packages extra.
