LogLogic LX2010 4.0

Integration is key with log aggregation, and this product's ability to extract data via Web services opens up intriguing possibilities.

July 3, 2007


A variety of regulations require companies to squirrel away computer event logs, just in case. But once you overcome the challenges inherent in storing and managing all that log data (perhaps by using log aggregation and storage products from companies like ArcSight, LogLogic, and netForensics), what then? We say, if you're going to collect and store all that data, you might as well put it to good use -- any cache as massive as a central log collection cries out for data mining and reporting. Who knows what tasty network operations or security event management tidbits you could recover.

To that end, many log management vendors are building simple search and reporting tools into their products, allowing IT to search events without having to deploy a full-blown SIM (security information management) suite. In version 4.0 of its eponymous product, LogLogic adds event index searching and reporting, a Web services API for integration with external applications, and predefined report templates aimed at reporting requirements for PCI and COBIT.

We installed the LogLogic LX2010 appliance in our Syracuse University Real-World Labs and pointed the logs from our internal servers and infrastructure devices at it. We collected upwards of 60 million log entries, most of them raw syslog events, and proceeded to check out the new features.

Word Search

Index searching, brought to the masses courtesy of the Splunk log analyzer, enables IT to search raw syslog data without having to write custom parsers. The LogLogic appliance processes incoming syslog messages by building a keyword index of the message text. The index can be searched directly and used as the basis for custom reports. For example, we typed in the Boolean expression ive AND "Failed Login" to find failed logins on our SSL VPN gateway. Building custom reports on keyword searches is also easier than writing parsing rules, which matters because LogLogic ships only a limited number of log parsers, covering common network infrastructure devices, servers, and security appliances.

Digging through the index is not as simple as it is with Splunk, which auto-fills the next search terms based on the most-used index and sorts results in multiple ways to aid in interactively narrowing searches. In LogLogic, you'll need to know the string or keywords you want to search for, then build the Boolean expression.
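The mechanism the two paragraphs above describe, a keyword index over raw syslog text queried with Boolean expressions such as ive AND "Failed Login", is shown below as an added example. It is not LogLogic code; it is a small positional inverted index with a recursive-descent query evaluator (AND, OR, NOT, parentheses, quoted phrases), and it treats a "custom report" as nothing more than a saved query whose hits are grouped by syslog hostname. The log lines are constructed for the example, with the hostname ive standing in for the SSL VPN gateway from the review.

```python
"""Keyword (inverted) index over raw syslog plus a Boolean query evaluator.

Added example, not LogLogic's code. Models index search as the review describes
it: no per-device parser, just tokens of the message text, queried with
expressions such as    ive AND "Failed Login"
"""
import re
from collections import defaultdict

# Constructed sample events (BSD-style syslog, hostname is the 4th token).
SAMPLE_LOGS = [
    'Jul  3 10:01:02 ive juniper: Login failed for user alice from 10.1.2.3',
    'Jul  3 10:01:09 ive juniper: Failed Login for user bob from 10.1.2.4',
    'Jul  3 10:02:15 ive juniper: Login succeeded for user carol from 10.1.2.5',
    'Jul  3 10:03:40 fw1 kernel: Failed Login attempt on console',
    'Jul  3 10:04:01 ive juniper: Failed Login for user bob from 10.1.2.4',
    'Jul  3 10:05:22 dc1 w3svc: GET /index.html 200',
]

TOKEN_RE = re.compile(r"[A-Za-z0-9_.:/-]+")          # message tokens
QUERY_TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')  # query tokens


def tokenize(text):
    """Lower-cased keyword tokens; no parsing of fields, only indexing of words."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


class KeywordIndex:
    def __init__(self, lines):
        self.lines = list(lines)
        # token -> doc id -> [positions]; positions make phrase queries possible
        self.postings = defaultdict(lambda: defaultdict(list))
        for doc_id, line in enumerate(self.lines):
            for pos, tok in enumerate(tokenize(line)):
                self.postings[tok][doc_id].append(pos)

    def all_docs(self):
        return set(range(len(self.lines)))

    def term(self, word):
        return set(self.postings.get(word.lower(), {}))

    def phrase(self, text):
        """Docs where the words occur at consecutive positions ("Failed Login"
        matches 'Failed Login for user' but not 'Login failed for user')."""
        words = tokenize(text)
        if not words:
            return set()
        hits = set()
        for doc in self.term(words[0]):
            for start in self.postings[words[0]][doc]:
                if all(start + i in self.postings[w].get(doc, [])
                       for i, w in enumerate(words[1:], 1)):
                    hits.add(doc)
                    break
        return hits

    def search(self, query):
        return sorted(_Parser(query, self).parse())


class _Parser:
    """expr := term (OR term)* ; term := factor ((AND)? factor)* ;
    factor := NOT factor | '(' expr ')' | "phrase" | word. Evaluates to doc ids."""
    def __init__(self, query, index):
        self.toks = QUERY_TOKEN_RE.findall(query)
        self.i = 0
        self.index = index

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def advance(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        result = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return result

    def expr(self):
        result = self.term()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.advance()
            result |= self.term()
        return result

    def term(self):
        result = self.factor()
        while self.peek() is not None and self.peek().upper() not in ("OR", ")"):
            if self.peek().upper() == "AND":
                self.advance()
            result &= self.factor()       # adjacent factors imply AND
        return result

    def factor(self):
        tok = self.advance()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok.upper() == "NOT":
            return self.index.all_docs() - self.factor()
        if tok == "(":
            result = self.expr()
            if self.advance() != ")":
                raise ValueError("missing )")
            return result
        if tok.startswith('"'):
            return self.index.phrase(tok.strip('"'))
        return self.index.term(tok)


def report_by_host(index, query):
    """A 'custom report' built on a keyword search: run the saved query and
    count hits per syslog hostname (4th token of a BSD-style line)."""
    counts = defaultdict(int)
    for doc in index.search(query):
        counts[tokenize(index.lines[doc])[3]] += 1
    return dict(counts)


if __name__ == "__main__":
    idx = KeywordIndex(SAMPLE_LOGS)
    for doc in idx.search('ive AND "Failed Login"'):
        print(SAMPLE_LOGS[doc])
    print(report_by_host(idx, '"Failed Login"'))
```

The phrase check is what separates a real failure message from one that merely contains the same words in a different order, which is the usual false positive when a report is built from keywords rather than a parser; the hostname grouping shows how little structure a report needs once the query itself does the filtering.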

Report packages available with 4.0 use parsed and raw log data for audit reporting to satisfy specific compliance reporting requirements, including PCI and COBIT/SOX. We reviewed a number of the reports' search criteria, and LogLogic has done a good job tailoring queries to the most common requirements. To get complete reporting coverage, expect to add new reports and spend time customizing queries to match your raw logs. If you have Microsoft Active Directory or Check Point, Cisco, or Juniper firewalls, or other devices for which LogLogic has created log parsers, chances are they're in a canned report. Otherwise, you will have to build your own. For example, none of the canned reports found logins for our Juniper Secure Access SSL VPN Gateway, so we had to get creative.

At the very least, you will have to audit each report template to ensure that it presents the information required for your specific organization. Building reports isn't that hard if you know what information needs to be reported on and how it's represented in LogLogic. The difficulty is finding the appropriate search strings. It may be time well spent, however. LogLogic charges $14,999 per individual compliance and control suite, so report sets for PCI, HIPAA, and SOX would total $44,997 list. Sure, larger companies may get volume discounts, but this is still a pricey feature. A better strategy might be to expend the effort to create one report set that satisfies all of your regulatory requirements rather than managing multiples.

Webify Me

Also new to 4.0 is a Web services API that allows external applications to interact with the LogLogic appliance for tasks such as generating reports, creating and using search criteria, and performing basic device management. One nit: For network devices, application interaction is too often limited to sending an e-mail, SNMP trap, or syslog message to a destination. That's not really integration.

In contrast, LogLogic's Web services API looks fairly robust. While we didn't implement a Web services request, we could have, for example, tied into a help desk so that when a new ticket is opened, a search request with the relevant search parameters would grab event logs automatically. In addition, APIs can be set up to create, view, and update alerts, and we could build a portal to summarize data for users. The report-and-search-service API has a full set of interfaces for generating reports.

Mike Fratto is a senior technology editor based in NWC's Syracuse University Real-World Labs. Write to him at [email protected].
