LogRhythm 4.0
Businesses that handle sensitive data (for which read all of them) have plenty of best-practice guidelines to keep them on the right side of the law, but a critical factor is proving to auditors that they have achieved regulatory compliance. Managing and analysing log data from the key network devices plays an increasingly important role in this process, and LogRhythm combines log management and analysis with event management in a single solution.

The product is offered primarily as an appliance, and our review unit was supplied as a 1U Dell PowerEdge rack server. However, as LogRhythm runs on Windows Server 2003 R2, it can just as easily be installed as a software-only solution on a platform of your choice, and prices for this start at £12,500. We deployed our appliance as an all-in-one solution, but if you wish you can distribute functions such as log gathering across multiple servers running LogRhythm agents.

LogRhythm accepts log data from a wide range of sources and supports syslog, syslog-ng, SNMP, FTP, SFTP, SCP and Windows drive mapping, plus JDBC connectors for database logs; a new and welcome feature in this latest version is support for Check Point's OPSEC logging. Deployment is made easier still, as all you need to do is tell your source devices where to send their log data and LogRhythm will identify them automatically from their traffic. Logs stored on the appliance are digitally signed on receipt, so it can be proved they haven't been tampered with since they arrived (anything altered at the source before it was forwarded is, naturally, outside that guarantee), and archives are digitally signed as well to ensure their integrity.

Rather than a web browser, the software is managed locally or remotely with a dedicated console, which we found easy enough to get to grips with. The 'My Personal Dashboard' tab offers a running commentary on all log-related activity and provides customisable graphical views of just about any type of log-related activity and potential security breach you care to mention.
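The tamper-evidence the review describes (each log signed on receipt, archives signed as well) is easy to show in a few lines. The code below is an added example written for this page, not LogRhythm's own code or record format. It assumes an HMAC-SHA256 under a key held only by the collector, standing in for the product's digital signature (the real scheme is not described in the review), and it chains each record to its predecessor, which goes beyond what the review states, so that deleting or reordering records is caught as well as editing them. The key, the record layout and the sample syslog lines are all constructed for the demo.

```python
"""Tamper-evident log store: sign on receipt, verify later.

Added example, not LogRhythm code. Assumptions: the collector keeps a secret
key (COLLECTOR_KEY) that log sources and analysts never see, and an
HMAC-SHA256 under that key stands in for the product's digital signature.
Chaining each record to the previous one is an addition of this example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional

COLLECTOR_KEY = b"example-collector-key-do-not-reuse"  # assumed, demo only
GENESIS = "0" * 64  # prev_mac of the very first record


def _mac(key: bytes, seq: int, received_at: str, line: str, prev_mac: str) -> str:
    # Canonical JSON, so a crafted log line cannot shift the field boundaries.
    msg = json.dumps([seq, received_at, line, prev_mac], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SignedLogStore:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[dict] = []

    def ingest(self, line: str, received_at: Optional[str] = None) -> dict:
        """Sign a raw log line at the moment it arrives and append it to the chain."""
        seq = len(self.records)
        ts = received_at or datetime.now(timezone.utc).isoformat()
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"seq": seq, "received_at": ts, "line": line, "prev_mac": prev,
               "mac": _mac(self._key, seq, ts, line, prev)}
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Walk the chain; return the position of the first bad record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            expected = _mac(self._key, i, rec["received_at"], rec["line"], prev)
            if (rec["seq"] != i or rec["prev_mac"] != prev
                    or not hmac.compare_digest(expected, rec["mac"])):
                return i
            prev = rec["mac"]
        return None

    def archive_tag(self) -> str:
        """One tag over the whole archive; unlike the chain it also covers a truncated tail."""
        body = json.dumps(self.records, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()


# Constructed sample syslog lines for the demo, not captured traffic.
SAMPLE_LINES = [
    "<86>Mar 12 10:01:02 fw01 sshd[4021]: Failed password for root from 203.0.113.5 port 5022 ssh2",
    "<86>Mar 12 10:01:05 fw01 sshd[4021]: Accepted password for admin from 198.51.100.7 port 5050 ssh2",
    "<86>Mar 12 10:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
]


def _populated_store() -> SignedLogStore:
    store = SignedLogStore(COLLECTOR_KEY)
    for n, line in enumerate(SAMPLE_LINES):
        store.ingest(line, received_at=f"2008-03-12T10:0{n}:00+00:00")
    return store


def demo_edit() -> dict:
    """Rewrite one stored line after receipt; the chain reports the record."""
    store = _populated_store()
    intact = store.verify()            # None: every MAC checks out
    tag_before = store.archive_tag()
    # Someone with write access to the store turns the successful login into a failure.
    store.records[1]["line"] = store.records[1]["line"].replace("Accepted", "Failed")
    return {"intact": intact, "edited_seq": store.verify(),
            "archive_changed": store.archive_tag() != tag_before}


def demo_delete() -> Optional[int]:
    """Delete a record from the middle; the sequence gap breaks the chain there."""
    store = _populated_store()
    del store.records[1]
    return store.verify()


if __name__ == "__main__":
    print(demo_edit())      # {'intact': None, 'edited_seq': 1, 'archive_changed': True}
    print(demo_delete())    # 1
```

Editing a stored line changes its MAC and verify() stops at that record; removing a record from the middle breaks the sequence numbering. Chopping records off the end is the one case the chain alone does not catch, which is why a tag over the whole archive, kept somewhere the log-store administrator cannot rewrite, is worth holding as well. None of this says anything about a line that was falsified at the source before it was forwarded.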
Each event can be drilled down into: select a spike on a graph, for example, and the Log/Event Analyser shows you just the related events. The Log Viewer displays the raw data, and selecting a single event shows more detailed information including its metadata. The Investigate function provides a solid range of forensic tools, and new queries can be created quite easily using a wizard: choose a log source and time period, pick from a list of event types, add filters to fine-tune the results and schedule the query to run at regular intervals. The LogRhythm Tail feature will prove very useful, as it can be configured to monitor selected log streams in real time.

Alarm Rules let you keep an eye out for specific events, such as multiple authentication failures, and issue notifications when a rule is triggered. These can be sent as SNMP traps, by SMTP, as local console alerts and as trouble tickets for the Remedy help desk system; the company also offers a facility for creating custom notifications.

The Report Center includes a wide range of predefined reports, all of which can be customised to suit specific requirements, and it's here that we found the jewel in LogRhythm's crown: the standard product includes report packages for PCI DSS, HIPAA, SOX, FISMA and GLBA. Each package runs all the relevant reports for its standard and produces them in a format acceptable to qualified auditors, and the results can be exported to PDF, Excel, Word and Crystal Reports.

LogRhythm makes light work of log data management and analysis. It's very easy to deploy, offers an impressive range of features, and the compliance report packages included as standard really do make it look like excellent value. NC

Product: LogRhythm 4.0
Supplier: Digital Pathways Ltd
Tel: 0870 321 4002
Web site: www.digpath.co.uk
Price: As reviewed with 100 log sources, £16,100 excluding VAT
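The 'multiple authentication failures' alarm rule mentioned above is the classic threshold rule over a sliding time window, and the way it is written decides whether a brute-force run produces one useful ticket or hundreds. The following is an added example written for this page, not LogRhythm's rule syntax or engine. It assumes OpenSSH-style 'Failed password' syslog lines, a threshold of five failures from one source address within 60 seconds, a fixed year (traditional syslog timestamps carry none), and suppression of repeat alarms for the same source for one window. The sample log is constructed.

```python
"""Threshold alarm rule for repeated authentication failures.

Added example, not LogRhythm code. Assumptions: OpenSSH-style "Failed password"
syslog lines, 5 failures from one source within 60 s, a fixed year, and one
alarm per source per window so a long burst does not flood the help desk.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

FAILED_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


class AuthFailureRule:
    def __init__(self, threshold: int = 5, window_seconds: int = 60, year: int = 2008) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.year = year  # assumed: syslog lines carry no year
        self._failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self._last_alert: Dict[str, datetime] = {}

    def feed(self, line: str) -> Optional[dict]:
        """Consume one log line as it arrives; return an alarm when the rule fires."""
        m = FAILED_RE.match(line)
        if not m:
            return None  # not a failed login; nothing to count
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        window = self._failures[src]
        window.append((ts, m["user"]))
        # Slide the window: drop failures older than window_seconds.
        while window and (ts - window[0][0]).total_seconds() > self.window:
            window.popleft()
        if len(window) < self.threshold:
            return None
        last = self._last_alert.get(src)
        if last is not None and (ts - last).total_seconds() <= self.window:
            return None  # already alarmed for this burst; do not re-fire on every line
        self._last_alert[src] = ts
        return {
            "rule": "multiple_auth_failures",
            "host": m["host"],
            "src": src,
            "count": len(window),
            "users": sorted({u for _, u in window}),
            "first": window[0][0].isoformat(),
            "last": ts.isoformat(),
        }


# Constructed sample log, not captured traffic: five failures from 203.0.113.5 in
# 31 seconds, one unrelated failure and a success, then a lone failure minutes later.
SAMPLE_LOG = """\
Mar 12 10:01:02 fw01 sshd[4021]: Failed password for root from 203.0.113.5 port 5022 ssh2
Mar 12 10:01:09 fw01 sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 5024 ssh2
Mar 12 10:01:15 fw01 sshd[4025]: Failed password for root from 203.0.113.5 port 5026 ssh2
Mar 12 10:01:20 fw01 sshd[4027]: Failed password for jsmith from 198.51.100.7 port 5050 ssh2
Mar 12 10:01:22 fw01 sshd[4029]: Accepted password for jsmith from 198.51.100.7 port 5052 ssh2
Mar 12 10:01:28 fw01 sshd[4031]: Failed password for root from 203.0.113.5 port 5028 ssh2
Mar 12 10:01:33 fw01 sshd[4033]: Failed password for invalid user oracle from 203.0.113.5 port 5030 ssh2
Mar 12 10:01:40 fw01 sshd[4035]: Failed password for root from 203.0.113.5 port 5032 ssh2
Mar 12 10:05:00 fw01 sshd[4040]: Failed password for root from 203.0.113.5 port 5100 ssh2
"""


def run_rule(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Stream every line through the rule, the way a tail on a live source would."""
    rule = AuthFailureRule(threshold, window_seconds)
    alarms = [rule.feed(line) for line in log_text.splitlines()]
    return [a for a in alarms if a is not None]


if __name__ == "__main__":
    for alarm in run_rule(SAMPLE_LOG):
        print(alarm)
```

On the sample, the rule fires once, on the fifth failure from 203.0.113.5 at 10:01:33, naming the three usernames tried; the sixth failure seven seconds later is suppressed, and the lone attempt at 10:05:00 finds the window empty again and stays quiet. The one failure from 198.51.100.7 followed by a success never reaches the threshold. The returned dictionary is the payload you would hand to whichever notification channel the product offers, whether SNMP trap, e-mail or a help desk ticket.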