Log management review: LogRhythm LR2000-XM
Another solution that combines log management and event management functionality, LogRhythm's XM appliance is long on features and flexibility. It combines a wealth of data views, easy pivot tables, viewing and filtering of real-time data, and the ability to enhance both discovery and analysis with strong Active Directory integration.
LogRhythm sent its 2U-high LR2000-XM (version 5.0) appliance with two quad-core Intel Xeon 2.53GHz processors, 24GB of RAM, four internal NICs, and an eight-drive RAID array with 2TB of storage (the maximum is 8TB). The LR2000 differs from its competitor appliances in that it runs 64-bit Microsoft Windows Server 2003 R2 SP2 instead of a Linux or Unix distribution. In place of a Web interface, you manage the appliance by connecting to it locally or over RDP and starting the LogRhythm console program.
The install is slightly more cumbersome than the competition, requiring a Windows setup and activation, two licensing files, and some minor INI file editing. LogRhythm technical support can walk you through the whole process in 30 minutes.
LogRhythm XM: Log collection and management
The feature-rich console contains hundreds of options, although day-to-day operations will usually consist of clicking on various graphics and typing in keyword search queries. The menu options change depending on the user type, of which there are three: Global Admin, Global Analyst, and Restricted Analyst. A Global Admin enjoys full control over the system. A Global Analyst can manipulate data from any source, print all reports, and configure a narrower set of options. A Restricted Analyst can be limited to seeing and manipulating particular event sources. This is a nice feature that allows administrative duties to be carved up based on responsibilities and expertise.
The LogRhythm console, like the other appliances, shows operational stats and event log information. It stands out from the crowd in the amount of information it displays on a single screen and the ability to check on multiple other appliances from the same interface. Event sources can be added manually in a variety of ways or, in some cases, by using active scanning tools.
The Windows Host Wizard can discover all the Windows machines in a particular domain or organizational unit. The latter feature demonstrates the strength of LogRhythm's Active Directory integration. Windows machines must allow access to the Remote Registry service in order for the scanning wizard to work, a requirement that can pose a problem in environments with overly restrictive host-based firewalls. Syslog machines can simply be pointed to the appliance. One shortcoming in the version 5.0 software I tested, the inability to capture SNMP traps, has been addressed in version 5.1, which also includes 30 additional enhancements.
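Because the wizard's dependence on the Remote Registry service is the step most likely to fail behind a host-based firewall, a pre-flight check is worth running before pointing the appliance at an OU. The script below is an added example, not LogRhythm's code or part of the original review: it enumerates the computer objects under an Active Directory OU with a plain LDAP search (ADSI, so it runs on Windows Server 2003-era hosts without the ActiveDirectory module) and then tests whether each host's Remote Registry service answers, which is the same access path the discovery wizard needs. The OU distinguished name is a placeholder, and the script assumes it runs under an account with read rights to HKLM on the target machines.

```powershell
# Added example (not from the article or from LogRhythm): verify the
# Remote Registry prerequisite for an AD-based host discovery wizard.
param(
    # Placeholder OU; replace with the OU you intend to scan (assumption).
    [string]$SearchBase = "OU=Servers,DC=example,DC=local"
)

# Enumerate enabled computer objects beneath the OU the way a discovery
# wizard would, via an LDAP query. The userAccountControl clause excludes
# disabled accounts (bit 2 = ACCOUNTDISABLE).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBase)
$searcher.Filter = "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("dNSHostName")

$hosts = $searcher.FindAll() |
    ForEach-Object { $_.Properties["dnshostname"][0] } |
    Where-Object { $_ }

function Test-RemoteRegistry {
    param([string]$ComputerName)
    # OpenRemoteBaseKey talks to the Remote Registry service over RPC; a
    # stopped service or a blocking host firewall surfaces here as an error.
    try {
        $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $sub = $key.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion")
        $product = $sub.GetValue("ProductName")
        $sub.Close(); $key.Close()
        New-Object PSObject -Property @{
            Host = $ComputerName; RemoteRegistry = "OK"; Detail = $product
        }
    } catch {
        New-Object PSObject -Property @{
            Host = $ComputerName; RemoteRegistry = "FAIL"; Detail = $_.Exception.Message
        }
    }
}

# Hosts reported as FAIL are the ones the wizard will silently miss; fix the
# service state or firewall rule on those before running discovery.
$results = foreach ($h in $hosts) { Test-RemoteRegistry -ComputerName $h }
$results | Sort-Object RemoteRegistry, Host |
    Format-Table Host, RemoteRegistry, Detail -AutoSize
```

Run it from the collector host itself (or any machine in the same security context), since that is where the wizard's RPC calls will originate; a host that passes from an administrator's workstation but fails from the appliance usually points at a firewall rule scoped to source address.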
This article, "Log management review: LogRhythm LR2000-XM," was originally published at InfoWorld.com. Follow the latest developments in information management and security at InfoWorld.com.
Copyright © 2010 IDG Communications, Inc.