Log management review: NitroSecurity NitroView ESM and ELM

Unlike the other products in this review that combine log management and event management functionality, NitroSecurity wraps the two feature sets in two separate appliances. Because NitroSecurity's NitroView Enterprise Log Manager (ELM) data is viewable only through a linked NitroView Enterprise Security Manager (ESM), my review of its log management functionality required testing both appliances.

NitroSecurity sent me the 3U NitroView ESM 5000 (Model 5750), which combines an event receiver, log analysis, network analysis, SIEM functions, and console, and the 1U NitroView LogCaster 2000 (Model 2250) ELM, the log receiver appliance.

[ Which log management solutions have the right stuff? See "InfoWorld review: Meeting the network security and compliance challenge." ]

The orange-faced NitroSecurity appliances run Debian Linux on a 2.6-series kernel. Equipped with dual power supplies and multiple fans, the LogCaster was the loudest product in this review. Taking a phone call nearby was difficult, but the noise will not be a problem in most data centers.

The initial install was fairly easy and didn't require a locally attached keyboard or mouse. You enter the (required) static IP address information through the external LCD control buttons, then log on via HTTPS. After logging on for the first time, linking the two appliances together was just as easy.

NitroSecurity NitroView: Rich features, rich GUI

The NitroView console is based on Adobe Flex, the open source, Flash-based rich Internet application framework, and NitroSecurity exploits Flex's adaptability to the nth degree in this product line. The vendor claims that Flex keeps the interface and the returned results as snappy with many millions of records as with a few thousand, but testing this claim was not part of my review.

The default console is attractive, if a bit busy, but also incredibly useful. The left side of the main console contains the source tree; where you click in the tree determines which devices and event sources you end up querying and configuring. The right side of the console contains the filter window, which displays the active filters for particular views. The downside of the feature-rich GUI is that it's among the most complicated I've used. I often referred to the help files for options the first time around.

The product's central selling point is that multiple graphs and displays of data can be easily set out side-by-side, and the dozens of views can be highly customized. Admins will have no problem choosing what they want to see in a single view, and adding new charts and data views is a snap. Graphs and data in a single view can be related and synchronized, or completely unrelated -- it's your choice. Clicking on any point in one of the context-sensitive graphs updates any related graphs.

Any data element in a chart can be drilled into or out for more detail or context. For example, on a chart showing a weekly volume indicator, you can select a particular week to see the figures for each day. Select a particular day and see the figures for each hour. Select a particular hour to drill down to the individual events.

You can click the properties icon on any graph to see the data sorted a different way or to create a brand-new graph. You can choose the event sources, fields to include, filters, update interval, sort order, graph type, and more. Multiple graphs and data views can be combined and sized into a particular console view. Admins can easily create multiple views and switch among them with one mouse click. Each user can choose their own default view. Only one product in this review, LogRhythm, was in the same class as NitroSecurity in providing versatile views and graphs.

NitroSecurity NitroView: Log collection, alerting, and reporting

Data sources can be added to each LogCaster receiver through the NitroView ESM console. NitroSecurity has prebuilt connectors for more than 325 data sources, handling the incoming data and normalizing it into a common event format. NitroView uses WMI with individual per-host logon credentials to contact Windows machines (so the appliance ends up holding a privileged credential for every Windows host it polls, and deserves to be protected as such), and it can act as a syslog server. Multiple hosts can be added all at once using an import file or a passive auto-learn function that discovers valid hosts from firewall traffic. However, NitroSecurity's auto-discovery process was not as seamless as its counterparts in some of the other products.
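To make concrete what a receiver's normalization step buys you, here is an added example (my own code, not NitroSecurity's; the schema field names are my own choice and the syslog lines are constructed). It parses RFC 3164 records from two unrelated sources, sshd and an iptables-logging kernel, into one event schema and then correlates them by source address, which is only possible once both are speaking the same field names:

```python
"""Normalize heterogeneous syslog records into one event schema.

Added illustration of a log receiver's normalization step; not NitroSecurity
code. Field names (action, src_ip, ...) are an arbitrary choice of mine.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample RFC 3164 syslog lines from two different sources.
SAMPLE_LINES = [
    "<38>Mar 12 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "<38>Mar 12 10:15:04 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.23 port 40110 ssh2",
    "<12>Mar 12 10:15:09 fw01 kernel: [1234.56] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51030 DPT=22",
]

# Header: <PRI>MMM DD hh:mm:ss HOST PROG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Per-source message parsers. Each maps a source-specific phrasing onto the
# same normalized fields: action, src_ip, dst_ip (and user where present).
SSHD_RE = re.compile(
    r"^(?P<verb>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
IPTABLES_RE = re.compile(r"(?P<verb>DROP|ACCEPT|REJECT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

# Vendor-specific verbs collapse onto a small shared vocabulary.
ACTION_MAP = {
    "Failed": "auth_failure", "Accepted": "auth_success",
    "DROP": "deny", "REJECT": "deny", "ACCEPT": "allow",
}


def normalize(line, year=2010):
    """Return one normalized event dict, or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = re.sub(r"\s+", " ", m.group("ts"))  # RFC 3164 pads single-digit days
    event = {
        # RFC 3164 timestamps carry no year; the receiver has to supply one.
        "event_time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "source_type": m.group("prog"),
        "facility": pri >> 3,        # PRI = facility * 8 + severity
        "severity": pri & 7,
        "action": None, "user": None, "src_ip": None, "dst_ip": None,
        "raw": line,                 # keep the original bytes for forensics
    }
    msg = m.group("msg")
    if event["source_type"] == "sshd":
        d = SSHD_RE.match(msg)
    elif event["source_type"] == "kernel":
        d = IPTABLES_RE.search(msg)
    else:
        d = None
    if d:
        g = d.groupdict()
        event["action"] = ACTION_MAP[g["verb"]]
        event["user"] = g.get("user")
        event["src_ip"] = g.get("src")
        event["dst_ip"] = g.get("dst")
    return event


def normalize_all(lines, year=2010):
    return [e for e in (normalize(l, year) for l in lines) if e]


def actions_by_source_ip(events):
    """Correlate across sources: what did each remote address do, in order?"""
    out = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            out[e["src_ip"]].append(e["action"])
    return dict(out)


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LINES)
    for ip, acts in actions_by_source_ip(evs).items():
        print(ip, acts)
```

Run against the three constructed lines, 203.0.113.7 shows up as `['auth_failure', 'deny']`: a failed SSH logon on web01 followed by a firewall drop on fw01, visible as one story only because both records were mapped onto the same `src_ip` and `action` fields. Every real connector does some version of this mapping, and the quality of a product's 325 connectors is largely the quality of these regexes.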

Events can be individually browsed to see all captured information, and filters can be created on the fly. Filters can be built graphically, simply by using a mouse, including complex filters with logical ANDs and ORs. Once filters are created, they can easily be applied to all the existing views or removed with a single click of a mouse.

The NitroView ELM has data storage groups, much like ArcSight and Splunk, into which each incoming event source can be placed. Storage can be internal or external (SAN or SMB/CIFS file shares). Parsed and indexed logs are also retained in their original raw form, and each raw log is hashed at collection time; the stored copy can be re-hashed and compared against that value later to show it has not been altered, which is exactly what a forensic or compliance examiner will ask for. NitroView has fairly strong default security requirements, supports FIPS, and allows fairly granular permissions to be assigned to different administrative groups. Auto-updating keeps the rules, the application, and the underlying OS current.
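As an added illustration of raw-log hashing of the kind described above (my own code, not NitroSecurity's, and not a description of how the ELM actually stores its hashes): each raw record is chained into a SHA-256 digest that covers the previous digest, the record's sequence number, and the raw bytes. Later verification recomputes the chain and reports the first altered, removed, or reordered record; the three event lines are constructed.

```python
"""Tamper-evident archive of raw log records via a SHA-256 hash chain.

Added example; not NitroSecurity code. Demonstrates hashing raw logs at
collection time and verifying them later, as a log manager would for forensics.
"""
import hashlib

# Constructed raw events, exactly as they arrived, before any parsing.
RAW_EVENTS = [
    "<38>Mar 12 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "<38>Mar 12 10:15:04 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.23 port 40110 ssh2",
    "<12>Mar 12 10:15:09 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
]

GENESIS = b"\x00" * 32  # fixed starting value for an empty chain


def _link(prev_hash: bytes, seq: int, raw: str) -> bytes:
    """Digest of (previous digest || sequence number || raw bytes).

    Including prev_hash makes reordering or deleting a record detectable;
    including seq stops two identical records from being swapped silently.
    """
    h = hashlib.sha256()
    h.update(prev_hash)
    h.update(seq.to_bytes(8, "big"))
    h.update(raw.encode("utf-8"))
    return h.digest()


def seal(raw_events):
    """Archive raw events with a hash chain. Returns (records, head_hex).

    head_hex is the value to store somewhere the log server cannot rewrite.
    """
    records, prev = [], GENESIS
    for seq, raw in enumerate(raw_events):
        prev = _link(prev, seq, raw)
        records.append({"seq": seq, "raw": raw, "hash": prev.hex()})
    return records, prev.hex()


def verify(records, head_hex):
    """Recompute the chain over stored records.

    Returns (True, None) if intact. Otherwise (False, seq) where seq is the
    first record that is altered, missing or out of order, or (False, None)
    when every stored record checks out but records were removed from the
    tail, so the recomputed head no longer matches the saved one.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq:
            return False, expected_seq          # gap or reordering
        prev = _link(prev, rec["seq"], rec["raw"])
        if prev.hex() != rec["hash"]:
            return False, expected_seq          # record content altered
    return (True, None) if prev.hex() == head_hex else (False, None)


if __name__ == "__main__":
    records, head = seal(RAW_EVENTS)
    print("intact:", verify(records, head))
    tampered = [dict(r) for r in records]
    tampered[1]["raw"] = tampered[1]["raw"].replace("Accepted", "Failed")
    print("edited record 1:", verify(tampered, head))
    print("dropped last record:", verify(records[:2], head))
```

Two practical caveats follow from the design. First, the chain is only evidence if the head digest lives where whoever can write the archive cannot also rewrite it: on another host, on write-once media, or signed and timestamped by a third party. A root-level intruder on the log server can otherwise recompute the whole chain after editing. Second, hash the raw bytes, not the parsed fields: parsers get fixed and connectors get updated, and a digest over parsed output would then fail for innocent reasons.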

Alerting is handled in the ESM product. Notifications can be sent using email, SNMP, and syslog; SMS was noticeably missing. NitroView ESM can send Remedy-formatted emails, and it even contains its own, albeit basic, case-tracking component if you don't already have a more usable tracking system.

NitroView ESM and ELM come with dozens of predefined reports, including the usual Windows, PCI, SOX, and GLBA-type reports, along with a few application-level reports. My favorite reports were those that cited "deviations from the baseline." This is a great idea: you first use NitroView to capture and establish a baseline of normal event patterns, then create reports and views that show only the events and trends that depart from it.
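One simple way to implement such a baseline, as an added example (my own code, not a description of NitroView's method): learn the per-hour-of-day mean and standard deviation of an event count from a history window, then flag hours in the current day whose count lies more than k standard deviations away. The history below is constructed deterministically (busy business hours, quiet nights) so the output is reproducible; the `floor` parameter is my own addition to stop a perfectly flat baseline, whose standard deviation is zero, from flagging every single extra event.

```python
"""Baseline-and-deviation report over hourly event counts.

Added example, not NitroView's implementation. Models "normal" as a per-hour
mean and standard deviation and reports hours that fall outside k sigma.
"""
from statistics import mean, pstdev


def build_history(days=14):
    """Constructed history: (day, hour, count) of failed logons for one host.

    Business hours (08:00-17:59) run around 20 per hour, nights around 2, with
    a small deterministic wobble instead of random noise so runs are repeatable.
    """
    history = []
    for d in range(days):
        for h in range(24):
            base = 20 if 8 <= h < 18 else 2
            history.append((d, h, base + (d + h) % 3))
    return history


def baseline(history):
    """Per hour-of-day (mean, population std dev) of the observed counts."""
    by_hour = {}
    for _, h, c in history:
        by_hour.setdefault(h, []).append(c)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def deviations(today, base, k=3.0, floor=1.0):
    """Return [(hour, count, z)] for hours more than k sigma from baseline.

    `floor` is the minimum standard deviation used in the denominator; without
    it an hour that was always exactly 0 in history would flag a count of 1.
    """
    flagged = []
    for h, c in today.items():
        mu, sigma = base[h]
        z = (c - mu) / max(sigma, floor)
        if abs(z) > k:
            flagged.append((h, c, round(z, 1)))
    return flagged


def todays_counts(spike_hour=None, spike_count=40):
    """Constructed current day: baseline pattern plus one, with an optional spike."""
    today = {h: (20 if 8 <= h < 18 else 2) + 1 for h in range(24)}
    if spike_hour is not None:
        today[spike_hour] = spike_count
    return today


if __name__ == "__main__":
    base = baseline(build_history())
    print("quiet day:", deviations(todays_counts(), base))
    # 40 failed logons at 03:00 against a night-time norm of about 3
    print("spike at 03:00:", deviations(todays_counts(spike_hour=3), base))
```

The same shape works for any count the log manager can produce per time bucket: denied firewall connections per source subnet, account lockouts per domain controller, bytes out per host. What makes the report useful is that the threshold is learned per bucket, so 40 failed logons at 03:00 stands out while the same number at 10:00 would not, which a single global threshold cannot express.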

This article, "Log management review: NitroSecurity ESM and ELM," was originally published at InfoWorld.com. Follow the latest developments in information management and security at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.