2 Log Managers Show State Of The Art
LogLogic's LX2010 appliance aces a variety of tasks; LogRhythm has the edge in compliance features.
LogRhythm 4.0
IT systems can generate a ton of log events, not all of them useful, in the name of compliance. The common thinking has been to collect and save all log data because storage is cheap, while the difficulty of locating log data when auditors or legal requests demand it can get expensive.
Today's log management systems maintain two different types of logs: raw logs that come straight from network devices, and processed data, which the log manager indexes for searching and reporting.
Log managers like LogRhythm can both store raw messages and extract important data, such as IP address, user name, message importance, and message classification. Processed data is indexed for searching and reporting. Raw message data may or may not be useful for searching, so LogRhythm lets you decide if you want to keep it in the live database, archive it in case you need it in the future, or drop it.
The biggest changes in LogRhythm 4.0 are in its data management. Settings are defined either by log manager (the server collecting the log messages) or by log source (the program or application generating the logs, such as Windows events or Unix syslog). Log source, storage, and processing parameters can be configured independently.
LogRhythm 4.0's other new features include log server monitoring for CPU load, memory usage, and message volume, so you can track system performance in real time. The upgraded hardware includes quad-core processors and double the RAM of earlier versions. Users can now access LogRhythm using Active Directory credentials, and communication between components is secured via SSL.
Previous versions of LogRhythm archived log messages in batches, which meant there was a time lag between when a message was received and when it was archived, and the log message had to be stored in the online database to be archived. In LogRhythm 4.0, log archiving is independent of log processing, and archiving occurs in real time. Logs can be archived without being sent to the online database, and the archive is kept current. Both features, independent archiving and archiving in real time, improve performance and reliability.
Version 4.0 also simplifies configuring how long messages are kept in the online database. The Long Time to Live (LTTL) option, defined on a per-log-manager basis, controls how long messages are kept online. The Short Time to Live (STTL) option, defined on a log source, overrides the log manager's time to live. A log manager might set an LTTL of 14 days and an STTL of one day on a chatty log source.
With the Drop Log function, nothing is written to the online database; the Drop Raw function writes the metadata to the online database and drops the raw log. These features are enabled on a per-source basis, so you can define exactly how data is stored and archived. Further customization is available through message processing policies, which override the log source definitions.
For example, Windows file system auditing generates numerous messages. You might opt to store only the metadata for authenticated users online and archive the raw data, but for messages from the Guest account store both the raw data and the metadata online so you can access them later.
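To make the precedence of these settings concrete (processing policy over log source over log manager), here is a small model of the retention rules as the review describes them. It is an added example, not LogRhythm's code or API; the event text, regex, dates and the "first matching policy wins" rule are assumptions.

```python
# Hypothetical model of the retention rules described above; not LogRhythm's code or API.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LogManager:
    long_ttl_days: int                    # LTTL: default online retention for the whole manager

@dataclass
class LogSource:
    short_ttl_days: Optional[int] = None  # STTL: overrides the manager's LTTL when set
    drop_log: bool = False                # Drop Log: nothing is written to the online database
    drop_raw: bool = False                # Drop Raw: metadata goes online, raw text is discarded
    archive: bool = True                  # archiving runs independently of online processing

@dataclass
class ProcessingPolicy:
    pattern: str                          # regex over the raw text; overrides the source settings
    drop_log: Optional[bool] = None       # None means "inherit from the log source"
    drop_raw: Optional[bool] = None

def resolve(manager, source, policies, raw_message, received):
    """Decide where one message lands. Precedence: processing policy > log source > log manager."""
    drop_log, drop_raw = source.drop_log, source.drop_raw
    for pol in policies:
        if re.search(pol.pattern, raw_message):
            drop_log = pol.drop_log if pol.drop_log is not None else drop_log
            drop_raw = pol.drop_raw if pol.drop_raw is not None else drop_raw
            break                         # assumption: first matching policy wins
    ttl = source.short_ttl_days if source.short_ttl_days is not None else manager.long_ttl_days
    online_metadata = not drop_log
    online_raw = online_metadata and not drop_raw
    return {
        "online_metadata": online_metadata,
        "online_raw": online_raw,
        "archived": source.archive,       # archive decision is independent of the online copy
        "expires": received + timedelta(days=ttl) if online_metadata else None,
    }

# Constructed scenario: chatty audit source keeps metadata online for one day (STTL beats the
# 14-day LTTL) and drops raw text, but a policy keeps raw text online for Guest-account events.
MANAGER = LogManager(long_ttl_days=14)
FS_AUDIT = LogSource(short_ttl_days=1, drop_raw=True)
POLICIES = [ProcessingPolicy(pattern=r"Account Name:\s*Guest\b", drop_raw=False)]
RECEIVED = datetime(2008, 6, 1, 12, 0)
USER_EVENT = "Object Access  Account Name: alice  Object: C:\\payroll.xls"   # constructed sample
GUEST_EVENT = "Object Access  Account Name: Guest  Object: C:\\payroll.xls"  # constructed sample
def decide(raw_message, source=FS_AUDIT):
    return resolve(MANAGER, source, POLICIES, raw_message, RECEIVED)
```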
It stands to reason that if you're going to collect all that data, you might as well use it, and LogRhythm 4.0 enables companies to do just that. In our tests, LogRhythm's search and grouping tools ably dug through large data sets, and we found its real-time searching tool easy to use.
Rather than relying on keyword searches, the tool parses events into columns that you can filter by keyword or regular expression. Filter results are displayed live as you type.
-- Mike Fratto
THE UPSHOT
CLAIM: The 4.0 release of LogRhythm's namesake appliance aims to simplify management of system agents and log collectors, improve performance, expand application and database log support, enhance analysis capabilities, and make collection and retention of data more flexible.
CONTEXT: Log management mandates, driven by compliance requirements, are forcing organizations to archive more data. However, turning raw event data into searchable information can be complicated because IT systems log data with no defined standards. Log management vendors such as LogLogic, Prism, and Q1 Labs are adding features to simplify the process, including data mining and analysis capabilities.
CREDIBILITY: LogRhythm offers administrators impressive abilities, such as the choice of what to store and how long to keep it, as well as strong reporting features, at a starting price of $20,000. Version 4.0 raises the bar, but in this rapidly evolving area, its lead won't last long.