I recently spent some time with Trent Heisler at LogRhythm getting an update on their new LogRhythm 4.0 log management solution. LogRhythm is one of my site’s sponsors and I think you will find as I have that the log management/SEM vendors that sponsor my Security Log Secrets webinars are the best ones out there in the Windows security log space. If you aren’t strong on Windows security logs – why sponsor events on how to analyze Windows security logs?
LogRhythm 4.0 is no exception. I hate boring product reviews that plod their way through installation, setup, support, yada yada. Instead, here's a quick take on what I find outstanding:
* Well designed classification of incoming log events
* Log data normalization! – read on to find out what I mean
* 3 ways to handle incoming log data
Well designed classification of incoming log events
Designing a dashboard requires a deep understanding of 1) the technical data you are trying to summarize and 2) the higher level analysis needs of the user viewing the dashboard. You can tell that LogRhythm was designed by an information security professional, and that's what Chris Petersen, founder of LogRhythm, is – Infosec pro first, programmer second. LogRhythm's dashboard does a really good job of classifying and "rolling up" data into an informative at-a-glance view of incoming log events. Events are typed first as Operational, Security and Audit. I could see right away that Operational events are more about service availability and resource utilization, but I wondered what LogRhythm considered to be the difference between Security and Audit events. The answer makes sense. Security events are those that indicate something suspicious or most likely to require investigation and response – stuff like failed logon events, port scans or changes to security policy. But as you know, there are many more security related events that simply need to be recorded and available for future review – stuff like routine maintenance to user accounts and groups – and that's what gets typed as Audit events. It's difficult for software developers to make generalization decisions for the wide variety of customers and environments out there, but LogRhythm has done a good job.
Within each of the 3 major types, events are further classified. And this is where we come to one of the most impressive and unique value points of LogRhythm – normalization of events across platforms.
Log Data Normalization
Again showing that the people at LogRhythm are security log nerds and not just coders is the powerful normalization of events that LogRhythm applies as events come in. Here's what I mean by normalization: Take authentication events as an example. Every device, application, database and operating system out there handles logon requests. Authentication either succeeds or fails for basically the same reasons – bad user name, bad password, account disabled, locked out, etc. But every product out there reports authentication events differently. On Windows a successful authentication is either 672 or 680, but it's something completely different for Linux, for Oracle and so on. LogRhythm has built-in intelligence on all of its supported log types that identifies authentication successes and failures and assigns them a common "meta" event ID regardless of the platform that generated the event. And before you ask, don't worry: they don't drop the original log data.
3 ways to handle incoming log data
Every log management solution can collect logs nowadays – what's important is what you can do with the log data once you have it centralized. And again you can tell that LogRhythm has put a lot of thought into what an Infosec pro needs to do with log data. Basically they provide 3 ways to analyze and respond to log data:
* Alarms – Alarms, as you would expect, look for events matching specified criteria and can alert you in all the usual ways, from pager messages to email and so forth. The one thing I'm surprised LogRhythm still can't do is run an admin-supplied script in response to a specified alarm, but Trent confirmed that feature is coming in the next revision of the product.
* Forensics – If you are a security log geek like me who has to chew through reams of data to figure out what happened, you'll love the 2 sections in the Forensics area of LogRhythm: Investigations and Reports. With Investigations you can quickly build queries against LogRhythm's log data warehouse. You can easily define criteria based on specific elements within log event messages and pull specific fields out of the description of events to be columns in your result set. If you know the Windows security log you know why this is so important. Investigations are tailored for flexible, ad-hoc, immediate analysis, while reports are intended for the production of routine reviews and summarizations of log data. You can easily convert investigations to reports and vice versa.
* Real-time analysis – If you run a Security Operations Center, or any time you need to know what's happening right now across your enterprise, you will love the Real-time section of LogRhythm, which does a nice job of showing summarized events in real time. In particular I like the "Tail" feature, which is a reference to *NIX's tail command. LogRhythm's Tail is a scrolling view of log events as they come in from devices and systems across your network – kind of like the cascade view of data in The Matrix, only you can actually read the data in Tail, especially once you set some filters up. For instance, let's say that you get an alarm alerting you to a single suspicious event concerning Bob. You can open a Tail window and filter by logon name Bob. LogRhythm will immediately start reporting to you any event from any system on the network connected with Bob. Remember LogRhythm's data normalization? Here again it pays off by allowing you to watch what Bob is doing in real time across all the computers and devices on your network. (As a side note, this point once again shows why it's so important to have consistent naming conventions for user accounts across all your systems.)
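To make the normalization idea and the per-user Tail filter concrete, here is an added Python sketch; it is not LogRhythm's code (the post shows none) and only illustrates the approach. The Windows success IDs 672 and 680 are the ones named above; the failure IDs 675 and 681, the simplified message formats, and the sample log lines are my own assumptions and constructions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real captures): Windows 2003-style security
# events rendered as "EventID=...", and Linux sshd syslog lines.
SAMPLE_LOGS = [
    ("winsrv1", "EventID=672 User=bob Source=10.0.0.5"),       # Kerberos AS ticket granted
    ("winsrv2", "EventID=680 User=alice Source=10.0.0.9"),     # NTLM account logon success
    ("winsrv1", "EventID=675 User=bob Source=10.0.0.77"),      # Kerberos pre-auth failed
    ("linux01", "sshd[812]: Accepted password for bob from 10.0.0.5 port 51234 ssh2"),
    ("linux02", "sshd[913]: Failed password for bob from 10.0.0.77 port 40010 ssh2"),
    ("linux02", "sshd[914]: Failed password for invalid user admin from 10.0.0.77 port 40011 ssh2"),
]

# Platform-specific IDs mapped to a common meta event. 672/680 are the success IDs
# named in the post; 675 (Kerberos pre-auth failure) and 681 (NTLM logon failure)
# are assumed here from Windows Server 2003 documentation, not from the post.
WINDOWS_META = {672: "AUTH_SUCCESS", 680: "AUTH_SUCCESS", 675: "AUTH_FAILURE", 681: "AUTH_FAILURE"}

WIN_RE = re.compile(r"EventID=(\d+) User=(\S+) Source=(\S+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")

@dataclass
class MetaEvent:
    meta_id: str
    host: str
    user: str
    source_ip: str
    raw: str   # the original log text is kept, as the post notes LogRhythm does

def normalize(host, line):
    """Return a MetaEvent for an authentication line, or None if it is not recognised."""
    m = WIN_RE.search(line)
    if m:
        meta = WINDOWS_META.get(int(m.group(1)))
        return MetaEvent(meta, host, m.group(2).lower(), m.group(3), line) if meta else None
    m = SSHD_RE.search(line)
    if m:
        meta = "AUTH_SUCCESS" if m.group(1) == "Accepted" else "AUTH_FAILURE"
        return MetaEvent(meta, host, m.group(2).lower(), m.group(3), line)
    return None

def tail_for_user(logs, user):
    """Tail-style filter: every normalized auth event for one account, from any platform."""
    events = (normalize(h, l) for h, l in logs)
    return [e for e in events if e and e.user == user.lower()]
```

Because every line is reduced to the same meta event before filtering, one filter on the account name shows Bob's successes and failures across Windows and Linux hosts alike, which is exactly why consistent account naming across systems matters.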
New features in 4.0
LogRhythm has made a number of infrastructure improvements that don't necessarily have a lot of glitz but are very important to meeting enterprise level storage, availability and performance requirements. Like most log management products out there, LogRhythm has both a database for reporting and a long term archive. In 4.0 LogRhythm now archives in real time. In previous versions of LogRhythm, archiving was performed in batch. Logs would be archived up to 24 hours after being written to the on-line database. This model had 2 disadvantages: 1) there was a period of time when the log was not present in the archiving system, and 2) in order for a log to be archived, it had to be written to the on-line database. In LogRhythm 4.0, logs are archived immediately after being processed. You can also choose to have logs archived only (not parsed and normalized into the database for reporting), which is cool for system logs that don't need any reporting – just long term archival. There are lots of other new features that improve deployment and monitoring of the health of LogRhythm components across larger networks, security through SSL encryption and single sign-on with Active Directory, performance via support for SQL Server 2005, and new features that improve LogRhythm's already powerful analytics.
As you can see, LogRhythm deserves a look and probably a place on your short list.