Volume 3, Number 25 -- July 26, 2006

LogLogic Takes Appliance Approach to Log Management

Published: July 26, 2006

by Alex Woodie

It can be a bear to keep track of all your different systems' logs. Servers, printers, switches, databases, firewalls--they all create mounds of operational data, most of which you never want to see, but some of which could be very important to your company. Enter LogLogic, a Silicon Valley company that sells an x86-based appliance that consolidates log data from hundreds of systems and then helps managers extract meaningful information from it.

There are some pretty serious problems with the way logs are managed today, says LogLogic's chief marketing officer Andy Lark, who formerly was the CMO of a little hardware company called Sun Microsystems. First, log data is spread across the data center, housed in different and incompatible systems that are not easily penetrated. "You've got mountains and mountains of log data, and if you want to collect any intelligence, you've got to write a script," he says.

Correlating events also becomes tricky when logs and their formats don't work well together, which exacerbates cubicle-vision among administrators. "If I'm a firewall administrator and I'm worried about desktop security protection, then I'm only worried about security logs," he says. But what about the Oracle database logs?

Basically, companies' log management systems are kept in silos of information unto themselves. "It's the same place where accounting systems were 30 years ago," Lark says.

LogLogic addresses several aspects of the log management problem with two lines of rack-mountable, x86-based appliances: the frontline LX series and the back-end ST series. The LX series does log data collection, search and reporting, real-time alerting, security and access control, and short-term (less than 90 days) storage. The ST series, meanwhile, provides long-term storage and reporting for regulatory compliance, and works with two regulatory packages, one for Sarbanes-Oxley and another for the PCI guidelines affecting the electronic payment industry, although the company's solutions are also used in GLBA and HIPAA remediation.

The first step in setting up LogLogic LX appliances is to collect log data, which the appliances do without agents, Lark says. The second step is to set up alerts for monitoring and tracking anomalous activity occurring across previously unconnected systems (like the hacker traversing the firewall into Oracle financials).

Log data on the LX and ST series is secured so that administrators can restrict employee access to all or parts of the log data, and to ensure a chain of custody over the log data is maintained. Alerts from LogLogic systems can be sent to top-tier systems management products, such as Hewlett-Packard's OpenView or IBM's Tivoli suite, Lark says.

Customers count several benefits from LogLogic, Lark says. "If I want to see everything five users have done on the Web and e-mail for 30 days, that could take one to five days to get done [manually]. It's a significant task." With LogLogic, such a report could be whipped up in a matter of minutes, Lark says. "It significantly reduces forensics time."

The ST appliances can cut down on the time, money, and stress of regulatory compliance, Lark says. "By having an established product that maps to all your IT controls . . . it straight out reduces audit costs," he says. For example, the appliance could be used to generate a COBIT report that shows all the users who have recently been terminated from the network.

LogLogic says it can monitor practically any kind of log, including the major ERP systems like SAP and Oracle and the major business platforms such as OS/400, mainframe, Unix, Linux, and Windows servers for a start. All told, the company claims to support 4,000 log data sources. Those systems that don't offer clean log interfaces, such as homegrown applications, can be hooked up to LogLogic's appliances via an XML mapping interface, Lark says.

Microsoft Windows systems are of particular interest to the company and its Project Lasso, which the company describes as "an open source project that promotes rapid development of innovative technologies for monitoring any kind of Windows event," according to its Web site. "It is our aim that Project Lasso represents a viable open source alternative to, or complement to, Microsoft's more proprietary Windows event collection infrastructure form."

Lark says there are misconceptions about log data management. "People shouldn't think of log data management as something separate from what they've been doing, but as an integral part of the activities they've been undertaking on a daily basis," he says. "If you're an IT director, security officer, or business owner, [you need answers to questions like] how many times do my users log on and have a failed log on, or what's going on with the firewall, or we terminated these five users last week, we might have an info leak.

"Those seem more like relatively straightforward questions, but they require people to look at log data. So we need a greater appreciation and understanding of log data management. We're paying employees millions to [manually] do log management, but moreover, with regulatory requirements, you have a fiduciary responsibility to manage the log data."
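The two steps Lark describes (collect logs from unconnected systems into one place, then alert on activity that spans them) and the questions he lists (failed logons, terminated users who may still have access, the firewall-to-Oracle path), as an added illustration that is not LogLogic's code. The firewall and Oracle log formats, host addresses, user names and the "terminated users" list are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

FIREWALL_LINES = [  # constructed samples in a hypothetical format (not any vendor's)
    "2006-07-25T09:01:10 fw01 ACCEPT src=203.0.113.7 dport=1521 user=jsmith",
    "2006-07-25T09:02:40 fw01 ACCEPT src=203.0.113.9 dport=1521 user=bthomas",
]
ORACLE_LINES = [  # constructed database audit lines, also a hypothetical format
    "2006-07-25T09:01:12 db01 LOGON user=JSMITH status=FAILED host=203.0.113.7",
    "2006-07-25T09:01:20 db01 LOGON user=JSMITH status=FAILED host=203.0.113.7",
    "2006-07-25T09:01:31 db01 LOGON user=JSMITH status=FAILED host=203.0.113.7",
    "2006-07-25T09:02:45 db01 LOGON user=BTHOMAS status=SUCCESS host=203.0.113.9",
]
TERMINATED = {"bthomas"}  # constructed HR feed: accounts that should no longer log on

FW_RE = re.compile(r"(\S+) (\S+) (ACCEPT|DROP) src=(\S+) dport=(\d+) user=(\S+)")
DB_RE = re.compile(r"(\S+) (\S+) LOGON user=(\S+) status=(\S+) host=(\S+)")

def normalize(line):
    """Map either raw format onto one schema so the checks below need no per-source code."""
    if m := FW_RE.match(line):
        ts, src, act, ip, port, user = m.groups()
        action, result = f"fw:{port}", act
    elif m := DB_RE.match(line):
        ts, src, user, result, ip = m.groups()
        action = "db:logon"
    else:
        raise ValueError(f"unrecognised log line: {line!r}")
    return {"ts": datetime.fromisoformat(ts), "source": src, "user": user.lower(),
            "action": action, "result": result, "host": ip}

def failed_logons(events, threshold=3):
    """Users whose failed database logons reach the threshold."""
    c = Counter(e["user"] for e in events if e["action"] == "db:logon" and e["result"] == "FAILED")
    return sorted(u for u, n in c.items() if n >= threshold)

def terminated_activity(events, terminated):
    """Accounts HR says were terminated that still get through a firewall or database logon."""
    return sorted({e["user"] for e in events
                   if e["user"] in terminated and e["result"] in ("ACCEPT", "SUCCESS")})

def firewall_to_db(events, window=60):
    """Firewall ACCEPT to Oracle's port 1521 followed within `window` s by a DB logon from the same host."""
    accepts = [(e["host"], e["ts"]) for e in events if e["action"] == "fw:1521" and e["result"] == "ACCEPT"]
    return sorted({(e["host"], e["user"]) for e in events if e["action"] == "db:logon" and any(
        h == e["host"] and 0 <= (e["ts"] - t).total_seconds() <= window for h, t in accepts)})

EVENTS = sorted((normalize(l) for l in FIREWALL_LINES + ORACLE_LINES), key=lambda e: e["ts"])
```

Each check runs over the single normalized stream; `firewall_to_db` is the kind of finding neither the firewall administrator nor the DBA sees from their own log alone.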



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.