LogLogic Aims to Ease Log Data Crunch
February 6, 2007 Alex Woodie
LogLogic is preparing a new release of its log management offering aimed at helping IT professionals and end users alike. When version 4 of its software ships by the end of the quarter, it will include a new indexing engine, which should make it easier for users to search through the millions of log messages generated by servers, applications, and network devices. It will also include a new Web portal interface designed to empower end users to do their own log research instead of taking up all of IT’s time.
LogLogic ships prepackaged reporting software with its collection of rack-mountable, X86-based appliances, which support thousands of applications and network devices generating log messages in the data center, including the iSeries and most any other type of server you can think of. Log data gets pushed down to these appliances, where it’s sifted through in real time to find any immediate problems, such as a security breach. Another appliance holds long-term data and is used for compliance initiatives.
When we last wrote about LogLogic, the company offered prepackaged reports aimed at helping customers use their log data to satisfy industry requirements, such as Sarbanes-Oxley, PCI, GLBA, and HIPAA. More recently, the company realized customers needed to manage their log data along the lines of industry best practices, so it introduced prepackaged reports for FISMA, ITIL, ISO, and COBIT.
The shift was made in response to what has become a “perfect storm” in the data center, says LogLogic marketing chief Andy Lark. “A perfect storm has emerged [heralding] a change in IT management practices,” he says. The day-to-day life of an operator has shifted in an important and sometimes subtle way, and is now under the jurisdiction of compliance. “You can’t not store log data. You have to have best practices,” he says.
On the one hand, the number of federal and industrial regulations and standards that companies must comply with just keeps growing. Unfortunately, department managers are dumping onto IT professionals much of the legwork needed to generate reports demonstrating compliance.
“We’re under so much pressure now from auditors and HR. There’s just an unending number of requests,” Lark says. “But they don’t understand that every request goes back to getting at the log data. Every vendor provides some logging tool, but users don’t have time to understand how every vendor’s log tool works, they don’t have the time to extract data from 50 different log tools . . . I want to use one tool…that enables me to get at the data.”
LogLogic is instituting a change, with an upcoming release of its software, aimed at resolving this conflict. Chief among the changes is a second way to process log data. Previously, the appliances relied on a parsing engine that used rules to weed out the chaff and isolate the important log messages. But that didn’t work so well when customers pointed all kinds of legacy systems, each using different log message standards, at the LogLogic appliances. The company’s solution was to introduce a second engine that would index all log messages, so users could perform searches against the data store and come up with meaningful conclusions from data contained in the log messages.
“It’s caused us to evolve our architecture for log management and intelligence,” Lark says. “We were focused on parsing. [But] it became clear that an iSeries user isn’t just focused on iSeries servers, but the applications on it. And they’re generating in a unique format. So it becomes about indexing that data, and making it searchable, and how we generate search-based reports. . . . So we ended up evolving a dual-processing engine.”
Another upcoming change in its products also has to do with making it easier to extract meaningful information from log data. With version 4, LogLogic is developing what it calls a service oriented architecture (SOA) version of its product. In effect, the SOA version will enable users to build Web portals that will allow managers and auditors to get needed information themselves, instead of constantly pestering IT for it.
“Some of our leading-edge customers . . . wanted to be able to use a standard API to build Web portals to extend to the user inside the enterprise,” Lark says. “Let’s say you’re the firewall manager and the security desk was constantly requesting activity data. You can build a standard” way to allow them to get that info off a Web portal.
The SOA feature, like the rest of the version 4 release, is still in beta tests, and should be available by the end of the quarter, Lark says.
In the end, LogLogic’s goal hasn’t changed so much as it’s evolved. “We’re seeing a lot more interest from customers being able to match and fully understand what went on from firewall all the way to the database on the server,” Lark says. “They’re looking for a complete fingerprint of user activity across the IT organization.”