
Product Details
LR1000 v. 3.5
Category: Security Management, Assessment, Incident Response
Sub-category: IT Forensics

| Version: | 3.5 |
|---|---|
| Vendor: | LogRhythm |
| Website: | www.logrhythm.com |
| Price: | $30,000, plus support |
| Date: | 1-Apr-07 |
| Author: | Peter Stephenson |
This is one of those "almost there" products that will, we are certain, give competitors a run for their money fairly soon. The LR1000 is a log analysis appliance and has a lot to recommend it. Fundamentally, this product gathers logs, analyzes them and produces specialized reports. The device can be monitored in near real time as a network management tool during an event, or it can be used to analyze logs after an event for network forensic content.
The LR1000 can accept logs from virtually any source, including Windows, syslog and all of the popular IDSs and firewalls, and can collect them with or without an agent on the remote device. The device normalizes time stamps on collected logs while retaining the original time stamp for forensic traceability. Logs are normalized and even custom logs can be fed to the appliance.
The primary purpose of the LR1000 is to manage logs in a network management environment. While the forensic capabilities of the product are secondary, care is given to providing both forensic capability and evidence management during the log collection and analysis process.
Documentation for the product is good and LogRhythm provides remote walk-throughs to help new and prospective users assimilate the product quickly. Installation was quick and straightforward and we had no trouble implementing it in our lab.
Some areas where we see minor room for improvement on the forensic side are depth of log analysis, especially of raw logs, and chain-of-custody management. Both of those capabilities are almost there, though. What is missing is full traceability all the way down to packet content when that level of detail is present in the raw log, and a cleaner way to prove chain of custody. These are forensic requirements, however; chain of custody and full raw-log analysis are generally not requirements for typical log management.
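Two of the points raised above, normalizing time stamps while keeping the original stamp for traceability and being able to prove that a collected log has not been altered, are the parts of collection a forensic reviewer looks at first. The following Python example is added here and is not code from the review or from LogRhythm; it shows one straightforward way a collector can meet both requirements. It parses two constructed log lines (a year-less syslog line and a Windows-style event line, each with an assumed host UTC offset), writes a UTC timestamp beside the untouched original, and links SHA-256 hashes of the raw lines into a chain so that any later edit or deletion of a record is detectable. The host offsets, the assumed year 2007 for the syslog line, and the record layout are all my assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (not taken from the review or from LogRhythm):
# (source type, raw log line, assumed UTC offset of the host that wrote it)
SAMPLE_LOGS = [
    ("syslog", "Apr  1 13:04:22 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10", "-05:00"),
    ("windows", "2007-04-01 19:05:01 SECURITY 4625 Logon failure for user bob", "+01:00"),
]

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
WINDOWS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
GENESIS = "0" * 64  # fixed anchor value for the first link in the chain


def parse_offset(offset):
    """Turn '+01:00' / '-05:00' into a fixed-offset tzinfo."""
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = (int(p) for p in offset[1:].split(":"))
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def normalize(source, line, offset, year=2007):
    """Return a record carrying a UTC timestamp plus the untouched original stamp.

    Classic syslog lines carry no year, so the collector must supply one
    (assumed here); the original stamp text is kept verbatim for traceability.
    """
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable syslog line: {line!r}")
        original, message = m.groups()
        local = datetime.strptime(f"{year} {' '.join(original.split())}",
                                  "%Y %b %d %H:%M:%S")
    elif source == "windows":
        m = WINDOWS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable windows line: {line!r}")
        original, message = m.groups()
        local = datetime.strptime(original, "%Y-%m-%d %H:%M:%S")
    else:
        raise ValueError(f"unknown source type {source!r}")
    utc = local.replace(tzinfo=parse_offset(offset)).astimezone(timezone.utc)
    return {
        "source": source,
        "normalized_utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "original_timestamp": original,
        "message": message,
        "raw": line,
    }


def build_chain(records):
    """Hash each raw line and link the hashes so that editing or deleting any
    record changes every later link (a simple chain-of-custody record)."""
    chain, prev = [], GENESIS
    for rec in records:
        record_hash = hashlib.sha256(rec["raw"].encode()).hexdigest()
        link = hashlib.sha256((prev + record_hash).encode()).hexdigest()
        chain.append({**rec, "record_hash": record_hash, "prev_link": prev, "link": link})
        prev = link
    return chain


def verify_chain(chain):
    """Recompute every link from the stored raw lines; False on any tampering."""
    prev = GENESIS
    for entry in chain:
        record_hash = hashlib.sha256(entry["raw"].encode()).hexdigest()
        if entry["prev_link"] != prev:
            return False
        if hashlib.sha256((prev + record_hash).encode()).hexdigest() != entry["link"]:
            return False
        prev = entry["link"]
    return True


def collect(logs=SAMPLE_LOGS):
    """Normalize every sample line and wrap the results in a hash chain."""
    return build_chain([normalize(src, line, off) for src, line, off in logs])


if __name__ == "__main__":
    for entry in collect():
        print(entry["normalized_utc"], "| orig:", entry["original_timestamp"],
              "| link:", entry["link"][:12], "|", entry["message"])
    print("chain intact:", verify_chain(collect()))
```

Both sample events land within a minute of each other in UTC even though their local stamps differ by six hours, which is the kind of cross-source ordering a normalized clock makes possible; the original stamps stay in the record so an examiner can always show where the UTC value came from. The chain only proves integrity from the point of collection onward, so the first link and the collector's own clock still need to be trusted and documented separately.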
Support for the LR1000 and its sister products (LR500 and LR2000) is available. We were impressed with the pre-sales support from the company. Pricing is about in the middle of the pack for similar products, and we find that it is a better than average value for the money.
This product is in the following Group Test
Forensic tools 2007
Product Rating

| Category | Rating |
|---|---|
| Features | **** |
| Ease of Use | **** |
| Performance | ***** |
| Documentation | **** |
| Support | **** |
| Value for Money | **** |
| Overall Rating | **** |
For: A strong emerging competitor in the forensic area; already a strong product for network management; easy to use with very comprehensive reporting.
Against: We would like to see a bit more attention to forensic issues, especially chain of custody.
Verdict: This is a competent, scalable product. Buy it for network management and use it as one of your network forensic tools.

