Long-time readers will, perhaps, recall that I
have an ongoing appreciation for the LogLogic log management and
intelligence platform. Last year we awarded it our Approved for SC Labs
designation and this year I am pleased to have had the opportunity to
get a look at the 4.0 beta in advance of its release.
The LogLogic LX is a log capture, management, correlation and analysis tool that has application in security management, intelligence gathering and forensic analysis of network-based events. Its companion product, the ST, archives and manages large log sets for rapid access and analysis by the LX.
I have used the LX/ST combination for research that
involves large log sets and, while I like the product a lot, I have to
admit that there have been a few limitations. One of those limitations
is the types of logs that it can handle. The other is the way it has
handled raw log content. Both of these limitations have been rendered
obsolete in release 4.0.
This latest release has lots of new
features, but the most obvious are the way it handles different types
of logs and the way it looks at raw logs. The latter is, perhaps, the
most interesting from a forensic perspective. The ability to analyze
large sets of data for content always has been the Holy Grail of
digital forensic analysis. However, nowhere is this more vexing than
with very large log sets.
Large log sets from an intrusion detection system (IDS), such as Snort, contain huge amounts of data. Buried deep within that data may be the evidence you need to establish that an employee has been sending bits of confidential information to friends or co-conspirators. While there are products available that are intended to stop that type of activity, they may not be able to provide clear evidence of wrongdoing. The LX in its new release can examine extremely large log sets for exactly that type of information.
Additionally, the LX can correlate multiple instances to provide a history of the behavior in question. All of this is preserved and reported, the analysis activity is logged, and the original raw logs are protected, thus maintaining chain of custody.
Similar analysis on other types of security-related events is a snap. Moreover, the LX is a perfect tool for ensuring regulatory compliance. This was a strong capability in earlier releases, but the added correlation and reporting capabilities of release 4.0 simply add power here. In addition to seeing the search data, you can drill down and see the entire source log if necessary.
Implementation is quick and easy. Although users will not need to reinstall the entire system (the new release comes as an upgrade), we opted to do a fresh install. We installed on our legacy (release 3.X) appliance and the entire installation took under a half hour. The results were flawless. During installation, the LX transfers control to an external serial-connected console, and the product cannot be installed or managed at the platform level remotely, for security reasons. The web interface is not available until the installation is complete.
The command line is reminiscent of configuring a Cisco router, so users familiar with that process will see several familiar commands. We inserted the disk with the new implementation on it into the CD drive and, after warning us that we would lose all our data if we continued (we had taken that into account), the installer loaded a new operating system, configured it and installed the new LX application. Once that was done and we configured the network connection information, the device came right up and we connected to the web interface from another computer.
One unique function of the LX preserved in this version is that it watches itself. It sees itself as a device on the network, so when you fire it up for the first time you will see the beginnings of log collection. Since it has not been "introduced" to any devices on the network yet, it starts by watching its own connections.
Connection to feeder devices —
such as IDSs, firewalls and syslog servers — is simple, and the
appliance can accept blocks of logs introduced to it for bulk analysis.
This, usually, is the way I use it in my research since I collect logs
from a variety of sources. This has real forensic value as well since
logs may be collected from a variety of sources and, after work copies
are made, the originals can be preserved in a chain of custody. The
work copies, then, can be fed to the LX for correlation and analysis.
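The preservation step described above (originals held under chain of custody, work copies fed to the analyzer), written out as an added Python example; this is not LogLogic's code or anything from the review. The manifest layout, the custodian label and the sample log lines are constructed for the example.

```python
import datetime, hashlib, json, os, shutil, tempfile

# Constructed sample logs standing in for files collected from feeder devices.
SAMPLE_LOGS = {
    "snort.log": "Dec 3 10:01:02 sensor1 snort[412]: [1:2000:1] sample alert\n",
    "fw.log": "Dec 3 10:01:05 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9\n",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_work_copies(originals_dir, work_dir, manifest_path, custodian):
    """Hash each original, copy it, confirm the copy hashes identically,
    lock the original read-only and record all of it in a JSON manifest."""
    os.makedirs(work_dir, exist_ok=True)
    records = []
    for name in sorted(os.listdir(originals_dir)):
        src, dst = os.path.join(originals_dir, name), os.path.join(work_dir, name)
        digest = sha256_file(src)
        shutil.copyfile(src, dst)
        if sha256_file(dst) != digest:
            raise RuntimeError(f"work copy of {name} does not match its original")
        os.chmod(src, 0o444)  # the original is never written to again
        records.append({"file": name, "sha256": digest, "custodian": custodian,
                        "copied_at": datetime.datetime.now(datetime.timezone.utc).isoformat()})
    with open(manifest_path, "w") as f:
        json.dump(records, f, indent=2)
    return records

def verify_against_manifest(manifest_path, directory):
    # Re-hash the files in directory; return the names whose digest no longer matches.
    with open(manifest_path) as f:
        records = json.load(f)
    return [r["file"] for r in records
            if sha256_file(os.path.join(directory, r["file"])) != r["sha256"]]

def demo():
    base = tempfile.mkdtemp()
    orig, work, manifest = (os.path.join(base, p) for p in ("orig", "work", "manifest.json"))
    os.makedirs(orig)
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(orig, name), "w") as f:
            f.write(text)
    records = make_work_copies(orig, work, manifest, "analyst-1")
    with open(os.path.join(work, "fw.log"), "a") as f:  # analysis touches only the work copy
        f.write("Dec 3 10:02:00 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.6\n")
    return len(records), verify_against_manifest(manifest, orig), verify_against_manifest(manifest, work)
```

Re-running the verification against the originals after analysis is what lets the manifest stand as evidence that they were never altered, while the work copies are free to be reprocessed.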
The LogLogic LX release 4.0 is a top-flight product and we continue to award it our Approved for SC Labs rating, the highest rating that we award. Over the coming year it will continue to be our log analysis workhorse.
Product: LogLogic LX Release 4.0
Company: LogLogic, Inc., www.loglogic.com
Availability: Now
Price: LX 2000: $49,999; LX1000: $24,999.
What it does: The LX is a log collector and correlator with a slew of functions for analyzing large log sets from multiple sources.
What we liked: We liked the improved reporting and log analysis features. As a network forensic tool, the LX excels because it can read raw log data and report both header and data payload information when present in the logs.
What we didn’t like: There is really nothing not to like here, but if pressed we would have to point out that this tool is most effective when the user is well-versed in the network. The LX won’t solve your network problems all by itself, but it absolutely will enable your security analysts to be more efficient and accurate than ever before. The key is that the security analyst must have the skills to interpret what the LX presents.