LogRhythm LR1000 v. 3.5
Strengths: A strong emerging competitor in the forensic area; already a strong product for network management; easy to use with very comprehensive reporting.
Weaknesses: We would like to see a bit more attention to forensic issues, especially chain of custody.
Verdict: This is a competent, scalable product. Buy it for network management and use it as one of your network forensic tools.
This is one of those "almost there" products that will, we are certain, give competitors a run for their money fairly soon. The LR1000 is a log analysis appliance and has a lot to recommend it. Fundamentally, this product gathers logs, analyzes them and produces specialized reports. The device can be monitored in near real time as a network management tool during an event, or it can be used to analyze logs after an event for network forensic content.
The LR1000 can accept logs from virtually any source, including Windows, syslog and all of the popular IDSs and firewalls, and can collect them with or without an agent on the remote device. The device normalizes time stamps on collected logs while retaining the original time stamp for forensic traceability. Log formats are normalized as well, and even custom log formats can be fed to the appliance.
The primary purpose of the LR1000 is to manage logs in a network management environment. While the forensic capabilities of the product are secondary, care is given to providing both forensic capability and evidence management during the log collection and analysis process.
Documentation for the product is good and LogRhythm provides remote walk-throughs to help new and prospective users assimilate the product quickly. Installation was quick and straightforward and we had no trouble implementing it in our lab.
Some areas where we could see minor room for improvement in the forensic arena are depth of log analysis, especially of raw logs, and chain of custody management. Both capabilities are almost there; the only things missing are full traceability all the way to the packet content level when that level is available in the raw log, and a cleaner way to prove chain of custody. These are forensic requirements, though, and chain of custody and full raw log analysis generally are not requirements for typical log management.
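To make concrete the two forensic properties discussed above (keeping the original time stamp next to the normalized one, and being able to prove that stored log records have not been altered after collection), here is an added illustration in Python. It is not LogRhythm's code and says nothing about how the LR1000 stores its data internally; the two log lines, the source time zone and the year assumed for the year-less syslog line are all constructed for the example, and the hash chain is one generic way to support a chain-of-custody argument, not the appliance's method.

```python
"""Normalize time stamps from heterogeneous log lines while keeping the raw
record and the original time stamp, then chain the stored records with
SHA-256 so that any later edit or deletion is detectable.

Added illustration only; not LogRhythm code. All sample data is constructed.
"""
import copy
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: one BSD syslog line (no year, no zone, local time)
# and one Windows-style event export line that carries an explicit UTC offset.
SAMPLE_LINES = [
    "Oct 14 08:02:17 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9",
    "2023-10-14 10:02:19 +0200 WIN-DC01 Security 4625 An account failed to log on.",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
WINDOWS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_timestamp(raw_ts, source_tz, assumed_year):
    """Return the raw time stamp as an aware UTC datetime.

    BSD syslog omits both year and zone, so the collector must supply them;
    here they are assumed (a real collector would configure them per source).
    """
    if re.match(r"^[A-Z][a-z]{2}", raw_ts):
        local = datetime.strptime(f"{assumed_year} {raw_ts}", "%Y %b %d %H:%M:%S")
        return local.replace(tzinfo=source_tz).astimezone(timezone.utc)
    # The Windows-style line carries its own offset, so no assumption is needed.
    return datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def normalize(line, source_tz=timezone(timedelta(hours=2)), assumed_year=2023):
    """Produce a normalized record that still carries the untouched original."""
    for kind, rx in (("syslog", SYSLOG_RE), ("windows", WINDOWS_RE)):
        m = rx.match(line)
        if m:
            ts_utc = parse_timestamp(m["ts"], source_tz, assumed_year)
            return {
                "source_type": kind,
                "host": m["host"],
                "timestamp_utc": ts_utc.isoformat(),
                "original_timestamp": m["ts"],  # kept verbatim for traceability
                "message": m["msg"],
                "raw": line,                    # the record exactly as received
            }
    # Unparsed lines are still retained rather than dropped.
    return {"source_type": "unknown", "timestamp_utc": None,
            "original_timestamp": None, "raw": line}


def append_with_chain(records):
    """Store records with a running SHA-256 chain.

    Each entry's hash covers its canonical JSON plus the previous hash, so
    altering or removing any record invalidates every hash after it.
    """
    prev = "0" * 64
    chained = []
    for rec in records:
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256((prev + canonical).encode()).hexdigest()
        chained.append({"record": rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """Recompute the chain; return the index of the first bad entry, or -1."""
    prev = "0" * 64
    for i, entry in enumerate(chained):
        canonical = json.dumps(entry["record"], sort_keys=True, separators=(",", ":"))
        expected = hashlib.sha256((prev + canonical).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1


def process(lines):
    """Collect, normalize and chain a batch of raw log lines."""
    return append_with_chain([normalize(line) for line in lines])


def tamper_copy(chained, index, new_message):
    """Deep-copy the chain and edit one stored message, to show detection."""
    altered = copy.deepcopy(chained)
    altered[index]["record"]["message"] = new_message
    return altered


if __name__ == "__main__":
    chain = process(SAMPLE_LINES)
    for entry in chain:
        print(entry["record"]["timestamp_utc"], "<-", entry["record"]["original_timestamp"])
    print("intact chain verifies at index:", verify_chain(chain))
    print("edited chain fails at index:", verify_chain(tamper_copy(chain, 1, "edited")))
```

The point of keeping `original_timestamp` and `raw` beside `timestamp_utc` is that an analyst can always show how a normalized value was derived from what the device actually sent; the hash chain then lets that analyst show the stored batch is the one that was collected, which is the kind of evidence a chain-of-custody question asks for.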
Support for the LR1000 and its sister products (LR500 and LR2000) is available. We were impressed with the pre-sales support from the company. Pricing is about in the middle of the pack for similar products, and we find that it is a better than average value for the money.