Long-time readers will, perhaps, recall that Ihave an ongoing appreciation for the LogLogic log management andintelligence platform. Last year we awarded it our Approved for SC Labsdesignation and this year I am pleased to have had the opportunity toget a look at the 4.0 beta in advance of its release.
TheLogLogic LX is a log capture, management, correlation and analysis toolthat has application in security management, intelligence gathering andforensic analysis of network-based events. Its companion product, theST, archives and manages large log sets for rapid access and analysisby the LX. I have used the LX/ST combination for research thatinvolves large log sets and, while I like the product a lot, I have toadmit that there have been a few limitations. One of those limitationsis the types of logs that it can handle. The other is the way it hashandled raw log content. Both of these limitations have been renderedobsolete in release 4.0. This latest release has lots of newfeatures, but the most obvious are the way it handles different typesof logs and the way it looks at raw logs. The latter is, perhaps, themost interesting from a forensic perspective. The ability to analyzelarge sets of data for content always has been the Holy Grail ofdigital forensic analysis. However, nowhere is this more vexing thanwith very large log sets. Large log sets from an intrusiondetection system (IDS), such as Snort, contain huge amounts of data.Buried deep within that data may be the evidence you need to establishthat an employee has been sending bits of confidential information tofriends or co-conspirators. While there are products available that areintended to stop that type of activity, they may not be able to provideclear evidence of wrong-doing. The LX in its new release can examineextremely large log sets for exactly that type of information. Additionally,the LX can correlate multiple instances to provide a history of thebehavior in question. All of this is preserved, reported and theanalysis activity logged, and the original raw logs are protected, thusmaintaining chain of custody. Similar analysis on other types ofsecurity-related events is a snap. Moreover, the PX is a perfect toolfor ensuring regulatory compliance. This was a strong capability inearlier releases, but the added correlation and reporting capabilitiesof release 4.0 simply add power here. In addition to seeing the searchdata, you can drill down and see the entire source log if necessary. Implementationis quick and easy. Although users will not need to reinstall the entiresystem (the new release comes as an upgrade), we opted to do a freshinstall. We installed on our legacy (release 3.X) appliance and theentire installation took under a half hour. The results were flawless.During installation, the LX transfers control to an externalserial-connected console and the product cannot be installed or managedat the platform level remotely for security reasons. The web interfaceis not available until the installation is complete. The commandline is reminiscent of configuring a Cisco router, so users familiarwith that process will see several familiar commands. We inserted thedisk with the new implementation on it into the CD drive and, afterwarning us that we would lose all our data if we continued (we hadtaken that into account), the installer loaded a new operating system,configured it and installed the new LX application. Once that was doneand we configured the network connection information, the device cameright up and we connected to the web interface from another computer. One unique function of the LX preserved in this version is that it watches itself. Itsees itself as a device on the network so when you fire it up for thefirst time you will see the beginnings of log collection. Since it hasnot been "introduced" to any devices on the network yet, it starts bywatching its own connections. Connection to feeder devices —such as IDSs, firewalls and syslog servers — is simple, and theappliance can accept blocks of logs introduced to it for bulk analysis.This, usually, is the way I use it in my research since I collect logsfrom a variety of sources. This has real forensic value as well sincelogs may be collected from a variety of sources and, after work copiesare made, the originals can be preserved in a chain of custody. Thework copies, then, can be fed to the LX for correlation and analysis. The LogLogic LX release 4.0 is a top-flight product and we continue to award it our Approved for SC Labs rating, the highest rating that we award. Over the coming year it will continue to be our log analysis workhorse. Product: LogLogic LX Release 4.0
Company: LogLogic, Inc., www.loglogic.com
Availability: Now
Price: LX 2000: $49,999; LX1000: $24,999.
What it does: The LX is a log collector and correlator with a slew of functions for analyzing large log sets from multiple sources.
What we liked:We liked the improved reporting and log analysis features. As a networkforensic tool, the LX excels because it can read raw log data andreport both header and data payload information when present in thelogs.
What we didn’t like: There is reallynothing not to like here, but if pressed we would have to point outthat this tool is most effective when the user is well-versed in thenetwork. The LX won’t solve your network problems all by itself, but itabsolutely will enable your security analysts to be more efficient andaccurate than ever before. The key is that the security analyst musthave the skills to interpret what the LX presents.
