Roger Grimes
Columnist

Log management review: LogLogic MX3020

reviews
Aug 4, 2010

The LogLogic MX3020 appliance is not as feature-rich as some of the competition, but covers the essentials with great ease


I found the LogLogic MX appliance to be among the easiest-to-use management products, and it has all the functionality most administrators would need for basic log management. The GUI is simple and uncluttered. I didn’t find myself looking to help manuals nearly as much as I did in other products.

LogLogic sent its 2U-high MX3020 appliance (version 4.9.1 software), which combines the feature sets of the company’s LX and ST boxes, thus encompassing log collection, reporting, archiving, and forensics functions, and adds one or more compliance suites. The test unit came with five Ethernet interfaces and 2TB of RAID10 storage, and it was easily the quietest and coolest — as in low temperature — appliance tested. Setup was a breeze.

LogLogic’s management interface is accessed via HTTPS and opens by default to a summary statistics dashboard. All the statistics you’d expect are shown, including message rates, CPU utilization, and disk space. The GUI was clean, easy to understand, and responsive. The only missing element is the ability to quickly drill down into more detail via context-sensitive graphs, which many of the competitors have.

Monitored clients can be added manually, one at a time, through discovery queries, or by allowing the MX3020 to inspect inbound message streams and identify the source devices on its own. Similar devices or clients can be collected together into a device group for easier management. LogLogic has more than 70 predefined device types (each definition tells the appliance how to parse that device's messages), including most of the popular vendors and generic Syslog.

Test Center Scorecard

LogLogic MX3020 (version 4.9.1)
Category weights: 40%, 20%, 20%, 20%
Category scores: 8, 9, 8, 8
Overall score (weighted average): 8.2

Very Good

The Log Source Status screen image below shows a sampling of device types. Most client connections are agentless, although there is an open source client for Microsoft Windows computers and clients for mainframes and other esoteric systems.

Incoming events can be viewed in the Real-Time Viewer, and all events can be searched in the Index Search screen. The MX3020 has a special section dedicated to showing firewall and VPN events, which some administrators will find useful.

You can search events by typing in search expressions, using built-in search filters, or creating your own search filters. Search filters can be created using keywords, regular expressions, or Boolean expressions, and they can be saved and shared with other LogLogic users. Search filters can even be marked as read-only or modifiable. An additional In Context tab allows an administrator to quickly see the previous 10 events surrounding the results of a particular filter, a nice touch.

Administrators can set an unlimited number of alerts, and notifications can be sent via SNMP, Syslog, or email. The screen image below shows example alerts. The LogLogic MX3020 is fairly flexible in the types of alerts that can be created, including message volume, search filters, ratio, and adaptive baseline alerts. Ratio alerts send notifications when message rates for particular events exceed or fall below predefined thresholds. I particularly like the ability to send alert notifications based upon receiving no event messages from a device in a particular time period, perhaps indicating a device or communications failure.

You can create alerts based upon a series of events across multiple devices. For example, you can create an alert for single failed logons that occur within a small timeframe across 100 computers, perhaps catching a password-guessing worm or hacker in the act. You can also input SNMP object identifiers (OIDs) so that alerts sent as SNMP traps are recognized and routed correctly by your network management system.

Adaptive baseline alerts take a week or so to measure overall message volume baselines across a collection of devices, and can then alert when events cross above or below the defined baseline thresholds.
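The alert types described above are easy to reason about in code. The following Python script is an added example written for this page, not LogLogic's own code or configuration; it runs three of those rules, multi-device failed-logon correlation, a missing-source (device silence) alert, and an adaptive baseline check, over a handful of constructed syslog-style lines. The log layout, the window sizes, the thresholds and the host names are assumptions chosen for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample syslog-style lines; they are not captured from any real system.
SAMPLE_LOGS = """\
2010-08-04T10:00:01 host01 sshd[1201]: Failed password for root from 10.0.0.9 port 51022 ssh2
2010-08-04T10:00:02 fw01 kernel: ACCEPT SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443
2010-08-04T10:00:03 host02 sshd[880]: Failed password for root from 10.0.0.9 port 51023 ssh2
2010-08-04T10:00:05 host03 sshd[971]: Failed password for admin from 10.0.0.9 port 51024 ssh2
2010-08-04T10:00:06 host01 sshd[1202]: Accepted password for alice from 10.0.0.7 port 40010 ssh2
2010-08-04T10:00:09 host04 sshd[433]: Failed password for root from 10.0.0.9 port 51025 ssh2
2010-08-04T10:00:11 host05 sshd[512]: Failed password for root from 10.0.0.9 port 51026 ssh2
2010-08-04T10:09:58 host02 cron[990]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "<ISO timestamp> <host> <process>: <message>" is a simplified syslog layout (assumption).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_LOGON_RE = re.compile(r"\bFailed password for\b")


def parse(text):
    """Turn raw lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def distributed_failed_logons(events, window_s=30, min_hosts=5):
    """Multi-device correlation: fire when failed logons are seen on at least
    min_hosts distinct hosts inside a sliding window of window_s seconds.
    Returns a list of (alert_time, sorted_hosts); one alert per burst."""
    window = timedelta(seconds=window_s)
    recent = deque()           # (ts, host) of failed logons still inside the window
    alerts = []
    for ev in events:
        if not FAILED_LOGON_RE.search(ev["msg"]):
            continue
        recent.append((ev["ts"], ev["host"]))
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()   # expire events that fell out of the window
        hosts = {h for _, h in recent}
        if len(hosts) >= min_hosts:
            alerts.append((ev["ts"], sorted(hosts)))
            recent.clear()     # start a fresh window so one burst yields one alert
    return alerts


def silent_devices(events, expected_hosts, now, max_silence_s=300):
    """Missing-source alert: expected hosts that sent nothing in the last
    max_silence_s seconds before `now` (an ISO timestamp), or never at all."""
    now = datetime.fromisoformat(now)
    last_seen = {}
    for ev in events:
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    limit = timedelta(seconds=max_silence_s)
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > limit)


def baseline_status(history, current, k=3.0):
    """Adaptive baseline: compare this interval's message count with the mean of
    past intervals; 'above'/'below' when more than k standard deviations away."""
    mu, sigma = mean(history), pstdev(history)
    if current > mu + k * sigma:
        return "above"
    if current < mu - k * sigma:
        return "below"
    return "normal"


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("correlated failed logons:", distributed_failed_logons(evs))
    print("silent devices:", silent_devices(
        evs, {"host01", "host02", "host03", "host04", "host05", "fw01", "fw02"},
        "2010-08-04T10:10:00"))
    print("baseline:", baseline_status([100, 110, 90, 105, 95, 100, 100], 130))
```

On the sample data the correlation rule fires once, at 10:00:11, after failed logons from five different hosts inside a 30-second window; the silence rule reports every expected host except host02, whose cron entry arrived two seconds before the check; and a count of 130 against a baseline averaging 100 is flagged as above. In practice the baseline history would be the per-interval counts the appliance accumulates over its first week, and the silence check would run on a timer rather than once.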

The LogLogic MX3020 comes with many predefined, editable standard reports, which can be adjusted on the fly when executed in real time, published on a schedule, and made available in multiple formats: HTML, CSV, PDF, and so on. Normally, the MX ships with one compliance suite of the customer's choosing (COBIT, NERC, PCI, and others are available), while additional compliance suites, each with search filters, alerts, and reports tailored to that set of requirements, can be purchased. LogLogic also offers a Compliance Manager product that adds workflow and sign-off capabilities surrounding compliance features. I did not review the Compliance Manager or any of the add-on products.

Reports and their graphs are context-sensitive and allow drilling down into more detail and tighter timeframes with a click of the mouse. LogLogic's appliances would be improved if the same functionality were incorporated into the dashboard's graphical displays.

One especially interesting report, Application Distribution, uses collected firewall statistics to show a historical record of devices and the TCP/IP ports they use. The data contained in this report can be sliced and diced a number of ways to assist in an investigation. All stored logs are protected with a SHA-256 hash so that later alteration of the archive can be detected; as with any integrity hash, that protection holds only if the digests themselves are kept where someone able to rewrite the logs cannot simply recompute them.
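To show what a SHA-256 integrity check over stored logs buys you, and where it stops, here is an added Python example written for this page; it is not LogLogic's code and makes no claim about how the appliance computes or stores its hashes. Instead of hashing each line on its own, it chains the digests so that each one also covers the digest before it: a changed line, a deleted line, or a truncated file then shows up as a mismatch at a specific position. The log records, the all-zero starting value and the function names are assumptions of the example.

```python
import hashlib

# Constructed sample log records (not from any real system); each is one stored line.
RECORDS = [
    b"2010-08-04T10:00:01 host01 sshd[1201]: Failed password for root from 10.0.0.9",
    b"2010-08-04T10:00:02 fw01 kernel: ACCEPT SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443",
    b"2010-08-04T10:00:06 host01 sshd[1202]: Accepted password for alice from 10.0.0.7",
    b"2010-08-04T10:09:58 host02 cron[990]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Fixed starting value for the chain (an assumption of this example, not a standard).
GENESIS = bytes(32)


def chain_digests(records, genesis=GENESIS):
    """Hash every record together with the digest of the record before it.
    Returns one hex SHA-256 digest per record; the last digest commits to the
    whole log up to that point, so it is the value to keep (or sign) off-box."""
    digests, prev = [], genesis
    for rec in records:
        prev = hashlib.sha256(prev + rec).digest()
        digests.append(prev.hex())
    return digests


def verify_chain(records, digests, genesis=GENESIS):
    """Recompute the chain over `records` and compare with the stored `digests`.
    Returns None when everything matches, otherwise the index of the first
    position that fails: a modified, inserted or deleted record, or a log that
    was truncated or had records appended without updating the digests."""
    prev = genesis
    for i, (rec, stored) in enumerate(zip(records, digests)):
        prev = hashlib.sha256(prev + rec).digest()
        if prev.hex() != stored:
            return i
    if len(records) != len(digests):
        return min(len(records), len(digests))   # lengths differ: truncation or append
    return None


if __name__ == "__main__":
    stored = chain_digests(RECORDS)
    print("intact log:", verify_chain(RECORDS, stored))
    edited = list(RECORDS)
    edited[2] = edited[2].replace(b"alice", b"mallory")
    print("edited record:", verify_chain(edited, stored))
    print("record 1 deleted:", verify_chain(RECORDS[:1] + RECORDS[2:], stored))
    print("last record dropped:", verify_chain(RECORDS[:-1], stored))
```

A per-line hash without the chain would catch the edited record but not the deleted one, since every remaining line would still match its own digest. Neither scheme helps if the attacker can rewrite the digests along with the logs, which is why the final digest belongs on a separate system or under a signature the log writer cannot produce.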

The LogLogic MX3020 appliance offers a clean, simple, and smooth interface for log management and reporting, hindered only by a lack of context-sensitive graphics in many areas. It lacks some esoteric enterprise features such as storage groups and network bandwidth throttling, but offers nice extras such as adaptive baseline alerts and the ability to identify incoming device streams. Except for the limited number of alert notification methods, LogLogic MX3020 provides every capability that all but the largest organizations might need.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
