"Every log has potential value." If an executive had a mantra, this might be the one of LogRhythm execs Chris Peterson and Mike Reagan, CTO and vice president, respectively. You might not be surprised to learn, then, that LogRhythm is a log and security event management solution provider.
But consider the fact that a mid-sized organization can generate half a million to a million logs daily. And consider that the format of those logs can be as varied as the devices that generate them. And that a log that might indicate a critical situation to one organization might not indicate more than an annoyance to another organization. Put the facts together and you might conclude that searching for that potential value in a log can be as overwhelming as searching for the proverbial needle in a haystack.
LogRhythm aims to turn that haystack into a filing cabinet, a filing cabinet with a brain, if you will, where logs are classified, labeled, and retained, and mined for analysis, compliance, and security purposes. It uses a log identification engine to sift through logs, classifying and naming each and normalizing it for analysis and reporting. As part of the classification, it determines whether a log is related to security, operations, or audits and also prioritizes each event based on its impact on an individual business's operations. The solution categorizes data into "alert" for items requiring immediate attention (including role-based alerting, which alerts the proper group or individuals depending on their role); "event," for items requiring attention at some point; or "log," for items that an admin might want to look at further down the road.
The product adds another wrinkle to the log data process by interpreting data based on the context in which it's found—what might be a commonplace event in one area might be a dangerous anomaly in another. Based on the information it gathers, it calculates the risk of a threat and the level of a threat. It captures and retains data in searchable storage for retrieval and analysis later as well.
The company's latest release, LogRhythm 4.0, includes a Universal Database Log Analyzer (UDLA), which extends log collection to include any ODBC-compliant database. Additional new features include extended metadata fields, for added depth in the gathering of business intelligence, and LogMart data mining functionality for data trending and visualization.
Available as software preloaded and shipped on an appliance, LogRhythm is extensible—you just add another appliance. A large deployment might have five appliances, with a single SQL Server instance on each. In spite of multiple appliances, the product brings data back to the user on a single screen. That screen includes a dashboard that can be customized to each user's needs. Use cases include real-time monitoring for financial fraud, detection of data leakage, and the collection of an evidence trail for auditing and compliance. Clients also use LogRhythm log management for business intelligence. For example, one client uses it to capture business data as to which of its Web servers is logged as being viewed most frequently.
"The value of log data has always been there," CTO Chris Peterson says. The reward, he adds, is when you can see customers take the LogRhythm product and extend its usefulness across the enterprise.