Log files alternate between extremely valuable and extremely irritating, depending on the task at hand; either way, the real effort goes into analyzing the data.
Network Intelligence Corp.’s NIE-2550-HA is a good example of how far log analyzers have come in recent years. Despite some UI problems, it handles diverse system logs and does a good job of condensing log information.
The NIE-2550-HA is a 2U rack-mounted, server-class system with six hot-swap 72GB SCSI drives, and it ships with the enVision management GUI. Behind the appliance’s spiffy red front bezel lie two 2.8GHz hyperthreaded P4 Xeon processors and 3GB of RAM running Windows 2000 Server SP4.
The enVision Web-based Java management GUI can be run via a Remote Desktop Protocol connection to the server, as well as from other hosts running Internet Explorer. Other browsers need not apply — Mac IE in particular fails rather spectacularly when trying to log in to enVision.
The NIE-2550-HA fit into my lab quite easily. Initial configuration can be done via the console interface or the LCD management panel. I pointed a Web browser at the IP address, and voila — up and running. I then pulled together several gigabytes of log files from a variety of sources, including several different firewalls, VPN concentrators, IDSes, and Linux servers.
To control the tests, I wrote a quick tunable syslog injection tool in Perl and fed these logs to the NIE at varying rates, as many as 3,250 events per second. The NIE is a midrange appliance and only supports as many as 2,500 events per second, but can burst to 3,250 events per second to reduce the potential for losing logs during an attack.
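A rate-controlled syslog injector in the spirit of the one described above, written here in Python as an added example (it is not the reviewer's Perl tool and not Network Intelligence code). It assumes only standard RFC 3164 framing and the standard 514/udp collector port; the sample log lines, hostnames and addresses are constructed for the example.

```python
"""Rate-controlled syslog injector.

Added example, not the reviewer's Perl tool: replays log lines to a syslog
collector over UDP at a chosen events-per-second rate, so a receiver's
sustained and burst limits can be probed from the sending side.
"""
from __future__ import annotations

import socket
import time
from collections.abc import Callable, Iterable

# RFC 3164 codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample lines standing in for captured firewall, VPN and IDS logs
# (hostnames and addresses are invented for this example).
SAMPLE_LINES = [
    ("fw1", "kernel", "Deny tcp src outside:203.0.113.7/4455 dst inside:10.0.0.5/445"),
    ("vpn1", "iked", "user alice authenticated from 198.51.100.9"),
    ("ids1", "snort", "[1:2003:8] SQL injection attempt [Classification: Web Application Attack]"),
]


def build_syslog(msg: str, *, host: str, tag: str, facility: str = "local4",
                 severity: str = "info", when=None) -> bytes:
    """Wrap `msg` in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.

    `when` is a struct_time or 9-tuple; None means now (local time, as 3164 uses).
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = when if when is not None else time.localtime()
    stamp = f"{time.strftime('%b', t)} {t[2]:2d} {time.strftime('%H:%M:%S', t)}"
    # A bare newline would split one event into two on collectors that frame on LF.
    body = msg.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>{stamp} {host} {tag}: {body}".encode("utf-8", "replace")


def schedule(segments: Iterable[tuple[int, float]]) -> list[float]:
    """Send offsets in seconds for segments of (count, events_per_second).

    [(2000, 2500.0), (500, 3250.0)] holds 2,500 eps and then bursts to 3,250 eps.
    """
    offsets: list[float] = []
    t = 0.0
    for count, rate in segments:
        interval = 1.0 / rate
        for _ in range(count):
            offsets.append(t)
            t += interval
    return offsets


def paced_send(events: Iterable[bytes], offsets: Iterable[float],
               send: Callable[[bytes], object], *,
               clock: Callable[[], float] = time.monotonic,
               sleep: Callable[[float], None] = time.sleep) -> int:
    """Emit each event at start + offset and return how many were sent.

    Scheduling against absolute deadlines, rather than sleeping a fixed interval
    after each send, keeps the average rate exact even when a sleep overshoots.
    """
    start = clock()
    sent = 0
    for ev, offset in zip(events, offsets):
        due = start + offset
        now = clock()
        if due > now:
            sleep(due - now)
        send(ev)
        sent += 1
    return sent


def udp_sender(host: str, port: int = 514) -> Callable[[bytes], int]:
    """Return a send() bound to the collector; 514/udp is the standard syslog port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.connect((host, port))
    return sock.send


def loopback_demo(count: int = 50, rate: float = 1000.0) -> int:
    """Send `count` events to a throwaway collector on 127.0.0.1 and count what arrives."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(1.0)
    send = udp_sender("127.0.0.1", rx.getsockname()[1])
    events = (build_syslog(m, host=h, tag=tg)
              for h, tg, m in (SAMPLE_LINES[i % len(SAMPLE_LINES)] for i in range(count)))
    paced_send(events, schedule([(count, rate)]), send)
    received = 0
    try:
        for _ in range(count):
            rx.recv(2048)
            received += 1
    except socket.timeout:
        pass  # UDP: anything missing here was dropped, as it would be at a saturated collector
    return received


if __name__ == "__main__":
    print(f"{loopback_demo()} events received over loopback")
```

To run the same kind of test against an appliance, replace the loopback receiver with `udp_sender("<collector address>")` and a schedule such as `[(2000, 2500.0), (500, 3250.0)]`, which holds the sustained rate and then pushes into burst territory; comparing the sender's count with what the appliance's dashboard reports shows whether anything was lost. Syslog over UDP gives the sender no feedback, so the count on the receiving side is the only reliable measure.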
Each monitored system is configured to send its syslog data to the NIE-2550-HA. The NIE can also ingest Windows event logs, Check Point’s LEA (Log Export API) feed, and IDS and IPS logs, including those from Cisco Systems Inc. IDS and Snort. Because it accepts and normalizes these diverse sources, enVision can correlate events across an entire network.
Administrators define candidate and active hosts from among the systems sending log data. The NIE’s dashboard display — linked to the enVision function menu — shows easily digested data about current system load. Large speedometer-style meters display the current events-per-second rates, averages, and maximums, as well as network interface activity and Web and database process load.
EnVision’s base functionality is information condensation. This requires strong reporting features, and enVision’s report creation tools are quite extensive, permitting straight SQL queries into the log-file database and offering a wizard-based report generator.
Neither is for the faint of heart; even the wizard can be a bit onerous, but the tools’ depth makes the effort worthwhile. Luckily, hundreds of predefined reports are available for a wide range of devices.
On the downside, the UI report selection interface could use some work. Reports are organized in a hierarchical tree layout, but the frame containing the lists is rather narrow, so nearly all report names are truncated. You must use the horizontal scroll bar to fully reveal them. Similar small-layout issues plague other parts of the UI.
The alerting functions work well; a simple alarm browser displays current alarm conditions per category and per host. Alarm configuration and maintenance is involved, but, as with the reporting tools, the options provided outweigh the sometimes-cumbersome process.
Network Intelligence has done a good job in providing a single solution to handle all log-file-related tasks, from collection to reporting. Considering the requirements for the Sarbanes-Oxley Act and other regulations, it doesn’t hurt to be armed with a broad array of tools to derive meaningful information from masses of logs.