What’s exciting about LogLogic?

Written By:
Content Copyright © 2007 Bloor. All Rights Reserved.

Logs? Boring things aren’t they? Well, that may or may not be true, but it certainly doesn’t apply to LogLogic. I had better explain.

Regular readers will know that I have written in the past about companies like CopperEye and Sensage providing storage and search capabilities against call data records (CDRs) in the telco sector. However, if you are from the police or some related agency, what you really want to see is not just someone’s mobile phone records, but also their fixed line phone records, their emails and, quite likely, the web sites that they have been accessing. Given that many telcos provide several if not all of the relevant services, how are interested government agencies going to get a holistic view of a suspect?

There are two possible approaches: first you could store and index each set of data separately and then use some sort of federated query capability to combine the data, or you can combine all the data in one place and then provide relevant query and reporting capability. It is the latter approach that LogLogic uses.

Of course, logs are not limited to the sorts of things mentioned. They also apply to databases, intrusion detection (from outside the firewall), extrusion detection (people within the organisation mis-using information), network infrastructure and anything else you can think of.

What LogLogic enables you to do is to bring all sources of log data (CDRs, Syslogs, WC3 format data, database logs, customised application logs, whatever) into a single place and then analyse that data so that you can comply with relevant regulations, for security purposes, to prevent (internal) fraud, to prevent mis-use (for example, staff accessing porn sites), to better understand your network, and so on.

The way that LogLogic does this is via two appliances, both of which are traditional appliances in the sense of being a complete hardware/software bundle that you plug in and it goes. The two appliances are the Log Data Warehouse and the Reporting Appliance. The former stores the data (up to 34Tb per appliance—but the data is compressed so that the appliance only has 4Tb of actual capacity—and you can have multiple appliances) and comes with the relevant connectors to capture the relevant log data from the various sources that you might have, and it also indexes all of the incoming log data. The company claims capture speeds of 75,000 log messages (lines) per second.

The Log Data Warehouse stores all the log information exactly as it originated. This is important for evidentiary reasons, for example. However, it isn’t easy to visualise as normalised (meta-) log data. This is where the LX Reporting and Analysis Appliance comes in: this enables the generation of template-based reports that put the log data into easily readable and understandable format.

Note further that LogLogic operates in real-time and can generate alerts or other actions as required. In the latter case, there is an API available for you to build LogLogic into other applications, and it also supports service orientated architectures (SOA) through web services integration. As far as alerts are concerned there are various approaches supported, including behavioural, statistical and contextual analysis so that you can quickly pick out rogue behaviour.

The problem that LogLogic has is that it has no competitor so its market is ill-defined. There are point solutions that are appropriate departmental or divisional solutions but there is nothing really like LogLogic on an enterprise scale. While this is a good thing (the company has more than 350 customers, many of them prestigious) it also makes it difficult to market the product because there is no slot that it neatly fits into. It is not really a security product: it is more than that. It isn’t even really just a GRC (governance, risk and compliance) offering though it supports all of those things. Some other analysts have made up a space precisely for LogLogic (the Log Management & Intelligence space, aimed at enterprise log data management activities) for which LogLogic is, necessarily the market leader; but this may have more to do with creating relevant pigeonholes that helping customers understand the market. In practice, LogLogic is a data management product that encompasses all of the activities just discussed, as well as parts of others (such as data governance). Regardless of how you label it, LogLogic is clearly its own market leader.

So, exciting? Well, not as sexy as Angelina Jolie but not quite as boring as you might think.