This product collects, manages and analyzes Windows server event logs. While log management is not limited to forensics, it is an important incident response tool.
One of the first things that any competent attacker does on a compromised server is modify or clear the system logs to cover their tracks. Tools which collect logs remotely, and do so frequently, make this vastly more difficult, because a copy of the evidence already exists on a host the attacker has not touched. A layer of analysis and alerting software on top can help track down the infiltration after the event or, better yet, flag suspicious activity as it occurs.
Event Archiver is the backbone of the product. It connects to multiple Windows servers (which requires administrative rights on each target) and can be set to import their event logs (Application, Security and so on) either on a schedule or whenever a log fills up. The collected events are consolidated in a local database. The architecture accommodates distributed networks and multiple subnets by exporting data: several instances of the Archiver can run in parallel, each exporting to a remote ODBC database or to flat files delivered by FTP, for central aggregation and analysis. Note that FTP carries the log data in cleartext, so anyone positioned on that path could read or alter it in transit; an encrypted channel between collectors and the central store is preferable.
On top of that sits the Event Analyst tool, which takes the vast amount of log data and makes sense of it, applying filters and rules to drill down to and isolate the relevant events. Displaying these in chronological order gives an insight into the sequence of events during an incident, and the data is easy to manipulate. The software was not fast at processing data, although a faster database back end would help a lot.
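To make the collect-then-analyze model concrete, here is an added example in PowerShell; it is not Dorian's code and does not use the product. It does by hand what the Archiver and Analyst do together: pull the Security and System logs from several servers into one local archive, merge them into a single timeline, and pick out the events that show the logs themselves were tampered with. The server names, the archive path and the 24-hour window are assumptions for illustration.

```powershell
# Added example, not Dorian's code: collect the Security and System logs from several
# servers into one local archive, then order the combined data chronologically and
# pull out the events that indicate log tampering. Server names, the archive path
# and the 24-hour window are assumptions for illustration.
# Runs in Windows PowerShell (Get-WinEvent is Windows-only); reading a remote Security
# log needs administrative rights, or Event Log Readers membership, on each target.
$Servers = 'DC01', 'FILE01', 'WEB01'
$Since   = (Get-Date).AddHours(-24)
$OutDir  = 'C:\LogArchive'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Collected = foreach ($Server in $Servers) {
    try {
        Get-WinEvent -ComputerName $Server -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security', 'System'
            StartTime = $Since
        } | Select-Object @{ n = 'Computer'; e = { $Server } },
                          TimeCreated, Id, ProviderName,
                          @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } }
    }
    catch {
        # A host that refuses to hand over its logs is itself worth a look.
        Write-Warning "Could not read event logs on ${Server}: $($_.Exception.Message)"
    }
}

# Keep a local copy first: the archive, not the host, is now the record of what happened.
$Archive = Join-Path $OutDir ('events-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$Collected | Export-Csv -Path $Archive -NoTypeInformation -Encoding UTF8

# Event IDs that indicate the logs themselves were touched (Windows auditing facts,
# not from the review): 1102 Security log cleared, 104 another log cleared, 4719 audit
# policy changed. Only the two Windows providers that emit them are accepted for a match.
$Tamper = @{
    1102 = 'Security log cleared'
    104  = 'Event log cleared'
    4719 = 'Audit policy changed'
}
$Providers = 'Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'

$Collected |
    Where-Object { $Tamper.ContainsKey([int]$_.Id) -and $_.ProviderName -in $Providers } |
    Sort-Object TimeCreated |
    ForEach-Object {
        '{0:u}  {1,-8}  {2,4}  {3}: {4}' -f $_.TimeCreated, $_.Computer, $_.Id, $Tamper[[int]$_.Id], $_.Message
    }
```

Two things this makes visible that the product description does not. The export happens before any analysis, so a host that is wiped after the pull has already lost control of the evidence. And the merged timeline is only as trustworthy as the servers' clock synchronization: a few minutes of skew between hosts will reorder events across machines, so the collector should also record when it pulled each batch.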
A final component, Event Alarm, is a toolbar control which receives NetBIOS and syslog alerts that match certain criteria and brings them to the attention of the console operator. A simple tool, but an effective one.
Overall, we like the Dorian suite, but it is lacking in a couple of major areas. First, it is aimed at Windows systems, and most large organizations will have plenty of non-Windows systems generating logs. While the Event Alarm console can receive syslog messages, the Event Archiver and Analyst components cannot. A service is provided to import syslog messages into the local machine's Windows Application Event log, an effective, if clumsy, way to address the problem.
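The syslog-to-Application-log workaround is simple enough to sketch. The following is an added example in PowerShell, not Dorian's service: a minimal RFC 3164 receiver that takes UDP syslog messages and writes each one into the local Application event log, where a Windows-only collector can then pick it up. The event source name, the port, the event ID scheme and the severity-to-EntryType mapping are assumptions made for the example.

```powershell
# Added example, not Dorian's syslog service: a minimal RFC 3164 receiver that writes each
# UDP syslog message into the local Application event log, so a Windows-only collector can
# pick non-Windows events up. The source name, port, event IDs and severity mapping are
# assumptions. Needs Windows PowerShell 5.1 (New-EventLog/Write-EventLog are not in
# PowerShell 7) and, for the one-time source registration, local administrative rights.
$Source = 'SyslogBridge'
$Port   = 514
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function ConvertFrom-SyslogLine {
    param([string]$Line)
    # <PRI> encodes facility*8 + severity (0..191). A message with no valid PRI is
    # treated as priority 13 (user.notice), which is what RFC 3164 tells relays to assume.
    if ($Line -match '^<(?<pri>\d{1,3})>(?<rest>.*)$' -and [int]$Matches.pri -le 191) {
        $pri = [int]$Matches.pri
        [pscustomobject]@{ Facility = [int][math]::Floor($pri / 8); Severity = $pri % 8; Text = $Matches.rest }
    }
    else {
        [pscustomobject]@{ Facility = 1; Severity = 5; Text = $Line }
    }
}

function Get-EntryType {
    param([int]$Severity)
    # syslog severities: 0 emerg .. 3 err, 4 warning, 5 notice, 6 info, 7 debug.
    if ($Severity -le 3) { 'Error' } elseif ($Severity -eq 4) { 'Warning' } else { 'Information' }
}

$udp    = New-Object System.Net.Sockets.UdpClient($Port)
$sender = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
try {
    while ($true) {
        $bytes = $udp.Receive([ref]$sender)
        $msg   = ConvertFrom-SyslogLine ([System.Text.Encoding]::UTF8.GetString($bytes))
        # The originating host survives only inside the message text; the Windows event's
        # Computer field names this bridge machine, which is the clumsiness the review notes.
        Write-EventLog -LogName Application -Source $Source -EventId (1000 + $msg.Severity) `
            -EntryType (Get-EntryType $msg.Severity) `
            -Message ('from {0} facility={1} severity={2}: {3}' -f $sender.Address, $msg.Facility, $msg.Severity, $msg.Text)
    }
}
finally {
    $udp.Close()
}
```

The limitation is plain in the last step: every foreign message lands under one Windows source with a synthetic event ID, and the real sender, facility and severity survive only as text that the analyst has to parse back out. It also inherits everything wrong with plain UDP syslog, including unauthenticated, unencrypted delivery that is easy to spoof or drop on the network.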
We were also disappointed that the reporting tool includes components which require proprietary IE plug-ins to view charts.