ArcSight Logger Reviews

We do work for multiple SIEM solutions such as Splunk, QRadar, LogRhythm. My team and I mostly work on ArcSight Logger and Splunk because we are dealing with projects related to these solutions.

We are discussing Logger for ArcSight Logger, specifically Log Collection.

In companies such as Aramco, SABIC, or electricity companies, they keep the main SIEM solution as Splunk or other LogRhythm solutions, and they use ArcSight Logger to collect the logs from Linux and Windows systems. They then forward these to the SIM solution.

ArcSight Logger fulfills compliance requirements and passes audit requirements. It is one of the Aramco standards requirements and is recommended by Aramco for any implementation.

Aramco, SABIC, water companies, and electricity companies are critical infrastructure with air-gapped networks. In an air-gapped network, there is no communication going out from that network area to the outside world, even to the corporate network. ArcSight Logger is installed on minimal resources with minimal requirements. There are not many upgrades or new features that come up frequently, though they do occur occasionally.

This decision is made by higher management as they don't want to have multiple solutions for one solution.

ArcSight Logger themselves don't provide good support, but companies such as ours provide comprehensive support.

Splunk is gaining popularity because ArcSight Logger doesn't have certain advanced features.

I have been working with ArcSight Logger for quite long, approximately eight plus years, entering the ninth year now.

ArcSight Logger can integrate with any SIM solution without issues.

I haven't encountered any stability issues.

ArcSight Logger is primarily designed for enterprise-level businesses.

ArcSight Logger themselves don't provide good support, but companies such as ours provide comprehensive support.

We provide pre-implementation, implementation, and post-implementation support to cover all areas.

If issues are specifically related to the solution, we can resolve them at our level, particularly configuration or integration matters. However, for specific features of the application, such as issues with Microsoft or Oracle, we cannot debug their solution or application, despite having certified and expert staff.

Positive

The implementation of ArcSight Logger is very quick and easy. Implementation typically takes only one to two hours maximum.

Implementation is taken care of by the customer unless they have an SLA with a support company. Some organizations now have managed services that cover these aspects.

ArcSight Logger is definitely cost-effective.

Splunk has more features and advantages compared to ArcSight Logger. While ArcSight Logger's functionality is limited, Splunk offers capabilities beyond SIEM and log analysis, including user behavior analysis, threat intelligence, and customer behavior analysis. Companies such as Aramco have invested in Splunk and are capitalizing on these solutions. They are focusing more on the defense and detection side. With Splunk, they remove ArcSight Logger and add Dragos as part of their strategy. This is why they are migrating all plants from ArcSight Logger to Splunk.

As a department head, my staff uses my credentials and contacts everywhere. Only ArcSight Logger with Splunk was implemented in Aramco, not in other organizations. I rate ArcSight Logger 8 out of 10.

The product helps me see all the event logs in one place. When I look into the application, I can see different levels of alerts and make the required decision.

The solution provides information about the risk factors. It also provides information on our security exposure.

There are multiple sources, like Windows and Unix, and we need connectors to get the logs. The solution must provide readymade connectors for different applications. Otherwise, we have to build connectors ourselves.

I have been using the solution for almost five years.

The tool is stable.

The tool is scalable. We can map many devices without any issues. We have almost 1500 devices. We have two administrators. We will continue using the solution for now.

The technical support team is very slow. The support persons do not take prompt action. They take too much time to implement new changes. Even if we tell them that we are not able to get critical logs, they take almost three to four days to provide a resolution. The support is not good.

We have used other products, but they were not as good as ArcSight Logger. We decided to use ArcSight Logger because we wanted a unified tool that captures all the logs across all devices.

The initial setup is moderately difficult. It is easy if we are trained well. Otherwise, the deployment takes three to four days.

The product is worth the money. I am able to get the results I need.

People who want to use the tool must understand the range of products they will connect with ArcSight, their use cases, and what they are looking for. The configuration is done according to our requirements. Otherwise, the solution will be flooded with false alarms, and we will miss the important alerts. Overall, I rate the product an eight out of ten.

We don't have a lot of use cases. We supposed the MSSP provider would have a lot of use cases, and this intelligence would be used in the contract, but it wasn't the case. 

We do have some specific situations like alerts in case of changes to extremely powerful accounts, administrative groups, and things like that.

Investigation is good when you know what you want to search for in Logger. The most difficult part is parsing the logs and configuring the parsers. For investigation, it's good. For correlation, it's not good. We use Sentinel, and Sentinel has pre-built use cases that are much easier to configure. So, it enhances our security incident investigation.

We have inbound integration, but configuring the parsers is sometimes very difficult. We only have two use cases where we have a correlation set up. We send the information to Check Point to block IP addresses when we see a lot of blocks from the same source. We have a trigger. So, Logger automatically blocks these IP addresses. We could have Logger put them on a blacklist.

So, it offers the ease of integration.

The solution has room for improvement. We're currently upgrading to the newer version, where they have something like Kafka, a hub for all solutions feeding information into Logger. 

However, I think ArcSight has been sold two or three times, and the quality has decreased. I wouldn't recommend ArcSight.

I have been using it for 12 years.

The importance of ArcSight has diminished since the recent acquisitions. The support is not good, and it's difficult to find people with ArcSight skills in Brazil. I don't know if the situation is similar in other countries.

Neutral

The pricing isn't the problem. We have a lifetime license, so we don't pay a monthly fee. 

If you're adopting a new SIEM, I wouldn't recommend ArcSight.

Overall, I would rate the solution a six out of ten. 

We use the product for Windows event management, custom application onboarding, and integration with firewalls and other security tools for log collection and security monitoring.

We encounter challenges when onboarding logs from cloud sources, so we are considering transitioning to a cloud-based solution. Additionally, we find that the search and access functionality is quite slow. It is not a scalable product, so we have to create and manage storage.

Additionally, they could include case management functionality. It would be beneficial to have both the Logger and the ESM (Enterprise Security Manager) accessible from a single interface.

We have been using ArcSight Logger for five years.

The scalability of ArcSight Logger has indeed impacted our capabilities. There has been a noticeable operational impact, as we sometimes face challenges obtaining what we need from the vendor. Additionally, we must manage storage ourselves, creating file storage amounts, which can be cumbersome. Since we continuously log data, particularly 365 days a year, accessing historical data can sometimes be problematic due to data issues.

I rate the scalability a seven out of ten.

While the technical support team provides fast responses to our queries, we have encountered challenges obtaining the support level we expected, especially during the deployment phase. Despite paying for support, we found that more assistance was needed. Additionally, the community and document repository could be better.

Positive

Our return on investment for implementing ArcSight Logger over the past 12 months has been positive.

Pricing is reasonable compared to similar tools on the market. They offer perpetual licenses.

Integrating ArcSight with security tools in our environment is relatively straightforward for on-premises tools. However, integration is more challenging for cloud-based tools. We often need to develop a custom process, even for some on-premises tools.

The response time on IDQ (Informatica Data Quality) routines has improved significantly from the previous version. However, the SOAR platform is not particularly user-friendly for developing and deploying playbooks, including out-of-the-box playbooks and support for SolarWinds.

I rate it a seven out of ten.

We primarily use it in our site for compliance.

The machine learning is a good feature. 

The next release should have AI capabilities. 

I have been using ArcSight Logger for 4 years. 

The initial setup is straightforward. 

Overall, I rate the product a 6 out of 10. 

If deployed properly, the solution can collect logs well. The categories of logs are very high. It is very good. The solution is compatible with syslog servers. Our customers like the solution.

It is a proven technology. It is one of the best products available in the market. Loggers generally pull the logs and send them to the main orchestration device. Loggers connect to the SIEM tools, and the solutions speak to each other. It is pretty good.

If we want to increase the capacity of the SIEM tool, the events per second can be increased. Loggers are the only way to fetch the logs. It depends on the customers’ requirements. ArcSight Logger sends the logs. The SIEM system is the main component.

Less false positives will lead to a better solution. If there are more false positives, the solutions provided by the SIEM tool will be diluted. The data retention capabilities depend upon the size of the hard disk. The bigger the hard disk, the more the data can be stored. The integration with other security solutions is good. It's a proven solution in the market.

It would be better if the product is cheaper.

I have been using the solution for a long time.

The tool is very stable.

The tool’s scalability is very good. It is very scalable. We have six customers.

The technical support is reachable and helpful.

SIEM is a complex solution if not installed properly. If it is installed properly, it will be a cakewalk. It will be a very smooth product. We have to understand the network and design before implementing it. We must thoroughly understand the network, where the devices are, how the devices are connected, and where we will get the logs. Then, we can configure the system.

The solution is worth the money. It depends on the customer’s use cases and how they use the information provided by the SIEM tool.

It is a very good solution if the pricing is taken care of. It is a yearly subscription.

We have very few options. We have QRadar, ArcSight, Splunk, and Elastic. Elastic is the analyzer. All the solutions are good. All are enterprise-level tools.

I will recommend the tool to others. It is a robust and scalable solution, but it is expensive. If the customers are willing to pay for the security, the robustness, and the scalability, ArcSight is one of the best products. Overall, I rate the product a ten out of ten.

We use the product for log management purposes at the moment.

ArcSight Logger’s most valuable feature is visibility. It provides in-depth information on business activities once we log into the system.

The platform is quite expensive. They should reduce its cost.

We have been using ArcSight Logger for a year now.

It is quite a stable platform. I rate its stability a seven out of ten.

We have less than ten ArcSight Logger users in our organization. It provides a medium level of scalability.

I rate the initial setup process a five out of ten. It takes a week to complete the deployment.

We execute some of the implementation steps and take help from our vendor for a few.

I rate the product’s pricing a seven out of ten, where one is inexpensive, and ten is expensive.

I recommend ArcSight Logger a seven out of ten. The product’s setup could be quite user-friendly. There could be a proper guide to understand the process.

Our primary use case for this solution is incident response, investigations and log management. For example, risky network communications, communications with risky countries, and VPN connections from outside the country. We deploy the solution on-premises.

The log digestion features from threat intelligence platforms like Recorded Future or Talos are valuable.

The graphics and dashboard could be improved.

We have been using this solution for approximately four years and are currently using ArcSight 7.

The solution is scalable, and we have approximately 6,000 machines sending logs.

We have had a good experience with customer service and support.

The initial setup was a little bit complex.

Implementation was done in-house.

The licensing costs are standard and are charged yearly.

I rate this solution an eight out of ten. The solution is good, but the dashboard can be improved.

We check a lot of logs in ArcSight Logger because we're running a massive database platform.

I had some latency issues for two months. I had to increase our storage capacity significantly to reduce the latency. 

I have been using Logger for around five years.

The scalability is good. I built our ArcSight Logger deployment, so I will increase resources if there are any performance problems. 

I haven't had many problems, but I a partner in Jordan has helped me more than the vendor.  

I didn't use logging tools previously, but I used Elasticsearch to prepare to use Logger, and I have the ability to build query support in ArcSight Logger.

Setting up ArcSight Logger is easy.

We have a Logger license for lots of devices because our company built 5,000 CBS. 5,000 CBS. You need to buy the  ESM and Logger licenses.This is the last year we will be using ArcSight Logger. We plan to switch to Recon. We'll adopt the next-generation ArcSight tools like Recon and Transformation Hub. If the performance improves, then I have licensed 5,000 CBS. We expect to increase the licenses to 15,000 CBS and expand the scope and network. 

I rate ArcSight Logger eight out of 10.

The solution is used for searching and test reports.

The provisioning engine is a valuable feature of the solution.

It is really difficult to work in ArcSight Logger, as it is very slow. I have worked three times on these logs due to their slow functioning.

If it changes completely, I think there will be two issues. Firstly, if they are using big data, then it will be very costly, and it will be enhanced with service protocol. Secondly, I see a lot of customers in Saudi Arabia coming overseas to vendors to get the ArcSight Logger version which uses big data for searching.

I have been using ArcSight Logger for nine years.

It is a scalable solution. You can create tools and add more than one program to one board. A total of fifteen users are using ArcSight Logger at the moment.

The technical support team is good.

The initial setup is straightforward. The maintenance is good. We deployed the solution on-premises, as there is some restriction on the cloud, and customers prefer it on on-premises as it is cheaper.

If you are willing to work with ArcSight Logger, you must be aware of the security reasons as an institution. The security advantages should be known to understand the functionalities, and you also have to be familiar with VNX strategies.

I rate the overall solution a three out of ten.