ArcSight Logger Reviews

We primarily use the solution for monitoring all of our perimeter - from critical assets to less critical ones. It covers IT assets, networks, databases, servers, endpoints, etc.

The ability to customize the solution in great detail is its most valuable feature. We can customize the use cases and also have the ability to do scripting. We can personalize our dashboard as well. The scalability the solution offers is quite impressive. 

They should enhance and improve everything related to the graphical user interface. It needs to be more fluid and easy to use. Many think that ArcSight is complex and difficult. This is not something that my team feels but that's because we have acquired experience and expertise over time.

The solution should make it possible to integrate network analysis features.

The stability of the solution is good. There are very few bugs.

The scalability of the solution is very, very good.

Technical support is very responsive.

We didn't previously use a different solution.

The initial setup was straightforward. Deployment varies according to the scope of your technical parameters. Maintenance is a daily activity. I have a team of two people that are focused on the administration of the outside platform.

We implemented the solution through an integrator.

We evaluated QRadar before we implemented this solution.

We are using the on-premises deployment model.

There are people who say "Oh, ArcSight is losing its position and it's complex or it's not a good solution." I do not agree. I know that the biggest companies in the world are still working with ArcSight. It's the most comprehensive solution. It contains many features that are useful for enterprise-level organizations. 

If a company has a team that wants to go deeper and get the most features out of developing a real SOC, they should look for a very robust, scalable,  multi-tenant solution. The solution should also be able to manage data analytics and to offer User Behavior Analytics. Arcsight offers this. 

This particular solution is perfect for big companies. Smaller companies should look for integrated solutions that do not necessarily scale.

I would rate the solution nine out of ten.

Our primary use case was to catch malicious activity happening inside our organization.

As the name suggests, it's a brilliant log collection tool, and it can handle hundreds of thousands of servers in a single shot to ingest the data.

The search operations are very fast, and you can get reports very easily for a huge number of events. You can export the search operations.

It's very easy when you want to further forward the logs as well. For example, from the end device if I'm receiving logs in an outside logger and I want to forward those to some other product, which will do something for me, I can easily do it. That's one thing that I like about it.

It's not a new product and is a bit complex. So, it requires a person dedicated to working on it and to know about it in and out. It is a huge product, and the search operation is a bit complicated for a new user or someone who has not used it for long. So for that person, it becomes a bit difficult.

There is a storage problem, and some improvement can be made at the search mechanism.

If you want to do a search, then you have to obtain a couple of criteria to get the exact amount of data. Let's say you have hundreds and thousands of servers in your environment, which will ultimately populate billions of events in a single day, especially the network devices. In this case, if you want to search a specific event, you have to be very, very specific with that query. That's something that can be generalized a bit.

Apart from that, it's a very complex tool and is not easy to implement and maintain. It requires a dedicated team.

Another thing that I think can be improved is the performance issue. When you are ingesting data in ArcSight and also you are forwarding the data from ArcSight to some other products, I have seen some performance issues.

ArcSight, does not perform well in this case. It takes time to process the data. The load is too much. At times, the logger crashes.

The UI can be improved as well.

I used it for close to two years.

The overall stability is good, and I'd rate it as fine.

To scale it, it again comes down to how are you using it. You need to identify the areas which are taking too much load or requiring too many resources from the logger. Area identification needs to be there. Once you do that, then it is easier to scale.

If you are not looking at the right place, then it would be difficult to scale because the bigger the organization, the bigger is the architecture of ArcSight Logger. This is because you need to have multiple loggers so that ArcSight Logger can withhold all the data that I want to feed into it.

We had 20 to 30 users who used ArcSight Logger logger on a daily basis.

Technical support is good. Depending on the agreement with the vendor, such as gold support, platinum support, etc., the support can differ. However, overall, it is good.

The initial setup is complex.

We got help from the vendor during implementation. Without the vendor's help, I would say it's very, very difficult to implement ArcSight Logger and maintain. It's a very complex tool, so we need to have vendor support for implementation.

It's not cheap at all as it's a big product and has been in the market for quite some time now.

I would recommend ArcSight Logger and rate it at seven on a scale from one to ten.

It has excellent query syntax and response. Complex queries of large volumes of data generally take seconds if not minutes.

ArcSight has improved incident response from days to minutes. It also offered ancillary non-security troubleshooting features, which were surprise benefits to teams such as network and operations.

I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.

We've been using it for two years.

We had no issues with the deployment.

We have had no stability issues.

The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance. The issue was self-inflicted as we discovered more use cases when adding new logs and log types.

Technical support is excellent. In fact, that was one of the best "features" of the implementation. I never had to wait to reach specialist help, and all engineers that I spoke with were highly technical and were pleasant.

I previously used a significant RSA Envision installation that had extremely poor performance with complex queries. It was routine to wait an hour or more for a more complex query. HP ArcSight was introduced by a CISO with previous experience at a previous employer and the improvement was immediately obvious. It was a wise decision that I took with me to my next organization.

It can be difficult to set up connectors to ingest and normalize different log types initially.

I would recommend HP professional services for starting up. I used that approach and was able to glean enough through knowledge transfer to hit the ground running from day one in production.

Security makes it difficult to quantify ROI, but I can say that we were able to complete incident response in minutes where the same had taken hours or days.

In terms of pricing, size appropriately, and realistically up front. That said, the product architecture is scalable as needs grow.

ArcSight has a Google-like query syntax with boolean-style operands. That said, there is also a GUI to craft queries. I'd recommend learning the GUI as this is the same GUI used in HP's ESM product, the engine that can correlate disparate log events and turn incident response from reactive to proactive alerting. Getting a head start on learning that syntax would help ease into the highly-recommended ESM or ESM Express products.

• Scalability of the smart connectors
• Ease of storing billions of events without special storage needs
• Great compression rates

First of all, the collection of a mass of events is a challenge for enterprise companies. You need a great deal of storage and how you collect them is an issue. The smart connectors and great compression rates of ArcSight helped us a lot.

The other thing is to be able to be competitive as you need to show that you need a logging system that complies to the laws in your country and company policy so that you can continue to do your business. With ArcSight, we easily pass the requirements of the external audits our clients require.

I would say that the consolidation should be done only by using ArcSight. We need to use the ESM module to create complex rules and reports as we can only do limited reports with ArcSight.

We've used it for about two years.

The main problem is how to collect logs from various resources.

The smart connectors are very stable.

We've had no issues scaling it for our needs.

Since we work with partners, I can't say too much. However, for every company on this planet there is always room for improvement in the level of support.

This was the first solution we've used, and I believe it will be the last solution we need.

We used an appliance, so the setup was very easy. But I must say that even if you use an open server, it is not complex to deploy this product.

We worked with a partner for the implementation.

It is really hard to measure ROI financially, but there are some important things to say. First of all, since it's easy to use, our operational time has decreased so that we as technical staff have much more time to spend on other issues. Since we collect all of the logs, we can investigate fraud and find their sources. We can also find the causes of system outages.

It works fast and you can collect just about everything. The only drawback is that without ESM, you are limited. The most important thing is the scalability of the product and its ease of use. Companies like us need some specific connectors, and smart connectors give us a very scalable solution. Also, even though we have billions of events, it is really fast in finding the logs we need. That makes this solution amazing.

Some of the most valuable features I really appreciate are the performance, how quick the solution is, and how easy it is to create a query. Additionally, it is user friendly and the automatic graph creation feature is beneficial. 

The solution could be improved in maintenance settings.

Some of the additional features I would like to see in the next release is an automated dashboard of the logs that has information that is more detailed. 

I have used this solution for one and a half years. 

It is a stable solution. 

It is a scalable solution. 

The technical support is very good providing accurate answers and I have never experienced problems with them.

The initial setup to be straightforward, you just have to stick to the documents and it is really easy.

My current deployment was not a complex environment. It was very easy to deploy and connect with the different connectors. I had deployed the solution approximately three times in my career. 

With a complex environment, the deployment was approximately two days whereas with a really complex environment the setup would require around 15-20 connectors.

I would recommend it to others because the performance of the solution is overall great. One of the significant features are its high search capacity and if you know the query language you will be more comfortable.

I rate ArcSight Logger a nine out of ten.

• Log collecting
• Big Data analytics
• Security analytics

This product was used to help us get PCI compliant. Its automated functions made it easier so we could concentrate more on real issues instead of standard log collecting and alerting issues.

With the connectors, there were some legacy devices that had some problems since support was dropped for those.

We've been using it for four years alongside ArcSight Express.

We had no issues with the deployment.

The stability of the system was good except when we had a DDoS attack, when we lost some functions for a short time.

Scalability is good if your need is high enough, but for smaller cases it isn't so good.

Customer service was very helpful.

Technical support is at a good level.

We used an older version that was going to be replaced.

The initial setup was complex, but that was mainly because of customer security reasons.

We used a subcontractor for the first part of the installation, and finished it off in-house.

We had some big licensing issues when there was a DDoS attack. The attack caused a huge amount of extra activity, so it would be nice to have an "emergency level" of licenses when there are these kinds of issues.

I would recommend, from a security point of view, calculating licensing limits according to what incidents could happen and then get 5-10% more licences on top of that.

We did an evaluation of major vendors and HP was fastest for us to get in and use.

Overall, it is a good system for what we use it for, but some licensing parts are really annoying.

As always, a pre-calculation and pre-planning will help a lot, and compare it to three to four other vendors. Changes on the system that is running are a bit harder to do., in our case this, of course, might be an issue of our customers strict security requirements.

Several features are valuable to us, including --

• Log management in general
• Security options
• Integration with ArcSight SIEM as it uses the same connectors
• Simple GUI
• Powerful searching and reporting tools

Although I unfortunately can't comment on specific usage within my company, we have seen improvements from the use of ArcSight Logger and the many features that are valuable to us.

SmartConnector vendor support will always be a battle, but most major vendors and products seem to be supported.

Clicking on a log source on the main page should not pull all stored logs as this is too slow and way excessive. It should default to a recent and smaller sample.

My deployment is on Red Hat though which seems pretty speedy, so I am unsure for more Windows-based deploys.

We have had no issues with stability.

From what I can see, it scales well. It does require a pretty hefty baseline, but the more system resources you give it, the better it seems to perform.

HP support has been fairly impressive. Shifting personnel causes a bit of disruption in deployment tasks, but they seem to compensate for shifts pretty well.

For main components, HP SE’s seem eager to help. The way documentation is organized on their site could definitely use some work though. Documentation exists, and it’s generally pretty solid, but most times, asking an HP SE directly to email it to you tends to be much easier than searching for it yourself.

Implementation of anything this size and scope in a large company requires a lot of work. So getting outside assistance or additional staffing for deployment and support is recommended.

Splunk is definitely a direct competitor and equally powerful. Logger seems to have a better interface in my opinion. Also, if your company is already using ArcSight, it makes sense to go with Logger as it utilizes the same SmartConnectors for log parsing/forwarding.

I think where Logger shines is usability. Splunk is a beast unto itself and people build careers on it. Not to knock it too much, as it is a very powerful product. But the appeal of Logger is it makes log management accessible and usable to any IT/systems/networking employee or user to be able to make sense and use it while not having to become a guru of a specific log management system to use it to it’s fullest extent.

We use the on-premise version of ArcSight Logger.

In our country we are a little bit private in terms of solutions, so we are just starting to use the basic data capture. Now some users can start to use additional features that come with Micro Focus ArcSight like user behavior analytics for investigating.

I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more more competency or appeal to use. We hope Micro Focus is trying to resolve this.

A lot of people that compare this solution with QRadar or McAfee say that the other products in the market are more easier to use than ArcSight. After customers do the training to see how they can use it, they change their minds a little bit, but it still seems that Micro Focus should take some time to reduce the complexity in using Arcsight.

ArcSight should give each customer more visibility or a more useful presentation on the web product. There are a lot of customers that want to use the product in the web, especially to use the dashboard, but the dashboard is not so beautiful.

It has worked fine until now for whatever I needed. Sometimes an issue can occur when a client wants to upgrade the software to a major version. For the most part though, it is very stable.

Well before the last version I think it was a little bit difficult, but now with the new version that is integrated with the ESM it's little bit more efficient.

That is one of the bad things with Micro Focus. They are not so reactive and sometimes it takes more time to address the issue. There are many tickets that have not been resolved yet. We hope that Mirco Focus will be more reactive than they are at the moment.

The deployment doesn't take much time for the standard setup, but it can take more time when we need to integrate the device with the system. Sometimes we have found that we are not supported naturally and must do some tuning to integrate it. That can take some more time, but setup of the initial system does not taking more time. It's easy for me now to do this setup. I remember during my first year it took a little bit more time, but that's normal. It's easier to deploy the product in the basic standard, but in the complex module, it takes a little bit more time.

ArcSight Logger is very expensive compared to their competitors, but when we talk to the customer and explain what the features are and how we can scale, they understand. Still, ArcSight is more expensive than the competition.

I would rate this solution as ten out of ten.

Whenever I talk about the product I tell the user to start easy, not to take the whole package and to try to use it quickly. Start with the basics, then you can ramp up fluidly. Sometimes the client or customer wants to take it urgently so at that moment it will be more difficult to use. I prefer to take the product step by step.