We primarily use the solution for monitoring all of our perimeter - from critical assets to less critical ones. It covers IT assets, networks, databases, servers, endpoints, etc.
An extremely customizable and scalable enterprise-level solution with great stability
Pros and Cons
- "The ability to customize the solution in great detail is its most valuable feature. We can customize the use cases and also have the ability to do scripting. We can personalize our dashboard as well. The scalability the solution offers is quite impressive."
- "It's the most comprehensive solution."
- "The solution should make it possible to integrate network analysis features."
- "They should enhance and improve everything related to the graphical user interface."
What is our primary use case?
What is most valuable?
The ability to customize the solution in great detail is its most valuable feature. We can customize the use cases and also have the ability to do scripting. We can personalize our dashboard as well. The scalability the solution offers is quite impressive.
What needs improvement?
They should enhance and improve everything related to the graphical user interface. It needs to be more fluid and easy to use. Many think that ArcSight is complex and difficult. This is not something that my team feels but that's because we have acquired experience and expertise over time.
The solution should make it possible to integrate network analysis features.
For how long have I used the solution?
I've been using the solution for four years.
Buyer's Guide
ArcSight Logger
June 2026
Learn what your peers think about ArcSight Logger. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,270 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability of the solution is good. There are very few bugs.
What do I think about the scalability of the solution?
The scalability of the solution is very, very good.
How are customer service and support?
Technical support is very responsive.
Which solution did I use previously and why did I switch?
We didn't previously use a different solution.
How was the initial setup?
The initial setup was straightforward. Deployment varies according to the scope of your technical parameters. Maintenance is a daily activity. I have a team of two people that are focused on the administration of the outside platform.
What about the implementation team?
We implemented the solution through an integrator.
Which other solutions did I evaluate?
We evaluated QRadar before we implemented this solution.
What other advice do I have?
We are using the on-premises deployment model.
There are people who say "Oh, ArcSight is losing its position and it's complex or it's not a good solution." I do not agree. I know that the biggest companies in the world are still working with ArcSight. It's the most comprehensive solution. It contains many features that are useful for enterprise-level organizations.
If a company has a team that wants to go deeper and get the most features out of developing a real SOC, they should look for a very robust, scalable, multi-tenant solution. The solution should also be able to manage data analytics and to offer User Behavior Analytics. ArcSight offers this.
This particular solution is perfect for big companies. Smaller companies should look for integrated solutions that do not necessarily scale.
I would rate the solution nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Analyst at a tech services company with 11-50 employees
Good searching with detailed display of firewall and Windows events
Pros and Cons
- "The most valuable feature is the level of detail that you can see about certain events, even when they do not come up in the console."
- "This is a solution that is straightforward and easy to use."
- "I would like to see better scheduling in the next release of this solution."
What is our primary use case?
We are a service provider and this solution is deployed on-premises for some of our customers. It is primarily used for firewall and Windows events.
What is most valuable?
The most valuable feature is the level of detail that you can see about certain events, even when they do not come up in the console.
The searching is very good, where you can search for the larger part of the event.
What needs improvement?
I would like to see better scheduling in the next release of this solution.
It would improve the solution if some of the features available in the console were implemented within the search. More things can be done in the console, while the logger is restricted to just a few of them.
For how long have I used the solution?
We have been using this solution for about one year.
What do I think about the stability of the solution?
The stability of this solution is fine, so far.
What do I think about the scalability of the solution?
When you export a large number of events then it gets slower.
We have about fifty users for this solution. We do not yet have plans to increase usage.
How are customer service and technical support?
Technical support for this solution has definitely been helpful.
Which solution did I use previously and why did I switch?
We evaluated Splunk and IBM QRadar before choosing this solution.
How was the initial setup?
The first time you set up this solution it is a little bit complex. But when you try it again and you know where the errors are, it is much more comfortable.
We have four administrators who maintain this solution.
What about the implementation team?
We deployed this solution ourselves.
Which other solutions did I evaluate?
We did not use another solution prior to this one, although we have upgraded versions.
What other advice do I have?
This is a solution that is straightforward and easy to use. It is user-friendly and not complex.
I would rate this solution an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Consultant at a tech services company with 11-50 employees
User behavior analytics for investigating
Pros and Cons
- "In our country we are a little bit private in terms of solutions, so we are just starting to use the basic data capture. Now some users can start to use additional features that come with Micro Focus ArcSight like user behavior analytics for investigating."
- "ArcSight Logger is very expensive compared to their competitors, but when we talk to the customer and explain what the features are and how we can scale, they understand."
- "I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more competency or appeal to use. We hope Micro Focus is trying to resolve this."
What is our primary use case?
We use the on-premise version of ArcSight Logger.
What is most valuable?
In our country we are a little bit private in terms of solutions, so we are just starting to use the basic data capture. Now some users can start to use additional features that come with Micro Focus ArcSight like user behavior analytics for investigating.
What needs improvement?
I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more competency or appeal to use. We hope Micro Focus is trying to resolve this.
A lot of people that compare this solution with QRadar or McAfee say that the other products in the market are easier to use than ArcSight. After customers do the training to see how they can use it, they change their minds a little bit, but it still seems that Micro Focus should take some time to reduce the complexity in using ArcSight.
ArcSight should give each customer more visibility or a more useful presentation on the web product. There are a lot of customers that want to use the product in the web, especially to use the dashboard, but the dashboard is not so beautiful.
For how long have I used the solution?
We've been using this solution for five years.
What do I think about the stability of the solution?
It has worked fine until now for whatever I needed. Sometimes an issue can occur when a client wants to upgrade the software to a major version. For the most part though, it is very stable.
What do I think about the scalability of the solution?
Well, before the last version I think it was a little bit difficult, but now with the new version that is integrated with the ESM it's a little bit more efficient.
How are customer service and technical support?
That is one of the bad things with Micro Focus. They are not so reactive and sometimes it takes more time to address the issue. There are many tickets that have not been resolved yet. We hope that Micro Focus will be more reactive than they are at the moment.
How was the initial setup?
The deployment doesn't take much time for the standard setup, but it can take more time when we need to integrate the device with the system. Sometimes we have found that we are not supported naturally and must do some tuning to integrate it. That can take some more time, but setup of the initial system does not take more time. It's easy for me now to do this setup. I remember during my first year it took a little bit more time, but that's normal. It's easier to deploy the product in the basic standard, but in the complex module, it takes a little bit more time.
What's my experience with pricing, setup cost, and licensing?
ArcSight Logger is very expensive compared to their competitors, but when we talk to the customer and explain what the features are and how we can scale, they understand. Still, ArcSight is more expensive than the competition.
What other advice do I have?
I would rate this solution as ten out of ten.
Whenever I talk about the product I tell the user to start easy, not to take the whole package and to try to use it quickly. Start with the basics, then you can ramp up fluidly. Sometimes the client or customer wants to take it urgently so at that moment it will be more difficult to use. I prefer to take the product step by step.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Vulnerability Assessor at Telenor Common Operation
Can handle a huge amount of logs and we are able to create use cases to fit our needs
Pros and Cons
- "The ESM use cases are the most valuable; it enables us to use the big data collection inside our company, and we are able to create use cases for whatever it suits and I find that the most interesting part of any SIEM solution."
- "The speed of Logger indexing and searching for certain bugs for some queries that we provide could be improved. It can handle a huge number of logs but it can be improved."
What is our primary use case?
We have several uses for this solution like retention storage. We use Logger for some queries since we are in the telco industry. We use it for IT, MSISDN, and mobile phone. For the SM we have communication for the infrastructures including security. Plus, we use ESM for prevention and for a couple of cases we use it for fraud prevention and some for the VIP members check.
What is most valuable?
The ESM use cases are the most valuable. It enables us to use the big data collection inside our company. We are able to create use cases for whatever it suits and I find that the most interesting part of any SIEM solution.
What needs improvement?
The speed of Logger indexing and searching for certain bugs for some queries that we provide could be improved. It can handle a huge number of logs but it can be improved.
They should improve the speed of the indexing and queries being dumped. Technical support's response time could also be slightly improved. Although these two issues are not something bad, it's just the only things that I think have any possibility to improve, but they're not necessarily something that is bad.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It is pretty much stable. From time to time we have cases of a connector crashing so the drama processing it is when it gets stuck but that is just an occasional case.
What do I think about the scalability of the solution?
It's pretty much scalable. You can just add remote connectors and you can add remote log types. One of the best parts of the product is FlexConnector. Implementing them is easy to configure.
We have twenty users using this solution, mostly comprised of information security guys and cybersecurity. There are IT infrastructure engineers like Windows Unix engineers and some telco fraud prevention specialists.
We have two guys operating this solution in these three countries so we require two to three people to maintain the whole thing.
How are customer service and technical support?
Their technical support is also good. Whenever we request anything they are prompt and the guys are well trained. Any customer could say that it could be faster but I understand that we are not alone in this world. They have plenty of other customers so I completely understand. I would rate their support a nine out of ten. There is always room for more of a prompt response but I'm talking about hours, not days.
How was the initial setup?
I was new to cybersecurity when I joined my company and they were implementing it at the time so the initial setup was a bit complex for me. When I got introduced to it for the first time and got thousands and thousands of pages of documentation it was a bit complex for me to fully understand how it works and how it functions. At this point, I don't think it's complex. It's pretty much straightforward and it's not complex for an experienced IT or security guy.
The full implementation took one year, but there was a huge number of connectors that we implemented across three countries including Hungary, Serbia, and Montenegro. There were a huge number of connectors and a huge number of connector servers. I believe that that's why it took a year, it might have been a bit less.
What other advice do I have?
I would rate it a nine out of ten. I wouldn't give any solution a perfect ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Specialist with 1,001-5,000 employees
It gives administrators the ability to turn off some of the options displayed in case they don't need to see those specific sections.
Pros and Cons
- "The functionalities of this particular server are absolutely phenomenal."
- "The only thing I did not particularly like about the product was its speed on the web interface."
What is most valuable?
The functionalities of this particular server are absolutely phenomenal. The server has the ability to provide in-depth, real-time awareness of all activities on the network.
The platform also gives the administrators the ability to turn off some of the options displayed in case they don't need to see those specific sections.
The ability to query anything at any time using any specific field required, and the ability to automate the logger storage capabilities are great features.
How has it helped my organization?
Before the logger was installed on our network, we were very limited as to what type of information we could get back from our previous logger because the old one didn't have as many functionalities.
With ArcSight Logger, our ability to have a more in-depth look into the network traffic and the ability to save the reports for a set amount of time was a huge improvement.
What needs improvement?
The only thing I did not particularly like about the product was its speed on the web interface. It took very long for it to populate and perform the queries.
For how long have I used the solution?
I used this product as a network administrator for two years.
What was my experience with deployment of the solution?
The installation of the server and its agents on the network devices went extremely smoothly. The only issue we had was finding the correct agents to install on our older UNIX-based servers for which we had to contact HP to get information on how to go about acquiring the correct agents.
What do I think about the stability of the solution?
We have had no issues with the stability.
What do I think about the scalability of the solution?
We had no issues scaling it for our needs.
How are customer service and technical support?
We never actually had to call customer support because of the technical forums available to all ArcSight users who could share information and help troubleshoot in case anything was wrong or unclear about how to set up and use the system.
Which solution did I use previously and why did I switch?
We were using a different product for our monitoring and logging services. The reason why we chose to switch over was the in-depth analysis capabilities provided by HP ArcSight which were not previously available to us.
How was the initial setup?
Initially, we had some trouble finding the right agents to install on our servers since we were using some proprietary software on the network, but after we got past that step, everything else was pretty straightforward.
What about the implementation team?
We had one agent come out to our office to assist us with the implementation.
What other advice do I have?
Start using the available resources by registering your product immediately after deploying the unit and contributing to the ArcSight community.
Also, once you decide to go with ArcSight, make sure you go with the complete solution recommended by HP based on the size of your network because that could potentially cause the ArcSight server to perform extremely slowly.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security, Associate Consultant - On-location at a tech company with 501-1,000 employees
It integrates with ArcSight SIEM as it uses the same connectors.
Pros and Cons
- "I think where Logger shines is usability."
- "Clicking on a log source on the main page should not pull all stored logs as this is too slow and way excessive."
Valuable Features
Several features are valuable to us, including --
- Log management in general
- Security options
- Integration with ArcSight SIEM as it uses the same connectors
- Simple GUI
- Powerful searching and reporting tools
Improvements to My Organization
Although I unfortunately can't comment on specific usage within my company, we have seen improvements from the use of ArcSight Logger and the many features that are valuable to us.
Room for Improvement
SmartConnector vendor support will always be a battle, but most major vendors and products seem to be supported.
Clicking on a log source on the main page should not pull all stored logs as this is too slow and way excessive. It should default to a recent and smaller sample.
Deployment Issues
My deployment is on Red Hat though which seems pretty speedy, so I am unsure for more Windows-based deploys.
Stability Issues
We have had no issues with stability.
Scalability Issues
From what I can see, it scales well. It does require a pretty hefty baseline, but the more system resources you give it, the better it seems to perform.
Customer Service and Technical Support
HP support has been fairly impressive. Shifting personnel causes a bit of disruption in deployment tasks, but they seem to compensate for shifts pretty well.
Initial Setup
For main components, HP SE’s seem eager to help. The way documentation is organized on their site could definitely use some work though. Documentation exists, and it’s generally pretty solid, but most times, asking an HP SE directly to email it to you tends to be much easier than searching for it yourself.
Implementation Team
Implementation of anything this size and scope in a large company requires a lot of work. So getting outside assistance or additional staffing for deployment and support is recommended.
Other Solutions Considered
Splunk is definitely a direct competitor and equally powerful. Logger seems to have a better interface in my opinion. Also, if your company is already using ArcSight, it makes sense to go with Logger as it utilizes the same SmartConnectors for log parsing/forwarding.
I think where Logger shines is usability. Splunk is a beast unto itself and people build careers on it. Not to knock it too much, as it is a very powerful product. But the appeal of Logger is it makes log management accessible and usable to any IT/systems/networking employee or user to be able to make sense and use it while not having to become a guru of a specific log management system to use it to its fullest extent.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Operations Manager at a recruiting/HR firm with 1,001-5,000 employees
Data correlation, which unfortunately only comes with an ESM module, is the most valuable feature for us.
Pros and Cons
- "Data correlation, which unfortunately only comes with an ESM module, is the most valuable feature for us."
- "It is very expensive for what it delivers."
What is most valuable?
Data correlation, which unfortunately only comes with an ESM module, is the most valuable feature for us.
What needs improvement?
We have issues with connecting standard HP network devices as they appear to not be supported by HP ArcSight. One company/product is not aligned and apparently it is expected that all the network data is in CEF format, which is impossible for the HP network sources to deliver. Instead, HP ArcSight should be able to handle any file format.
For how long have I used the solution?
We are still currently implementing it.
What was my experience with deployment of the solution?
There were no issues deploying it.
What do I think about the stability of the solution?
We have had no stability issues.
What do I think about the scalability of the solution?
There have been no issues scaling it.
How are customer service and technical support?
I'd rate technical support a 7/10.
Which solution did I use previously and why did I switch?
There was no previous solution in place.
How was the initial setup?
It's complex for several reasons -
- Targeting and logic of systems
- Bandwidth dependencies
- Data privacy
- Location
- FW settings
- File formats
What about the implementation team?
We're using a vendor team.
What was our ROI?
It is very expensive for what it delivers. Licensing is set at 80 servers, just enough to catch the most important ones.
Disclosure: My company has a business relationship with this vendor other than being a customer. We're a third-party vendor.
Security Solutions Delivery Engineer at a tech services company with 1,001-5,000 employees
It provides us with real-time correlation and longer-term log storage.
Pros and Cons
- "It benefits the organization by identifying the threats ranging from the most basic ones to many advanced ones."
- "The initial setup was a bit complicated to follow since there are many different components present within it."
What is most valuable?
- Real-time correlation
- Long-term log storage
How has it helped my organization?
It benefits the organization by identifying the threats ranging from the most basic ones to many advanced ones. Any of these threats could have a negative impact on business, so it's important that ArcSight Logger can identify all of them.
What needs improvement?
I wouldn’t mind adding a few features such as grouping of events based on the “name”, “source address”, etc. in real-time rather than requiring the running of reports every time. A few competitors allow this functionality already.
For how long have I used the solution?
I've been using it for four years.
What was my experience with deployment of the solution?
There have been no issues deploying it.
What do I think about the stability of the solution?
It's highly stable and we haven't had any issues with instability.
What do I think about the scalability of the solution?
The solution is designed to be easily scalable depending on different organizations and their existing expansions.
How are customer service and technical support?
The level of technical support is intermediate. Although they're helpful and polite, they don't help with emergency situations. However, the global ArcSight community is sufficient for the resolution of most critical errors.
Which solution did I use previously and why did I switch?
It provides the level of flexibility and options specially to define custom use-case scenarios like no other SIEM tool, though I have experience with only one other.
How was the initial setup?
The initial setup was a bit complicated to follow since there are many different components present within it. However, the complexity once learned adds a level of flexibility that you can play with.
What about the implementation team?
We did it through a vendor team. Proper planning in place ensures smooth execution.
What other advice do I have?
Plan, implement, explore and protect.
Disclosure: My company has a business relationship with this vendor other than being a customer. We’re a partner company.
SIEM Administrator at a tech services company with 1,001-5,000 employees
The most valuable features for us are the out-of-the-box device support capability and multi-tenancy maturity compared to other SIEM OEMs.
Pros and Cons
- "I would definitely say to go with this product as it's the best in the market, but before opting for this product perform your solution-sizing because otherwise you might end up digging your own grave in fixing it."
- "HP needs to work on the stability as it is mostly dependent on Java and there are console-related issues."
What is most valuable?
The most valuable features for us are the out-of-the-box device support capability and multi-tenancy maturity compared to other SIEM OEMs.
How has it helped my organization?
For example, it has helped us and the organization with a maturity level in the SIEM market to reach greater heights and compete with other organizations. We have an edge in the market with this product.
What needs improvement?
ArcSight Logger needs to improve in the area of threat analytics as security is vitally important to us. It also needs to provide some "upper-hand" features on some functionalities, as they're somewhat not so easy to use.
For how long have I used the solution?
I've used it for four-and-a-half years myself, and it's been around 12 years of use by the organization.
What was my experience with deployment of the solution?
We had no issues with the deployment.
What do I think about the stability of the solution?
HP needs to work on the stability as it is mostly dependent on Java and there are console-related issues.
What do I think about the scalability of the solution?
We have had no issues scaling it for our needs.
How are customer service and technical support?
I would rate technical support as good but not the best when compared to a few years prior. The level of support seems to have decreased lately.
Which solution did I use previously and why did I switch?
Our first SIEM product is this. We chose it because it's a major player in the SIEM technology market and it's mature, even as it's in the earlier stages.
How was the initial setup?
I would say the initial versions of ArcSight components were pretty complex. For example, consider ESM, for which we had to install the manager and database separately and there were major issues with it on the archiving, and also the database management was pretty tough. But over a period of time, they improved drastically when the CORR-E came into the market.
What about the implementation team?
We have our own in-house SIEM administration and implementation team which handles all the activities for multiple customers.
What's my experience with pricing, setup cost, and licensing?
For licensing, I would say ArcSight beats all the vendors in the market in complexity.
What other advice do I have?
I would definitely say to go with this product as it's the best in the market, but before opting for this product perform your solution-sizing because otherwise you might end up digging your own grave in fixing it.
Disclosure: My company has a business relationship with this vendor other than being a customer. We're partners.
Senior Security and Compliance Engineer at a retailer with 501-1,000 employees
It has excellent query syntax and response.
Pros and Cons
- "ArcSight has improved incident response from days to minutes."
- "The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance."
What is most valuable?
It has excellent query syntax and response. Complex queries of large volumes of data generally take seconds if not minutes.
How has it helped my organization?
ArcSight has improved incident response from days to minutes. It also offered ancillary non-security troubleshooting features, which were surprise benefits to teams such as network and operations.
What needs improvement?
I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.
For how long have I used the solution?
We've been using it for two years.
What was my experience with deployment of the solution?
We had no issues with the deployment.
What do I think about the stability of the solution?
We have had no stability issues.
What do I think about the scalability of the solution?
The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance. The issue was self-inflicted as we discovered more use cases when adding new logs and log types.
How are customer service and technical support?
Technical support is excellent. In fact, that was one of the best "features" of the implementation. I never had to wait to reach specialist help, and all engineers that I spoke with were highly technical and were pleasant.
Which solution did I use previously and why did I switch?
I previously used a significant RSA Envision installation that had extremely poor performance with complex queries. It was routine to wait an hour or more for a more complex query. HP ArcSight was introduced by a CISO with previous experience at a previous employer and the improvement was immediately obvious. It was a wise decision that I took with me to my next organization.
What about the implementation team?
It can be difficult to set up connectors to ingest and normalize different log types initially.
What was our ROI?
I would recommend HP professional services for starting up. I used that approach and was able to glean enough through knowledge transfer to hit the ground running from day one in production.
What's my experience with pricing, setup cost, and licensing?
Security makes it difficult to quantify ROI, but I can say that we were able to complete incident response in minutes where the same had taken hours or days.
Which other solutions did I evaluate?
In terms of pricing, size appropriately, and realistically up front. That said, the product architecture is scalable as needs grow.
What other advice do I have?
ArcSight has a Google-like query syntax with boolean-style operands. That said, there is also a GUI to craft queries. I'd recommend learning the GUI as this is the same GUI used in HP's ESM product, the engine that can correlate disparate log events and turn incident response from reactive to proactive alerting. Getting a head start on learning that syntax would help ease into the highly-recommended ESM or ESM Express products.
Disclosure: My company has a business relationship with this vendor other than being a customer. At the time, I formed a strategic partnership with HP Enterprise Security and co-presented their products at a business vertical relevant technology conference, served as a customer reference and referenced HP ArcSight in a case study about my complementary HP (now TrendMicro) TippingPoint Intrusion Prevention System implementation.
Thank you for your honest feedback and the 5 star score. I will ensure that your comments related to support, complexity, and pricing are passed to the Product Manager.