LogRhythm SIEM Reviews

We use it to alarm our help desk. 

We staring to use it for SMART Response. We have been using SMART Response for about a year. Now, we are starting to push that towards the help desk, so the junior analysts can do more.

It allows us to automate a lot of things with a smaller team.

• AI
• SMART Response
• Looking forward to using the playbooks

• Move it to Linux. I would like to see it get off the SQL Server.
• I would like it to be containerized. 

Our appliance is a little older, so we need to upgrade it. We are going to probably move to the software-only version. However, the issues that we have are our own fault because we didn't buy the right-size appliance.

We are not that big of a company. We are only at about 800 events per second.

We have had a couple of custom logs built, but we don't call in that much.

The initial setup is easy with the physical appliance.

We have two people who are setting it up and doing the admin side.

Make sure you size the appliance correctly.

We use Ansible and Terraform for infrastructure, so the same concept as the playbooks. We are looking to use the playbooks going forward.

We have about 1500 log sources. We do about a 25 million logs a day. Obviously, they're not all events.

The biggest use case is visibility. Because we have a lot of flaws, if you don't have a tool that can bring it all in and give you that visibility, then all that log information is useless. Thus, LogRhythm helps us keep that visibility.

It has definitely improved our security program's maturity, because we have visibility that we didn't have before. We came from another SIEM platform that we had used for over ten years and we completely outgrew that platform. LogRhythm has given us more visibility. It has created more actionable items for us on a day-to-day basis, which gives us more work. At the same time, it has given us more tools than we had before, so that is definitely nice.

I wish I could just name one feature! There are so many: 

• The ability to drill down and pivot from an event is one of the biggest advantage the product has compared to other things that I have seen in the market.
• LogRhythm differentiates itself through its usability.
• Its simplicity. It can do more than just basic simplicity.

We have gone through a few versions which has caused a lot of instability. We have logged a lot of hours with professional services. The version that we are currently on is a lot more stable than what we have experienced in the past. So, it is progressively getting better day-by-day. However, we have had some instability in the past.

There are a lot of things that are on our wishlist which I found out about on day one.

As far as scalability is concerned, it is good.

I would rate the technical support as a nine out of ten. We have had some issues. Though overall, support has been great. The portal and their interaction with us along with their full support has been fantastic.

The initial setup is complex, because it's a huge product. LogRhythm is a beast. It can do so much more than just the analytic software, so it is not your typical installation. It's more of a three to four month installation process because you are gradually bringing in logs and fine tuning them. It is not a difficult process, just a lengthy one.

We have seen a measurable decrease in the mean time to detect and respond to threats. As it comes out new features and new releases, the window is becoming a lot narrower because you can pivot a lot more with the data. Therefore, the new features and enhancements are reducing that.

I just found out about the playbooks at the conference. I plan on using them as soon as I get back.

We have about 2500 messages per second coming in.

The primary use is monitoring logs, to see what's going on.

It's head and shoulders above what we were using, which was SolarWinds LEM.

Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

As long as you don't overfeed it, it's fairly stable.

The scalability has been fairly decent so far, as long as you don't overfeed it.

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: How many tickets they can close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

The initial setup was fairly straightforward.

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.

It monitors any potential security threats within any of our important network security appliances, like our firewall, or any of our important databases. The idea being that you can't look at all the logs at once, so we now have a central point of monitoring for all potential threats.

I have been using LogRhythm for just a few months, but the college has had it for over a year. Until I worked with it, there was no monitoring it and the solution just sat there. The solution is just picking up speed now.

• The threat analytics
• Seeing what potentially could be happening; what are the riskiest things going on.

I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me, so I can focus my attention on my other job responsibilities, because there are a lot of them.

The only issues that we have had with it were Windows-based. The actual appliance has been up and continuously logging everything that we have, and CIS logging through it. There have been no signs of any problems nor instability.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.

The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

I have never used a competing product.

I love the potential of this solution. It sounds like a "set it and forget" type of solution. Let it deal with all the problems. It is good at doing that.

On the day-to-day, I haven't had a huge amount of time to work with the full-spectrum analytics. I have been focusing on getting it updated and up-and-running.

Currently, we have a Windows agent. Therefore, we technically have just two log sources, because the Windows agent is picking up all the domain logs onto one box and forwarding them on. It is taking all the Windows Servers and single-sourcing them. Then, currently, the only other thing that we have actively logging is our Sonic logs and CIS logs. We only have two individual sources listed, but it is more logs than that.

We have a lot of distributed offices and no visibility into any of them. The use case for this product is to collect and integrate logs from all the machines at all the different sites and get better insight into the security areas that we need to tighten up.

I am hoping that we will be able to response to threats and gain visibility into our environment that we don't currently have.

The AI Engine.

I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now.

It seems like it will scale easily with the way our environment is set up.

We have not used LogRhythm's tech support yet.

We were using an MSP and were dissatisfied with its performance. What we started to do was figure out what we could bring in-house and what we needed from a security standpoint, and this SIEM kept coming up as something we should look at.

The initial setup is complex.

We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now.

We require one person for deployment and maintenance.

I would recommend LogRhythm. I am really impressed with it, though we haven't start using it yet.

We are just in the middle of deployment of the full-spectrum analytics capabilities. We haven't finished the configuration of the product yet.

We do plan to use the built-in playbooks.

We have approximately 931 log sources at this point.

Most important criteria when selecting a vendor: 

1. The reputation of the vendor. 
2. The quality of the product. 
3. The integration into the environment that we have right now.

We primarily use the LogRhythm SIEM for the law collection aggregation for all of our Windows machines. We have all our firewalls sending logs to it. We have it hooked into Office 365 with the API to manage our cloud environment, and it's performed phenomenally.

The most valuable features are the reporting tools. A lot of times as security, we are tasked with explaining to management and the executives how the security program is going, what our concerns are, and if we want to get anything out of them as far as budget to fix some issues. We have to be able to show the evidence, and LogRhythm does a great job of putting it forward and making it easy to create reports with nice looking dashboards, which show off what we are doing as a security program.

One to three years.

It has been completely stable. We have had it in for a little over a year now, fully in production, and it has never gone down once. 

The only thing we had an issue with was when I tweaked the AI roles to basically fire on everything, which then caused a lot of accelerated rollover in our events. This was simply user configuration, and not anything on the LogRhythm side. It has been a very stable solution the whole time that we've had it in.

We are currently in the process of upscaling our current LogRhythm instead of buying a new one, which is really beneficial.

I don't know what they do on the back-end as far as the algorithm for crunching logs and keeping everything small and compact, but we haven't had any problems with the sizing. With some of the other systems the we have used, we quickly run into the problem where everything gets overblown and you have to go in and filter stuff out. What LogRhythm does that I like is they have all these knowledge base add-ons and modules out-of-the-box. It comes with all these features that you can use and get up off the ground running.

Their customer support is friendly and willing to help. I can't compliment their support staff enough. They've been nothing but helpful. Any questions that we have, they come out and help us, or they email us. It's great to have such an attentive support staff.

Using the LogRhythm Community, you can find the answers to any of the problems that you have. Everyone out there is just trying to help each other get better. So, it's really nice.

The installation was a bit complex because we are running a virtual infrastructure. Some of the stuff that we dealt with on the virtual machine and the discs was a little complex. However, the engineers at LogRhythm were more than willing to help. I had a little trouble because I was unfamiliar with the way vSphere works in the way that disk sizing stuff goes to get it setup.

Everything is running on one large virtual machine instance that we have because we have a lot of virtual infrastructure. We help other companies and host their solutions. We are really versed in that. So, we have one huge deployment, and it works really well.

The nice thing about LogRhythm is you can either use the agents, getting a certain number of agents with your license depending on how you want to go, and those agents do a lot of cool things, or you can use CIS Log host, then you have like an unlimited number of them. So, we have used the CIS Log for a lot of ours because it was easy to put into LogRhythm and change the destination of our CIS log solution. Now, our CIS Logs go into LogRhythm, and it's easy. You see them pop up there, then you just accept them as new log sources, and bingo you're in. Now, you're working. So, it is really good.

Where some other engines have been touted as SIEMs, you actually have to do a whole lot of actual engineering work of your own to even get the basic functionality out of them. This is one thing LogRhythm knocks out-of-the-box. 

It helps that the product is fully realized and ready to go as soon as you get it installed. You can immediately see results and immediately see the data coming in. You're able to collate and correlate it, obtaining your data in a quick and easy manner. 

Do a demo. See what they're offering. Just know that their support is the best.

I haven't used any of the automated playbooks yet. Our engineers are leery about having the automatic stuff go off, which I can understand. We also have separation of duties. I don't have a lot of their credentials to work with it on my own, so we would have to go back and forth with the engineers, and that is something that they don't really want to do. However, we do have our own playbooks and security team, but it's more manual. I am interested in the playbooks feature, so I will attend one of the events here to learn more about it and figure it out, then take it back to the team to get buy in on it, so we can then use it.

We have about 2500 log sources sending logs to LogRhythm right now. We have about 20 firewalls, with a lot of Windows PCs. 

It's the best solution that I've ever used. We're expanding its use, not only in our corporate network, but out to the cloud environment where we host customer data stuff, too.

Our primary use case is incident response and alerting. In terms of performance, it's pretty awesome.

It has saved us a lot of time. We've built some pretty cool custom alarms to alert us on stuff that we know is bad so we can respond to issues pretty quickly.

The AI Engine is the most valuable feature.

We've had no issues with it regarding stability. It's been pretty rock solid.

Scalability has been a little tougher for us. We're definitely looking to scale up. We've got a few log sources that we don't have in there that we need to get in there, but it's going to take a little additional effort.

Technical support is fantastic.

It's been pretty great. For us, the use case is all about generating actionable alerts and alarms and seeing how much we can reduce manual operations, so that's what I would compare: time saved.

We don't use the full-spectrum analytics capabilities. In terms of playbooks, we're still on 7.26 so we don't have the playbooks yet, but we're upgrading as a high priority right now. For deployment and maintenance of the solution, we use two staff members.

In terms of log sources, we have a couple of thousand and our MPS is 3,800.

When selecting a vendor, what's important for us is support. Support is huge.

We've been working with LogRhythm for a few weeks. We had Splunk and we're replacing it LogRhythm.

It's a general SIEM system for us, gathering the logs into one area.

We integrated Azure logs with it and that makes it simpler. Rather than having to log into the portal, we can just check everything in one place. We can compare those to our Windows and host logs to see if any problems correlate between them.

It just makes it simpler for analysts to find everything in one place. We don't have to give everyone access to ten different things, it's just one area where we can see everything.

We like the alerting features. They seem a little more hands-on and easier to set up.

It seems like a stable product. We haven't had any downtime yet. All the network monitoring seems to be going smoothly.

We have about 20,000 logs per second as our ceiling and we're at about 6,000 to 8,000 now, so we're okay. It looks like it's going to meet our needs for many years.

They're hard to get a hold of. We've tried to work with a couple of engineering department guys there. We've called them and called them but we never hear anything back.

We moved away from Splunk because we were not happy with it. Workstation monitoring seemed a little more complex than it is with LogRhythm. It's much simpler to search for issues and get alerts through it.

The setup was pretty straightforward. They sent us the appliance, we tailored it to our needs, made sure our network met everything it was looking for. We worked with their support a little bit on what they recommend for setting everything up.

We had a kick-off meeting before they sent the appliance to us and they handed all the documentation to us. That aspect's good. But working with the engineering support has lacked.

We looked at AlienVault, that was one we demo'ed. LogRhythm does seem better.

I'm not sure that we're hands-on yet with the full-spectrum analytics capabilities and we don't use any of the built-in playbooks. We have plans to use them in the future. We want to integrate everything into it and make it more automated.

We're at about 6,000 logs per second. In terms of a measurable decrease in the meantime to detect and respond to threats, we haven't gotten there yet. We are still implementing, still learning. We have to get to all our logs correlated.

So far we're pretty happy with the overall functionality of the system. It's going to meet everything we're looking for.