LogRhythm SIEM Reviews

The thing that I find most valuable is that every interface is consistent. Whether you're looking at a dashboard, a drill-down, an alarm, a search, the interface is exactly the same. As you move through the experience of looking at some type of event, some type of incident, following up on a search, everything is consistent throughout the whole user experience.

One of the evidences we have that LogRhythm is being very successful for us is in this year's penetration test. I caught the pen-testers five times in the course of their duties. That was just great ammunition to show that this works.

The biggest thing that I think needs improvement is reporting in the Web Console. Most of our reporting is done in the thick client console. The only people that have access to that, really, are the people that work for me, the administrators of the system. So the end-users, the people whose logs we consume, we give them views to their logs but they aren't able to run reports. By moving reporting to the Web Console, that would enable all of the regular, non-administrative users to run reports as well.

We've been using it for several years.

We just went through an upgrade just to increase our capacity, so we could bring in more log sources, and it's been a wonderful product for us.

It scales great, which is one of the reasons why we went to it.

Almost all the time things are handled in a proper way. We've had very good experience with technical support. On one or two occasions, a couple years ago, they were going through some growing pains because of their expansion. Our CRM, our Customer Manager, stepped in and helped us get through those hurdles.

It's actually our second SIEM tool. Our first one was not scalable. We didn't really get to pick it, it was chosen for us. We got to a certain point and we just couldn't grow it anymore. 

So we did a full RFP, a bake-off so to speak, and looked at everything that was really competitive on the market. Ended up with LogRhythm. Did our initial deployment, which lasted us for about two years. Because we did our basic measurements on a tapped-out SIEM - we didn't realize how much growth we would have once we uncapped the bottlenecks - we ran into some growth issues. We just doubled our capacity three months ago with no problems at all.

I always recommend training for everything, but that really is use, not setup. Setup is very easy. I do recommend people take advantage of the LogRhythm Professional Services. They make it very helpful, it's easy to get up and running in a day or two. Use Professional Services is my recommendation.

In terms of the most important criteria when selecting a vendor, there isn't any single important criterion. I have a spreadsheet that I use that expresses value.

• Price is one component of value 
• Usability
• Manageability
• How many resources do I have to apply to it? 
• Can I run it with one FTE? Do I need two FTEs? 
• Also, its efficiency. Does it meet all of the use-cases that we're buying it for?

The first thing you do is sit down and think about, "what are going to be my first steps?" This is the kind of thing you have to phase, really, to be successful. "What are my goals out of my first year?" Plan that out, and then plan where I'm going to go from there. Then sit down with somebody that's experienced like the LogRhythm Professional Services, or your SE, or other people you know that have used LogRhythm for a while, and review that plan and make sure that you've got some specific strategic benchmarks in place so that you can guide yourself through that growth.

I would rate it a 10 out of 10. I am very happy.

Probably the investigation part, being able to investigate any log. We've got so many sources that go in there that, at any given time, we can easily look up the logs on just about any system that we have.

What I'm looking for was actually in a session, here at the LogRhythm User conference, about the PIE phishing analytics. That was real interesting because right now we've got a guy that walks through that process attempting to see if the email came in, who got it, and whether or not it was exploited. That's all manual at this point. 

I think they're limited now with this to Office 365. We've got on-prem Exchange and it would be interesting to act like they're going to evolve that into that, to have that ability to look at that information a lot quicker.

We've had it for about nine years, going on 10 years. 

It's definitely evolved. It's gotten to the point where you can scale it well. We recently got the AI Engine running and realize that we need to spin off the Web Console and the AI Engine to a separate box, and off the platform manager. Then we can easily add a data processor or a data indexer to expand our processing power too.

We had some other vendors at the time, but LogRhythm beat them out. We had RSA, I don't remember what the name of their product was, and LogLogic.

It's just amazing, that you can get the information, especially the AIE information, where it correlates different logs together. It's just incredible. It's something that in the old days, that you had to use grep and go to multiple servers, versus now you just tap in and drill-down and, bam, you've got all the logs that you need. It's just amazing, the process.

The speed at which I can get into forensic data is the most useful thing.

It’s very easy to overwhelm the system. I have some of the beefiest data that they provide, and I can still overrun the system.

The native ability to identify the correct time of logs and data also needs work, e.g. if I bring in a system log data stream, LogRhythm's ability to natively say it's a Cisco firewall or a Palo Alto firewall -- sometimes it struggles to identify the device.

I've used it for 18 months.

I love the tech support people. Everyone I have worked with knows their stuff, which is great. I have worked with other SIEM products before and it was hard to find a knowledgeable person. At LogRhythm, everyone I have talked to has been incredibly good.

We were a RSA Envision customer. Our platform was going away, so that’s one of the reasons we switched. We weren’t really impressed with the security analytics platform that they wanted us to move to. We didn’t want to make the investment they wanted. For our industry they were lacking.

I had seen LogRhythm before, and back then a few years ago, they weren’t a player in the market. Since then they have moved to a much better security analytics platform. For what we need, LogRhythm is a perfect fit.

It was very straightforward.

We did it in-house.

We have had the production environment up now for over a year. I foresee a ROI. The thing about a SIEM, is that it allows you to get a visibility quicker. It’s hard to quantify that soft cost. I’d say we are there or about to be there.

I'm not a fan of the big names in the space. I recommend it as a solution for medium to large business.

I’m in contact with them on a very frequent basis. I work with my contact a few times per month. I can’t complain about them at all.

The primary use is monitoring logs, to see what's going on.

It's head and shoulders above what we were using, which was SolarWinds LEM.

Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

As long as you don't overfeed it, it's fairly stable.

The scalability has been fairly decent so far, as long as you don't overfeed it.

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: How many tickets they can close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

The initial setup was fairly straightforward.

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.

The consistency of its interface, whether you go to a dashboard, a search, an alarm - everything comes back consistently. There isn't a different interface for every function that you do, so it makes it very usable.

The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports.

I think part of the thing that LogRhythm has always done with the deployment is a lot of hand-holding by Professional Services. I would tell everybody that was going to do this to pay the money and get Professional Services. Don't try to do it by yourself.

Awesome. In fact, I just went through a scaling exercise where we outgrew our initial implementation and we were able to double, very easily, our capacity through an upgrade process.

They're awesome. We use them all the time. I tell my staff that whenever you have an issue, the first thing you do is you open a ticket with tech support, then you start playing with it. If you have solved it by the time tech support gets back to you, cancel the ticket.

We were previously using SolarWinds and we outgrew it. It wasn't scalable. We needed to find a solution that would scale as we grew it.

It was straightforward.

We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

I am a new user who just made the decision to purchase Intuit.

We are in the process of deployment. At this point, we're in the middle of rolling it out to servers and just collecting logs, so as far as the actual deployment of rule sets, and anything like that, we haven't gotten that far yet.

Our environment is Windows and Linux. We have about 1200 users. We have about 500 servers and about 1200 machines that we can be collecting from, as far as endpoints. 

The initial configuration was easy. 

We worked with professional services, and they remoted in and got us the setup and explained the setup. 

We looked at eight or nine other vendors. 

We quickly eliminated four or five of them. We ended up with a final four, which was LogRhythm, Splunk, McAfee's solution, and AlienVault. From there, for various reasons, we narrowed it down to LogRhythm and Splunk. AlienVault, we felt was a nice solution as far as being able to plug it in, get it up and running quickly, but we felt we'd outgrow it. Splunk was on the other end of the spectrum. We felt that it was very powerful, probably more powerful than any of the other solutions, but we didn't have the manpower to configure it out-of-the-box. 

From our own analysis and a lot of other customers we talked with, they confirmed the configurations on Splunk is just too top-heavy, so we felt that LogRhythm was the happy medium. A lot of customers recommended it, because of the built-in rules, and the out-of-the-box configuration is much better than Splunk, and given our team size and our internal resources, we made the decision to go with LogRhythm.

Our company manages the solution as a threat hunting platform for a semi-government client in the Hong Kong insurance industry. We collect logs for video, active directories, antivirus, and firewalls to consolidate them in the solution. 

From the central log collector, we build detection policies to identify threats or possible breaches. The solution also serves as a data storage platform to troubleshoot issues and find root causes.

In addition, logs that include performance data are created for devices such as routers and switches to monitor the availability of the office network. 

We also perform ongoing maintenance of the solution and all components to ensure everything runs smoothly. 

The correlation engine is extremely valuable because it uses machine learning to process information from the central manager and identifies issues in the network. 

The engine accurately and quickly identifies problem areas as it correlates events from various devices. 

Without this engine, logs would have to be built individually for each device. 

The security playbook could be pre-defined and available to other analysts with similar security issues. Currently, playbooks are individually written for various actions and threats. 

It would be faster and easier to react to issues if pre-defined playbooks were accessible to all analysts. 

I have been using the solution for seventeen years. 

The solution is stable. 

The solution is scalable. 

I have escalated issues to technical support and rate the assistance I received an eight out of ten. 

Positive

The initial setup is complex and I rate it a six out of ten. 

We implement the solution for our customers. 

The solution remains a top choice for our customers because of its performance, indexing rate, and coalition engine speed. Customers trying to use SIEM to collect logs and identify threats require a solution that responds quickly. 

The solution's correlation engine is very important because it uses machine learning to automatically collect and analyze quite a bit of data. 

When choosing a solution, it is important to determine what you want to achieve instead of how the solution works. Most solutions have a method for collecting logs, relaying information, and identifying issues so selection is more about the speed and accuracy of end results.

I rate the solution an eight out of ten. 

Our key challenges in security include

• standardizing our policies
• having the end user population be aware on the security side of things.

And the solution, LogRhythm, is helping us today to enforce it. We see now what it is that we're trying to propagate into the environment, based on the policies that we're monitoring today. The goal is to 100% enforce our policies.

It has improved things tremendously. Going from a third-party vendor to an in-house solution, such as the LogRhythm solution, has given us visibility into the entire organization, compared to the limitations, based on budget and whatnot, from a third-party vendor. Absolutely, we have a lot more visibility now.

I can tell you that having the ability to monitor the semi-subsidiaries that are a part of our organization, is huge in that sense.

We have 10,000 EPS, as it is. And we have between about 500 and 1500 incidents daily.

One of the most valuable features is the investigation tab. It allows us to dig in deeper into the alerts that we receive today, based on the policies, that get triggered by our end-user population.

I think a must-have feature would be better reporting. Today, as you can imagine, the organization would like to see what is happening in our environment, and the reporting feature within LogRhythm, I would say, is very limited.

The reports do not provide information such as, who are your top ten end users generating the most activity within the environment, or appliances, per se, so that's very limited.

So far, from my end, I haven't experienced any challenges. We are able to integrate all of the solutions that we have out there: our antiviruses, our data-loss prevention tools, and even our web browsing filtering.

At this point, I really don't have any challenges. Maybe the architectural team has different ones for integrations, but no issues on my end.

I have not used technical support, as I do not troubleshoot the application itself. We are technically just administrators of it, monitoring.

Because the organization wanted to have an in-house solution, when we looked at what was out there, we thought that LogRhythm, based on the user interface that was somewhat easier to follow compared to the competition, was a must for our security analysts.

And the additional features within the investigation side of it, to dig deeper into what's going on out there. Those were two big selling factors for us.

• Curator
• Splunk
• Dell SecureWorks

We chose LogRhythm because, as I said before, the user interface was really a plus for us. It was easier to understand, compared to the competition. And the ability to dig in deeper in the investigation tab, those were the two major selling points.

The most important criterion, when selecting a vendor, is how easy it is to adapt to the solutions we have in house. Every organization, I understand, is different, but based on what we required, for the most part I'd say about 85% of our needs were met with LogRhythm, compared to all other competitors.

It's very important for our solution to be a unified, end-to-end platform because the organization might adapt new technologies. Our security architect needs to have the ability to integrate them. If it's a challenge then, definitely, that's going to be a downside for us.

If a colleague at another company was doing a SIEM solution comparison with this and similar solutions, I would say to give LogRhythm a shot and, if the possibilities are there, to implement a PoC to understand how the solution can help them.