Primary use case for the SIEM would be for log collection and threat identification.
We're still in the beginning stages of our security solution, as far as maturity. Two years ago, this security program didn't exist.
Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job.
The analytics that it does.
Full-spectrum analytics capabilities, which we use for:
I would like to see APIs well-documented and public facing, so we can get to them all.
When it comes to a single version, it is rock solid. We haven't had any major bugs or flaws that haven't been involved with upgrading or going to another version. As long as you're on the same version, it is rock solid.
It works. The biggest thing with scalability is looking at how much data you have to ingest, so if you have to build the DX to be a specific size then you have to plan out how big it's going to be. Therefore, it doesn't necessarily scale easily, but you can add additional data indexers at any point.
The technical support is very good. They are in the top two to three companies that we work with.
It's very complex. As with anything, it takes time to get it working and know all the different nomenclature with it.
I do the deployment and maintenance of the solution myself.
I have seen a measurable decrease in the mean time to detect and respond to threats. We went from not detecting them to detecting them. We can actually pick up what is anomalous in our network now.
The solution has provided us with consistency and increased staff productivity through orchestrated automated work flows by at least 20 percent.
Our top choices were LogRhythm and Splunk.
Splunk is a data lake that doesn't necessarily do any analytics. Whereas, with this solution, we're looking at all the analytics. We can quantify data, we can drop data, and we can do what we need to, plus the pricing model is better.
Know what you want it to do. If you buy a SIEM because it's called a SIEM or someone says it's a SIEM, you're going to end up with what someone else believes they need. Figure out what you need beforehand and make sure that those bullet points are covered because there are a lot of options.
We're currently using the built-in manual playbooks. So far, the features are very good. They are growing. I am looking forward to seeing how they expand upon it.
The automation is coming. The API access and everything else we're looking for to be able to deeply automate a lot of common tasks is still being built-in. Right now, we can do automation on simple tasks. E.g., if it sees something bad, it can take it off the network and put it in our remediation subnet. However, it does not have the capability for complex investigative actions yet.
Right now, we have about 3000 log sources and 3000 messages per second.
It's our central security monitoring platform. It's where we bring all of our events together so we can monitor our network.
It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.
Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.
In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythm has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.
From an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have.
We use the full-spectrum analytics capabilities. We have a number of rules that we've built, and built-in rules that we leverage as well. We've got a whole bunch of dashboards and the like to do the analytics. We definitely find the full-spectrum analytics to be valuable.
Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the smart responses into the playbooks. That way, we can not only have the playbooks take those steps, but start to automate those steps as well. I think that is really powerful.
We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that.
Generally, the stability has been good. We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades.
It will definitely meet our needs going forward. We're not a huge shop, so we haven't had a whole lot of problems there.
But going back to the upgrade issue, in a previous upgrade from 6 to 7, we ended up with some hardware problems, because of scalability, with the software change. The hardware that we had didn't meet the needs anymore. But we were able to get that resolved.
Technical support is not bad. The lower-level, first-line support is not always great, but if we can get to the right people, then it's pretty good.
At this point, it's a pretty core platform for us, so we haven't been looking around.
We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.
Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.
I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence; there's always room to improve.
The primary use case is looking at our security as a whole, as an organization, trying to get all the logs collected, see how things can be integrated or what's happening through the different products. We also use it to see how people are trying to potentially circumvent security and what we can do to prevent people from doing that. Finally, we use it to get training out to end-users for certain things that they may be doing inaccurately.
We don't currently use the full-spectrum analytics or the built-in playbooks.
The benefits are having a deeper look into some of the applications, what's happening within them and possibly seeing configuration errors, enhancing not only the security but the functionality of different applications.
It has also provided us with increased staff productivity through orchestrated, automated workflows.
The most valuable features are the alarms, and some of the reporting features in the product are great. The web interface is awesome; it's very intuitive and gives a lot of great information.
So far the stability has been great. No issues whatsoever.
We're actually going through an expansion at the beginning of next month and it seems to be fairly easy.
We have used technical support in the past and it hasn't been an issue. They get back with us fairly quickly. Great people to talk to, very knowledgeable.
We were using another product before, McAfee Nitro SIEM, and that product was just getting too hard to maintain. We had other people on the team and within the organization who had used LogRhythm in the past, so it came highly recommended. We checked into it, checked reviews on some of the different vendors, and LogRhythm is the one that came out on top.
The initial setup was pretty straightforward.
In terms of the deployment and maintenance of the solution, for us right now, it was very light staff for the setup. It was two or three people that racked and stacked the servers. Once that is done, you don't really need them anymore. For maintenance, we've got two or three people on staff who manage and maintain it.
I'd highly recommend going with the product.
Our security program is pretty much in its infancy. We're always looking to improve things. Just as IT, in general, constantly changes on a daily basis, LogRhythm is always evolving and coming out with different things, helping with innovation. It's been great.
Right now we have roughly 70 to 80 different log sources. We have about 5,000 to 6,000 events per second, and we're looking at expanding that.
I rate it at eight out of ten. It's up there, top-of-the-line, but just like with any other application or program, as you grow, there are going to be some small hiccups. They're very minor.
We use it for all of our log correlations and event management. We try to do some external troubleshooting for other groups, like WebOps, but it's primarily our security and event manager.
For the same price, we have been able to go from a SIEM that could only manage about 20 percent of our environment to a full 100 percent coverage of all the devices on our network. Thus, we have seen a massive increase in the amount of data that we can collect, the type of things that we can see, the way we can look at logs, the way we can get alerts, and the way we can create our own customer roles, which has allowed us to customize the work in our environment.
We find the user interface and the ability to pivot in a search from one particular item to the next item to be highly valuable.
Its ability to work with all different sorts of log sources has been extremely valuable.
The reporting could be improved.
There are other security technologies outside of this SIEM that should be inside of this SIEM. I can see in their roadmap that they're trying to address a lot of these things, and have these technologies built into the solution, because there is no point in going to another vendor or opening up a second window to obtain the data that you need.
It is stable. We haven't had any major problems. We had a slight hiccup when we went through our upgrade procedure, but it wasn't anything overly complex, and support was there to help us. Therefore, we had it back up and running very quickly.
It should meet our needs going forward. The way we have it designed right now, we should be able to bring in single boxes and multi boxes to increase storage capacity performance whenever we need it. It's well-designed in that sense, allowing us to grow as needed.
Every experience I have had with them has been awesome. I have had no issues going to them. They are willing to get on the phone with you. They will get on Webex with you and control the system to see what's going on, getting their hands deep into it, then resolving the issue.
In previous and other support departments, they will just email you some suggestions and then leave you to take care of it yourself. That is not really what LogRhythm is about.
It is more intuitive than the previous solution (IBM QRadar) that we had in the environment.
We definitely had to get some assistance, because we didn't have the expertise. Once we got the product in place, it's good at maintaining itself, along with the support.
If you're going with anything more than the single box solution, I would not try to set it up by yourself. I would get the expertise to help you get it right.
In comparison to the competition, they are more affordable. This allows us to do more with less.
The primary use case is an analysis of server logs with some deeper analysis done on searches. Reports help ensure various departments have daily notices of any activity that they should be reviewing.
Daily alerts: These allow me to quickly find security and operational issues which need to be addressed.
More detail in the alerts is needed to avoid additional searches, as the source or destination associated with the alert is often not evidenced.
The most valuable feature to me is certainly the CloudAI, which I have been a beta tester of, and also the SIEM capabilities and automation.
I see CloudAI expanding greatly. It's obviously a new product for them. It will be able to give contextual evidence of people's behavior which, at the moment, whilst the SIEM does that, AI actually is that specification and concentration on people's behavior, which is a huge component in cybersecurity.
The benefits at an organizational level would certainly be that for my company, which is in healthcare, certainly a huge compliance, but also it gives me visibility of all the departments in my company, not just the IT department. I'm able to see the actions and behaviors of the whole company, not just on my campus, but remotely as well.
What still needs improvement is automation. The SmartResponse obviously does not use open APIs at the moment, so we're having a lot of problems connecting it with things like Palo Alto Traps and some other systems, things like Cisco. I know that it's on the roadmap, but at the moment that is where the weakness lies.
For myself, I would like a HIPAA configuration out of the box where I can switch on various HIPAA rules. Obviously, HIPAA has 18 very exact identifiers and I'd like those to be already in the box ready to be switched on.
My impression of stability is exceedingly good, in that I've not heard of any downtime. We have had to contact support a few times, but just to see how to do a few configuration settings.
It's actually been scaling incredibly well. We have put more memory in the box and we've taken some of the Websense traffic and put it onto VMs. We can take more hardware and daisy-chain them up, so we know that when we do need to have physical hardware scalability, that feature is there.
Exceptional. One of our tickets had to go all the way to level three, but it was exceptionally covered well and the resolution was incredibly timely.
It was our very first log management solution. When I joined, we did not have a cybersecurity program. My employment was to build a cybersecurity program right from scratch, right from the start. Whilst I evaluated a couple of other programs, LogRhythm came to me, through the evaluation of those, to be the clear winner.
The criteria certainly was scalability. Our company, within a year, has gone from $600 million of revenue to $1.3 billion. At that point, I knew that we had to have that scalability function.
I've been very lucky that some of my staff have very high technical knowledge on configuration of LogRhythm. If I didn't have those staff available to me, I would certainly recommend the Co-Pilot, which is an option that LogRhythm provides. I think that gives you the confidence that you've not only bought a product but, at that point, how to configure it and use it.
Very happy. Yes.
As a guidance and recommendation, I would ask them, what is your level of comfort in configuring LogRhythm? If they say to me, "Not so much," I would say, "Well, then you have to budget not just for the product, but for the Co-Pilot solution as well." If, however, they say, "No, I'm very happy. I have the skills already in-house," then I would say obviously to buy the product with the Professional Service hours.
The thing that I find most valuable is that every interface is consistent. Whether you're looking at a dashboard, a drill-down, an alarm, a search, the interface is exactly the same. As you move through the experience of looking at some type of event, some type of incident, following up on a search, everything is consistent throughout the whole user experience.
One of the pieces of evidence we have that LogRhythm is being very successful for us is in this year's penetration test. I caught the pen-testers five times in the course of their duties. That was just great ammunition to show that this works.
The biggest thing that I think needs improvement is reporting in the Web Console. Most of our reporting is done in the thick client console. The only people that have access to that, really, are the people that work for me, the administrators of the system. So the end-users, the people whose logs we consume, we give them views to their logs but they aren't able to run reports. By moving reporting to the Web Console, that would enable all of the regular, non-administrative users to run reports as well.
We've been using it for several years.
We just went through an upgrade just to increase our capacity, so we could bring in more log sources, and it's been a wonderful product for us.
It scales great, which is one of the reasons why we went to it.
Almost all the time things are handled in a proper way. We've had very good experience with technical support. On one or two occasions, a couple years ago, they were going through some growing pains because of their expansion. Our CRM, our Customer Manager, stepped in and helped us get through those hurdles.
It's actually our second SIEM tool. Our first one was not scalable. We didn't really get to pick it; it was chosen for us. We got to a certain point and we just couldn't grow it anymore.
So we did a full RFP, a bake-off so to speak, and looked at everything that was really competitive on the market. Ended up with LogRhythm. Did our initial deployment, which lasted us for about two years. Because we did our basic measurements on a tapped-out SIEM - we didn't realize how much growth we would have once we uncapped the bottlenecks - we ran into some growth issues. We just doubled our capacity three months ago with no problems at all.
I always recommend training for everything, but that really is use, not setup. Setup is very easy. I do recommend people take advantage of the LogRhythm Professional Services. They make it very helpful; it's easy to get up and running in a day or two. Using Professional Services is my recommendation.
In terms of the most important criteria when selecting a vendor, there isn't any single important criterion. I have a spreadsheet that I use that expresses value.
The first thing you do is sit down and think about, "what are going to be my first steps?" This is the kind of thing you have to phase, really, to be successful. "What are my goals out of my first year?" Plan that out, and then plan where I'm going to go from there. Then sit down with somebody that's experienced like the LogRhythm Professional Services, or your SE, or other people you know that have used LogRhythm for a while, and review that plan and make sure that you've got some specific strategic benchmarks in place so that you can guide yourself through that growth.
I would rate it a 10 out of 10. I am very happy.
We didn't have a main logging system, so it's really nice to have that now, and in place. We are collecting all our logs from all the servers and routers, and it's really helpful, and it's a great product to have.
Right now I really like the dashboard, and being able to view it easily, and to just have all the data right there available for me.
I think the dashboard could definitely have more features. I've seen some of their roadmaps that they're going towards. I really like it.
One of the features that I actually put in a request for was, they have the ability to build this great case and have it all ready. But you can't export it; right now, on my specific 7.2 product, you can't export it from there. So, I can't have a nice PDF to give to a CEO, or give to legal, or wherever it needs to go to further their investigation. That's definitely a product that they're actually going to come out with really soon.
The stability is pretty good. We haven't really had any problems with it. I think in our deployments, we had about 25 monitoring agents. One of the agents did start acting kind of funky, so I just called up support. I said, "Hey, we can't get this agent to work properly." They helped us out right there that same day. We actually updated that specific agent, and it's been working ever since.
We're a fairly new customer to the product, so we haven't had to deal with problems like that with it. But we do plan to scale it fairly soon, so we'll see.
It's been pretty good. After the deployment, I really haven't had to call them. They have a pretty nice knowledge base, and their user guide pretty much explains everything you really need to get done.
There are some issues that I had with Forcepoint, and getting it to work properly with LogRhythm, but that was more on the Forcepoint side of the problem than LogRhythm.
It was due to compliance that they decided to get a product.
I actually was hired within the last five months. I showed up, and they said, "Hey, you're going to get to deploy this." I said, "Sounds great."
Deployment was fairly easy. They gave us some prerequisites that they needed us to have ready for them, so we went ahead and got those all ready, went through change management, got everything approved.
They needed to have - if you want it to collect logs remotely - a service account created, you needed to have specific ports already open, to make sure that everything communicates properly.
We went ahead and had everything set up. We got the support call because we got the DMX appliance. The day came, we got it all set up, and it was fairly simple. The support agent walked us through everything we needed to do. He showed us tips and tricks and best practices for specific situations. He did training at the same time as we were deploying. It was a fairly simple, easy process.
It's one of the top 10 SIEM solutions. What I really like about LogRhythm is that they're always innovating with new ideas. They're consistently trying to improve. I think that's really great about them.