it_user769674 - PeerSpot reviewer
Sec And Risk Lead at Baker Tilly Virchow Krause, LLP
Video Review
Real User
Easily percolates critical information to the dashboard for drill-down

How has it helped my organization?

It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff.

But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they have large security questionnaires that we have to fill out. So having a SIEM product is one of those check boxes, and being able to say "yes" on security questionnaires; or one that clients come in and say, "We want proof that you're auditing your domain controllers, that you're auditing the security files servers, you know who touched our files, how they read them, deleted them, modified them." 

Being able to pull all that information up before the auditors, it's great. Very critical.

What is most valuable?

We're fairly new to LogRhythm. One of the things that we really liked in the deployment PoC phase was the dashboard. How easily it percolated critical information up onto a screen that we could immediately review, and drill-down to look at the raw logs. That was one of the key features that we liked in the PoC. Still today, that is by far one of the best features.

What needs improvement?

Probably the biggest improvement, and I've talked to several of the management here at the LogRhythm User conference on it, is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets are extremely large, tons of files are being modified, deleted, created. That product could use some more enhancing.

We've been working with them to enhance that product for future releases. It's been a good experience. 

Any issues that we've had, they've actually fixed the majority of the issues that we had with the initial product, by even giving us customized installation packages to adapt to our environment.

What do I think about the stability of the solution?

It's been real good. We've done several upgrades since then. Each time, if there has been an issue, we've just opened up a ticket with support and literally, it's hours to minutes sometimes - depending on the time you open up the ticket. There's a response and then engineers calling you, and helping you out through some of those issues. It's been good.

Buyer's Guide
LogRhythm SIEM
June 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.

What do I think about the scalability of the solution?

We haven't scaled because, like I said, we're still in the first-year phase. Now, when we purchased the product, we did purchase it to scale it out a little bit over time. We overbuilt it just a little bit so that we could keep adding log sources to it. But so far, we've been right on the money, as far as the initial build of it.

Which solution did I use previously and why did I switch?

We had come from two other SIEM products that were going end-of-life. The original one was the Cisco Security Manager, and then the latest one was RSA enVision. Because that was going to end-of-life, we needed to find a replacement product.

The big thing was the PoC was a great tool to get a great overview of what the product was going to be like. We also worked with an SE that helped deploy the product. Then we also were able to talk to support. So we got a good feeling for how the product was going to operate, not only from our operational standpoint, but also from a support standpoint, and also from help from our local support engineer.

We just had a great experience all around, and when comparing feature sets, from the web interface to the alarm drill-downs, the AI Engine drill-downs, to the network monitor product, it was definitely on the top of the list.

The other big thing that we really liked about LogRhythm - we had a unique requirement - was that we had to have appliances, we didn't want virtual devices. Just from the security side of things, we wanted to be able to manage those devices ourselves, rather than having our infrastructure group manage those. LogRhythm also provided us the appliance-based option versus Splunk, which is all virtual-based.

How was the initial setup?

We actually used LogRhythm's Professional Services group to help us get the product up and running. It went real smooth. Matter of fact, the amount of time that we allocated to Professional Services, we were short of that. It just went real well.

Our group caught on to the product very quickly, which was another great benefit. We were able to do a lot of the work ourselves, versus relying on Professional Services to do it, just because we caught on much quicker than we had thought initially.

Which other solutions did I evaluate?

Our SIEM solutions list included several different vendors from Splunk to LogRhythm to RSA, their new product. We ended up choosing LogRhythm.

What other advice do I have?

Just from the simplicity standpoint, it's met all of our expectations now. Like I said, you always have that little thing here and there that you still have to tweak, but other than that, we've really liked the product. 

The biggest thing in this product is not everybody on our security team is well versed in SIEM or analytics, but we found that LogRhythm - the Web Console UI - really simplified it, especially with the metadata parsed out. It allowed those people to read those types of events much quicker, because it was right there, and it was pretty easily translated. So "user" is username, "host" is the host, and so it's very easy. You're not having to dig through this big long raw log file to actually figure it out. Then if it needs to go there, it goes to an advanced person.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user769680 - PeerSpot reviewer
Sec Eng at a financial services firm
Video Review
Vendor
I don't have to log in to six or seven different appliances and hunt for data

What is most valuable?

What I found most helpful out of it is the ability to see all of the same data, that I would get from my appliances, in one place. I don't have to log in to six or seven different appliances and hunt for that kind of information. I can just do some queries within LogRhythm and it tells me the same information.

What needs improvement?

One of the things I find that would be helpful is the GLPR information, to be able to understand what is actually being processed. I've got, say, 20 different rules, but I don't know which one is getting more of the data, which is getting none of the data, because there's not really a good interface for that.

What do I think about the stability of the solution?

The stability is pretty high. There were some early issues; we were overrunning it with data, and part of it was a sizing issue. Once we got through that, it's been running a lot better and it's been more stable. We haven't had to worry about it falling over on itself.

What do I think about the scalability of the solution?

At this point we're still using a single XM appliance. The scaling that we've had is really just upgrading from an older-series to a newer-series XM appliance.

How is customer service and technical support?

There were a lot of support calls we went through, and they would tweak and change a few settings here and there. Then eventually, what we did was we upgraded to different hardware because there wasn't anything else we could remove. We had to continue to keep getting those same logs.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user576042 - PeerSpot reviewer
Senior IT Security Analyst at a retailer with 1,001-5,000 employees
Vendor
AI Engine rule set significantly changes how we notify users about our network

How has it helped my organization?

More of the AIE drill-down notifications. I don't have to customize a lot of stuff. I'm more of an advocate for LogRhythm dashboards for my company, to make sure that other teams utilize what I'm bringing into LogRhythm. Use it for their operations, use it for their alarms and so on.

What is most valuable?

For my situation, besides the investigation that LogRhythm offers, it's the AI Engine rule set that it offers. It has brought us more significant changes in how we alarm and notify our users about what's going on in our network. It's not just one specific log, it's the correlation of multiple logs on different log sources.

What needs improvement?

More features that I would like to see more development in are the automation and the smart response. A lot of the attendees here at the LogRhythm User conference are working towards that, and most of us are not even developers. But we're trying to figure out what the skill sets are and how we make sure that LogRhythm gets more intuitive in automating and responding to alarms and notifications that we get.

What do I think about the stability of the solution?

The stability is pretty much straightforward. I know the product has grown very big and it has tried to cover a lot more features, it has brought more features, and I was surprised that I've seen a lot more features coming out in version 7.3.

What do I think about the scalability of the solution?

I'm at that point where we're investigating getting a new box, looking at other options. I'm at that point that my box has reached its maturity and I need to replace it, probably next year. We're in the process of working that out with our sales engineer.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user769683 - PeerSpot reviewer
Cyber Security Operations Manager at Old National Bancorp
Video Review
Vendor
We've got so many sources in it, we can easily investigate the logs on any system we have

What is most valuable?

Probably the investigation part, being able to investigate any log. We've got so many sources that go in there that, at any given time, we can easily look up the logs on just about any system that we have.

What needs improvement?

What I'm looking for was actually in a session, here at the LogRhythm User conference, about the PIE phishing analytics. That was real interesting because right now we've got a guy that walks through that process attempting to see if the email came in, who got it, and whether or not it was exploited. That's all manual at this point. 

I think they're limited now with this to Office 365. We've got on-prem Exchange and it would be interesting to act like they're going to evolve that into that, to have that ability to look at that information a lot quicker.

For how long have I used the solution?

We've had it for about nine years, going on 10 years. 

What do I think about the stability of the solution?

It's definitely evolved. It's gotten to the point where you can scale it well. We recently got the AI Engine running and realized that we need to spin off the Web Console and the AI Engine to a separate box, and off the platform manager. Then we can easily add a data processor or a data indexer to expand our processing power too.

Which solution did I use previously and why did I switch?

We had some other vendors at the time, but LogRhythm beat them out. We had RSA, I don't remember what the name of their product was, and LogLogic.

What other advice do I have?

It's just amazing, that you can get the information, especially the AIE information, where it correlates different logs together. It's just incredible. It's something that in the old days, that you had to use grep and go to multiple servers, versus now you just tap in and drill-down and, bam, you've got all the logs that you need. It's just amazing, the process.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Information Security Officer at First Mid Bancshares Inc
Video Review
Real User
Enables our IT staff to be more proactive, fix problems, instead of waiting for end user calls

How has it helped my organization?

Not just for security but from an operational standpoint as well. Perhaps an end user would call with a particular problem - "I can't print in this" - and, during the investigation of that, we could find perhaps there was a log message that was generated, an error from that application. Then we could create a rule, quickly and say, "Any time that you see that log generate an alert..." 

It enables our IT staff to be a lot more proactive, to fix problems, instead of having to wait for the end user to call and say something is not working.

What is most valuable?

The scalability. We had a huge problem with that before. Now, we can quickly search through all of our logs. If we have an issue that, perhaps there's something suspicious from a particular host, we can quickly go through there and search all the logs for anything that had to do with that host for a specific time frame, and anything coming to or from that host, or if it's a user, or whatever it is. Investigations, it's really been helpful for.

What needs improvement?

It's not necessarily bad against LogRhythm, but I think an area that always can be improved is the parsing rules. The more information that we can get out of the logs, as far as specific metadata in the logs, whether it's an IP address, or something like that. Sometimes, LogRhythm will parse the rule but perhaps it won't get every little detail out of the rule.

Any advancement in those could be very helpful to be able to correlate those logs against other items. Especially for items that are a little less - "mainstream" may not be the right word - that are not necessarily a top-tier vendor. Perhaps, instead of Cisco, it's a different firewall vendor. Those sorts of things, that sometimes we run into an issue where the log parsing is suboptimal. It could be a little bit better, could be some improvements there.

What do I think about the scalability of the solution?

We have about 550 users and 150 servers or so, and I think we're feeding in approximately 800 logs per second on average, into LogRhythm. We haven't had any problems with scalability. It chews through the logs, and our searches are pretty quick, they're very responsive.

How are customer service and technical support?

Fortunately, we haven't had to deal with them a lot, but when we have we've had really good luck with them. They have always been very knowledgeable, quick to solve our problems, very responsive. They'll follow up if there is a delay, perhaps they're still researching the solution. They're always quick to reply back and say, "Hey, I haven't forgot about you, it's still with the developers." Fortunately, we haven't had many issues with the product.

Which solution did I use previously and why did I switch?

We were using a different SIEM tool before. It's probably not really fair to call it a SIEM. It just really wasn't quite robust, it was more of a log collection tool. The system worked fine, we could create some basic events from a single log: "You see this log, fire an alarm off of it," or something like that; not really correlation per se. 

We had issues with scalability with it. We could stand it up for about a month, and then after about a month, as the database started getting full, then trying to do searches and things like that, it was too slow. So you would have to clear out the database, start again, and again it would work for about a month.

Which other solutions did I evaluate?

Yes, we did. Unfortunately, I don't recall exactly which other ones we looked at, but we had a number of different demos with other vendors and, obviously, chose LogRhythm.

What other advice do I have?

We are really happy with the product. We've been a customer for a number of years now and really haven't had any issues. It's done just about everything we ask it to do.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user769689 - PeerSpot reviewer
Technical Systems Analyst
Video Review
Vendor
At setup we turned on 14 AI rules and have found them to be really advantageous for us

What is most valuable?

I would say to us, the thing that matters most is the automation of the AI rules that are being sent to our emails to let us know what's happening within our network and within our environment.

When we set it up, we went through and probably turned on about 14 AI rules that we found to be really advantageous to us, and have tuned those over the past couple years. It's just worked out really well for us.

How has it helped my organization?

PCI compliance was our main driver for purchasing LogRhythm, but it turns out there was just a ton of other information that really came from having that appliance, other than just being PCI compliant and checking that box for us. 

Like I said, it was just more insight into our own network, our own users, our own flow of traffic, helping to alleviate a lot of that burden from our system admins by automating some of those alerts. So, all in all, it's just been a great fit for us.

What needs improvement?

I'm really excited about the CloudAI stuff. One thing I've asked, and I don't know if it's in the works or not, is for a better way to test our AI rules, to make sure they're working correctly, instead of having to manually go into each one and do an invalid login to see if the rule fires. Some better way to test all those rules that we have turned on and enabled would help.

What do I think about the stability of the solution?

Out of 10, I would give it an eight. We upgraded our firewall and that broke our parsing rules and it took a while to get that all fixed, but other than that it's been great.

What do I think about the scalability of the solution?

We haven't taken in a whole lot of logs since our initial setup, so we haven't scaled it, I'd say, to its potential yet. 

We're on an upgrade path, we just got to 7.2.5 and we're on the beta program for 7.3 to get to CloudAI. Once we get that done, we plan on ingesting more logs, going to Office 365, pulling those down. So, we plan on really growing it.

How is customer service and technical support?

Technical support has been great. I will be honest with you, I think that's one of the strengths of LogRhythm. Every time I've opened a ticket I've gotten a response back that day. They're great, they work through it. Even when we did our upgrade through Professional Services, she was great. She recorded the whole session so we could use that at our next upgrade. 

I've just found them to be tremendous.

How was the initial setup?

For me, not having been in the security world, at least on the SIEM appliance side, it was a lot to take in at first. We had an onsite engineer come in, help us put it in play. We had a week's worth of training. All in all, it went pretty smoothly. 

There were gaps in our knowledge, I think, but that's where we opened up customer service requests and they came through and helped us out. But for me, personally, I would say it went well. It was just "a lot," it was new to us, it was new to our organization, so it was just a lot of information, but as far as it goes, it was pretty smooth.

What other advice do I have?

We're really happy with it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user769665 - PeerSpot reviewer
Chief Security Officer at Optomany
Video Review
Real User
A single pane of glass for my analysts, gives us complete eyes and ears into our environment

How has it helped my organization?

From my point of view, at an organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's also used, dare I say, to tick a compliance box.

What is most valuable?

The most valuable feature for me is that it's a single pane of glass for all of the analysts in my team. It gives us complete eyes and ears into what's going on within our environment. We run two separate installations. One is in our datacenter where we handle all of the sensitive data, and one is on the enterprise side, so it gives us a real good visualization of what's really going on.

What needs improvement?

In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the board. Everyone in a CISO role is having the same challenge. We've got multiple spreadsheets. Being able to leverage the SIEM to give us the information would be invaluable.

The other area is Office 365. We're cloud-first as far as our enterprise goes, and what we lack at the moment is being able to pull that information into the SIEM. I understand that that's coming, so we're looking forward to that.

What do I think about the stability of the solution?

On the whole it's been fine. We've not had any issues with volume, with the system going down. There are a couple of tweaks that you get with older systems. Patching time is always interesting. When you want to do an upgrade, if you're going from a minor version it's fine. If you're going from a major, then it's always good to use the autopilot services.

What do I think about the scalability of the solution?

In a previous role of mine, we had an IT department that thought they could do everything, and virtualization was the way to go. That definitely didn't work. In the current organization, we found the two instances are very, very scalable. Being able to get additional licenses for agents works well, very easy to do.

How are customer service and technical support?

The feedback I get from the analysts in the team is the first-line support is your traditional first line support, they'll log a call. We often get the responses in a timely manner. If it needs to be escalated, we've got good contacts within the wider organization and it gets escalated from level-one to level-two, definitely don't have any issues there. 

It's nice to see that the vendor listens. If something does go wrong, they're on the phone giving you the support that you need. Other vendors don't necessarily do that as quickly as LogRhythm.

Which solution did I use previously and why did I switch?

If we go back nine to 10 years, we had the advent of PCI. The standards council says you needed to use file integrity. The only real solution at the time was Tripwire. That's when I got introduced to Ross Brewer (Vice President and Managing Director of EMEA for LogRhythm). From that point, we knew this was the right solution. We wanted to gather the logs into a central place.

How was the initial setup?

In the various guises that I've had over the years, we've gone from multiple installations across 54 datacenters, globally, into our smaller setups. It's easy to install, it's pretty much, as they say, "out of the box," but it needs to be fed and watered on a daily basis. You do need a team to look after it, which I think is the same with any SIEM out there, but this is much easier to use. And because it's out of the box, you get the information you need within the first couple of hours.

Which other solutions did I evaluate?

With the new organization that I've been with for three and a half years, we spent seven months looking at other solutions out there; looking at Splunk, looking at ArcSight. We did a trial, we stood them up next to each other. Straight away it was fairly evident that the LogRhythm application itself, and the agent roll-out, was straight out of the box. Like I said, it needs feeding, watering every day, but in terms of being able to take the box, put it into your datacenter, get it up and running, they're definitely light years ahead of the competition.

What other advice do I have?

In terms of the criteria for selecting a vendor, it always comes down to cost.

And usability. I like to make sure that my analysts are hands-on when we look at these tools. What's the interface like? How easy is it to use? What's the after-sales like? What's their tech support like? These are all things we need to look at. 

Also, which operating systems do the agents run on? Can you integrate into all the hardware that you've got? What syslog feeds can it take? Can it take SNMP as well?

If colleagues were looking to purchase a similar solution, the guidance that I'd give them is make sure that they draw out what they're looking to get from the solution. Make sure they have an inventory of hosts. Don't go all out, don't put everything on at once. As they said, don't try to boil the ocean at once. What are your critical hosts? Feed that information in first. Build case studies. What do you want to get from it, what are you looking for? And then work your way through it.

What I've done in the past is I've asked them to come over to our office and take a look at our implementation. I'm happy to share that information with others. I'm able to give them some case studies on what we've found with the Windows operating systems and some of the other hardware out there.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user756366 - PeerSpot reviewer
Senior Network Systems Engineer at a non-profit
Video Review
Vendor
Ease of administration means we don't need an FTE just to admin the product

How has it helped my organization?

We have a big issue with our users, they really like to click on links and attachments. The Phishing Intelligence Engine is a new feature they're releasing, which is really going to have a nice fit for us. Then the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those would be two really key opportunities for us to really take care of a security vector that we have issues with every day.

What is most valuable?

Favorite feature of the product is the ease of administration. There's not a lot of overhead. We don't need an FTE dedicated just to admin the product. That was one of the biggest selling features for us.

What do I think about the scalability of the solution?

Have not scaled. Like I mentioned, it was a compliance check-box. We are running what they call an all-in-one, all the features are running all in one box. But you can also take each feature as you grow, and move those features off. For example, if the Web Console is slow, you can extract that out and run it on its own separate system. 

There are Fortune 500 companies running it, so obviously it scales.

How are customer service and technical support?

We had one issue, self-inflicted wound. We were capturing too many active logs and not archiving them off. We went through a process where we did Professional Services with our VAR; missed that step, that we actually needed to use some archiving. About three months into it, we're saying, "We're out of space. Performance is terrible." 

Quick call to support. Support's great. You have a service manager you talk to, and then they get you to the right team. There's no bouncing around. They do all the schedule coordination, everything like that. Can't say enough about support. We were back up and running within a couple of hours.

Which solution did I use previously and why did I switch?

The general SIEM was brought in, like a lot of SIEMs are brought in, to solve a compliance issue. To check a box. That's initially what it was brought in for. Now, I'm investigating where we're going to grow this tool. Because apparently, it's sitting in a state that's getting a little stale.

At this LogRhythm User conference I'm looking to see what additional benefits it can provide. LogRhythm can do a lot. It's just a matter of making the right choices to gradually get yourself going down the path of developing it, because it can get overwhelming, like any SIEM. 

But LogRhythm's got a nice online community to shape your decision making, like, "Here is where you should start." They've got actual tips and tricks every month that you can get on, really easy things to digest over lunch hour. You've got to dedicate the time.

How was the initial setup?

The recommendation from the VAR was to actually have a Professional Services engagement. That was one week. Basically, that was just building out the SIEM, creating some basic rules, showing the lay of the land, where things are, where you go to administer, how you create a case. Really basic administration.

Then, what LogRhythm also built into that was a one-week training, which we did online, which was great. That just built on to that first week of here's how it's built out, and then here's how to use it, here's how to administer it, here's how you use it for analyzing alarms in your environment.

Which other solutions did I evaluate?

We looked at IBM, and then we also looked at Splunk.

FTE cost. We're a small shop. Infrastructure team is five people, not a dedicated security professional. Cost, being a small shop, ease of maintenance, and ease of use; top four. LogRhythm came in by far the cheapest, was easiest to maintain - this was the initial thought - that's proven out that it is. Then, actually easy to just get in there and look at the logs. It's really easy to use. From not having anybody with any real SIEM experience, to get us off the ground and running was incredible.

What other advice do I have?

From how we use it, I would rate it a 10 out of 10; not knowing exactly where we could go with it, I'd have to give it a nine, because I don't know if there are any challenges inside it. What we're doing is very limited. I would like to, as we continue to grow with the product, see if there are any ceilings on that.

I would highly recommend taking a look at the FTE requirements. They're not all the same. That's huge, depending on the size of your staff, and budget constraints too. There are other SIEM software solutions that have a lot of add-ons that continue to add cost. You need to look at the big picture of what you want it to accomplish. Ours was pretty straightforward with compliance, we didn't have a lot of additional costs. I think those are the two big takeaways I could give somebody.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user