Senior Security Analyst at a leisure / travel company with 10,001+ employees
Real User
Enabled us to build alarms that allow us to react to issues quickly

What is our primary use case?

Our primary use case is incident response and alerting. In terms of performance, it's pretty awesome.

How has it helped my organization?

It has saved us a lot of time. We've built some pretty cool custom alarms to alert us on stuff that we know is bad so we can respond to issues pretty quickly.

What is most valuable?

The AI Engine is the most valuable feature.

What do I think about the stability of the solution?

We've had no issues with it regarding stability. It's been pretty rock solid.

Buyer's Guide
LogRhythm SIEM
May 2024
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
770,765 professionals have used our research since 2012.

What do I think about the scalability of the solution?

Scalability has been a little tougher for us. We're definitely looking to scale up. We've got a few log sources that we don't have in there that we need to get in there, but it's going to take a little additional effort.

How are customer service and support?

Technical support is fantastic.

What other advice do I have?

It's been pretty great. For us, the use case is all about generating actionable alerts and alarms and seeing how much we can reduce manual operations, so that's what I would compare: time saved.

We don't use the full-spectrum analytics capabilities. In terms of playbooks, we're still on 7.26 so we don't have the playbooks yet, but we're upgrading as a high priority right now. For deployment and maintenance of the solution, we use two staff members.

In terms of log sources, we have a couple of thousand and our MPS is 3,800.

When selecting a vendor, what's important for us is support. Support is huge.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756366 - PeerSpot reviewer
Senior Network Systems Engineer at a non-profit
Video Review
Vendor
Ease of administration means we don't need an FTE just to admin the product

How has it helped my organization?

We have a big issue with our users: they really like to click on links and attachments. The Phishing Intelligence Engine is a new feature they're releasing, which is really going to be a nice fit for us. Then there's the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those would be two really key opportunities for us to really take care of a security vector that we have issues with every day.

What is most valuable?

My favorite feature of the product is the ease of administration. There's not a lot of overhead. We don't need an FTE dedicated just to admin the product. That was one of the biggest selling features for us.

What do I think about the scalability of the solution?

We have not scaled. Like I mentioned, it was a compliance check-box. We are running what they call an all-in-one: all the features are running on one box. But you can also take each feature as you grow and move those features off. For example, if the Web Console is slow, you can extract that out and run it on its own separate system.

There are Fortune 500 companies running it, so obviously it scales.

How are customer service and technical support?

We had one issue, a self-inflicted wound. We were capturing too many active logs and not archiving them off. We went through a process where we did Professional Services with our VAR; we missed that step, that we actually needed to use some archiving. About three months into it, we're saying, "We're out of space. Performance is terrible."

Quick call to support. Support's great. You have a service manager you talk to, and then they get you to the right team. There's no bouncing around. They do all the schedule coordination, everything like that. Can't say enough about support. We were back up and running within a couple of hours.

Which solution did I use previously and why did I switch?

The general SIEM was brought in, like a lot of SIEMs are brought in, to solve a compliance issue. To check a box. That's initially what it was brought in for. Now, I'm investigating where we're going to grow this tool. Because apparently, it's sitting in a state that's getting a little stale.

At this LogRhythm User conference I'm looking to see what additional benefits it can provide. LogRhythm can do a lot. It's just a matter of making the right choices to gradually get yourself going down the path of developing it, because it can get overwhelming, like any SIEM. 

But LogRhythm's got a nice online community to shape your decision making, like, "Here is where you should start." They've got actual tips and tricks every month that you can get on, really easy things to digest over lunch hour. You've got to dedicate the time.

How was the initial setup?

The recommendation from the VAR was to actually have a Professional Services engagement. That was one week. Basically, that was just building out the SIEM, creating some basic rules, showing us the lay of the land: where things are, where you go to administer, how you create a case. Really basic administration.

Then, what LogRhythm also built into that was a one-week training, which we did online, which was great. That just built on that first week of "here's how it's built out," and then "here's how to use it, here's how to administer it, here's how you use it for analyzing alarms in your environment."

Which other solutions did I evaluate?

We looked at IBM, and then we also looked at Splunk.

FTE cost. We're a small shop. The infrastructure team is five people, with no dedicated security professional. Cost, being a small shop, ease of maintenance, and ease of use; those were our top four. LogRhythm came in by far the cheapest and was easiest to maintain - this was the initial thought - and that's proven out that it is. Then, it's actually easy to just get in there and look at the logs. It's really easy to use. From not having anybody with any real SIEM experience, to get us off the ground and running was incredible.

What other advice do I have?

From how we use it, I would rate it a 10 out of 10; not knowing exactly where we could go with it, I'd have to give it a nine, because I don't know if there are any challenges inside it. What we're doing is very limited. I would like to, as we continue to grow with the product, see if there are any ceilings on that.

I would highly recommend taking a look at the FTE requirements. They're not all the same. That's huge, depending on the size of your staff, and budget constraints too. There are other SIEM software solutions that have a lot of add-ons that continue to add cost. You need to look at the big picture of what you want it to accomplish. Ours was pretty straightforward with compliance, we didn't have a lot of additional costs. I think those are the two big takeaways I could give somebody.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user769662 - PeerSpot reviewer
Operations Team Lead at Mary Kay Inc
Video Review
Vendor
Facilitates visibility into our infrastructure, identifies things we can trigger on and alert

How has it helped my organization?

It's visibility. Frequently our network team - while our network security is paramount from a security perspective - our network team is really focused on keeping the network up. They're not concerned about intrusions, and potential malicious activity. They're making sure that users can get data from point A to point B successfully without any downtime. With LogRhythm, our SIEM solution offers more of a rounded perspective, especially from security, making sure they are not only operational, but they're operational in a security conscious manner. That's really helped. 

I specifically keyed on the network, but it's really where we're able to add additional visibility across all groups, from a security perspective, that they might not be aware of. Usually a business owner is just focused on, "Is my application up, is it running? Yes." They're happy. We come in and bolt on security, and we're changing the mindset of our company one group at a time.

What is most valuable?

Most valuable feature is really providing us visibility into our infrastructure. Frequently, I'm reaching out to our partners in the business, and I'm asking them how I can assist them, and how I can improve their visibility from a security perspective. 

Oftentimes, like many of the users I've met this week here at the LogRhythm User conference, we've encountered that the business owners are not familiar with their logs. Some of them haven't even really looked at them. But when I delve into the logs with them, and identify some things we can trigger on and alert on, and really help them improve the efficacy of their tool, it's really been a big benefit to have that visibility. Not only from the security perspective, but an operational perspective. It's really helped to build a relationship between us and the business.

What needs improvement?

There is, of course, always, improved automation. Because, as we are continually needing more and more people from an analyst perspective, the more we can automate, the fewer people we need. If we can automate some of the lower-level things, that can allow our SOC to be trained on the higher-level more technical things that really give the true value. I don't want my analyst to be stuck underneath sending emails, and "alert fatigue" is the buzz word. 

But, on top of that, there has been a market that has grown from SIEM for security orchestration, where it's another tool you have to bolt on top of SIEM to make SIEM as effective as it should be from day one.

I was in a session earlier today here at the LogRhythm User conference where they're mentioning that the web UI, and through the case management, they're actually getting an incident playbook that you can utilize. That's a big step that I'm intrigued by. Hopefully it goes the way that it's planned because that is one that saves me from having to go out and purchase a separate security orchestration tool, which is just another screen I need to look at.

That feature is one that I'm very excited about, and hopefully it follows the roadmap according to what LogRhythm is projecting. That's definitely a feature that I and my managers have identified as a need. I was excited to hear about that at this conference. 

That's probably the only feature request that would be of drastic improvement to our SOC.

What do I think about the stability of the solution?

We've been on LogRhythm since version 6. We've dealt with some bumps and bruises here and there. However, LogRhythm has clearly been dedicated to improving stability at every turn and every hotfix and every new agent release. It's gotten better and better.

With 7.2.2 we went to High Availability mode. We were having some issues, our deployment is global, we're in multiple datacenters across the world. Having HA has really helped us because if our platform manager went down, we could just failover perfectly to our second one, and not get called at midnight. So that's been great.

However, past 7.2.2, HA has almost become unnecessary because its stability has improved to such a level that HA is now just a bonus feature. It's a security blanket versus a necessity.

What do I think about the scalability of the solution?

Currently, we're running one AI Engine in our local datacenter where we're based out of, in Texas. We have two platform managers, like I mentioned; they're both in HA mode. We have a clustered DX cluster in that datacenter. We've got at least one data processor, if not multiple, in every other datacenter, with its own corresponding indexer as well.

We treat them as many LogRhythm environments across all data centers that funnel up to our main one in Dallas.

How are customer service and technical support?

The Professional Services as well as the general support has been phenomenal. They're very attentive to our needs. When we submit a ticket we get a pretty quick response back. If they don't know the answer, they're either immediately going over to their buddies down the row, and seeing if they can get help and, if not, they escalate it as quickly as possible. 

Any upgrade of an application this size, you're going to hit some snags and hurdles, but LogRhythm as a SIEM tool company, from a support perspective, has really allowed us to overcome those and we haven't really had any downtime as a result of upgrades.

How was the initial setup?

They go pretty well. Of course there are bumps and bruises, especially with LogRhythm being such a massive application. If it was to go 100% well, I would honestly think that it didn't go that well, and I just don't know about it.

What other advice do I have?

I don't think any application can truly be a 10 out of 10, especially one of LogRhythm's size; that would be very difficult to achieve. But an eight, in my mind, is perfect. That means there is room for improvement, there is room for me to work with the vendor, and talk back and forth about what my needs are specifically so they can work that into a feature request down the line.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user769659 - PeerSpot reviewer
Data Sec Program Manager at an insurance company
Video Review
Vendor
Streamlines correlating logs from many sources; enables alarms / reporting from them
Pros and Cons
  • "The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources."
  • "I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason."

How has it helped my organization?

The benefits we see are manifold: compliance. We have to store logs. We're under SOX control, we're now under the New York Department of Financial Services cyber regulations, we are under EU GDPR; loads of regulations are coming out. To be able to store these logs and be able to access them if we need to, from an archive point of view, is very valuable.

What is most valuable?

The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources. Every different log has a different time stamp, it has a different user, things are in different places. But with LogRhythm you can take all of your logs from all the different sources and make them relevant to each other. 

So if you're looking for a user that is doing something malicious or if you're looking for a computer that is maybe making some calls out to systems that you've never made before, you can correlate based on a user attribute or a computer attribute to say, "Go find me everything that that user is doing." Because of the correlation, you can then have alarms and reporting off of multiple log sources.

What needs improvement?

I'm not really sure I can pinpoint any particular area that I see LogRhythm needing improvement in. 

I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason. So I think with CloudAI coming out, that's really good. But maybe having more of LogRhythm in the cloud, and educating people about how we get LogRhythm more into the cloud.

Part of the care and feeding of LogRhythm is staying on top of what's coming out in LogRhythm. I know that their community site has been improved and that they're wanting people to be more involved with the community. But I think making people aware of parts of LogRhythm that are new is very important. 

What do I think about the stability of the solution?

On the whole it's a stable product. Occasionally we do have issues with upgrades, but Professional Services and the support staff have been very helpful with fixing any of the challenges that we've had.

What do I think about the scalability of the solution?

For us, because we're a small company with not that many locations - we only have seven datacenters in seven offices - we haven't had any problems with scale. 

We did purchase a company a few years ago and adding their log sources into LogRhythm did not pose a challenge. We always know that with the system that we purchased, there's a certain limitation of messages per second that we have to watch out for, and we've never gone over that. So for us there have been no issues with scale.

How are customer service and technical support?

Whenever we've had Professional Services on site to work through new alarms, to implement a new feature that we haven't used before, they're always very professional, they're always very responsive. They follow up on items that they said they would, which is always good. We're paying them to do a service, and that's always nice, that they perform their service.

We have had challenges in the past with EU-based support - most of this is run out of Dublin and London - and those challenges were overcome by LogRhythm bringing their support back in-house. They were using a second-level team to perform the support. But once they fixed that, we get great support from LogRhythm. 

When you open a ticket they acknowledge that a ticket has been put in, and then somebody will get back to us. We also have 24/7 support, so sometimes our ticket can move from the EU to the US, and we have people in the US that are able to take over the tickets. They seem to be very good at managing that. 

Which solution did I use previously and why did I switch?

We did not have a SIEM solution in place at all. I was told to go out and look for one, so I did, and LogRhythm definitely came out on top for what we needed it for.

How was the initial setup?

The main challenge with setting up LogRhythm is you cannot just put LogRhythm in and let it run. You have to put some care and feeding into it. You really have to work on it.

LogRhythm gives you a lot of standard rules, but some of those, a lot of them, do need tweaking, and there are reasons for it. They can create a global rule that would work for maybe 20% of their customers, but everyone needs to go in and actually make changes. You have to have staff on prem to be able to know your organization, know what your organization's looking for, and to be able to make those tweaks.

So the challenge with setting up LogRhythm is you don't just flip it on, you work at it, you make sure that you're invested in it. You have to have a team. It doesn't necessarily have to be a huge team of people that are working on LogRhythm 24/7. I'm sure for some financial institutions, or some institutions, that has to happen. But you need to align resources internally to be able to know the product. 

It's almost best if you have a first-line support for LogRhythm internally, because you can't always rely on somebody else to fix your problems. You really have to know your system. So taking the LogRhythm training - when we've had other people come on to our staff - I've done a lot of training, but we have had Professional Services come back and do more internal training. 

What other advice do I have?

In terms of criteria for choosing a vendor, when you go through an RFP process there are always weighted criteria. We went through that whole process and started out with eight vendors, got it down to two and then selected LogRhythm. For me it's relationship, I want to feel that the product that we're buying is going to be supported, and that we have almost a team behind us that is there. When we did purchase LogRhythm we felt that. We bought a lot of Professional Services time to help us implement. 

It's not like the sales guy says, "Okay bye," and never talks to you again, and just takes in the money for the license renewal every year. They have customer boards, the sales engineers will talk to you and will bring things to the table. They'll come and do a health check. I don't feel like we just bought a product with LogRhythm, I felt that we bought a team.

You have to allocate resources, and that's why I've recommended LogRhythm to a few friends and colleagues. To get the best out of LogRhythm you really have to put the time in.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
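The cross-source correlation this reviewer describes, as an added example that is not part of the review or of LogRhythm's own code: three constructed log lines in different shapes (a Windows 4624 logon, a BSD-syslog VPN line with no year, and a proxy access line with an epoch timestamp) are normalized into one schema so they can be pivoted on a user attribute, and a simple rule then alarms when one user logs in from two distinct source addresses within ten minutes. The field layouts, the year 2024 assumed for the year-less syslog stamp, and the ten-minute window are assumptions made for this example.

```python
"""Normalize log lines from three differently shaped sources into one schema,
pivot on a user attribute, and run one correlation rule over the result.
Added example; the sample lines below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2024  # assumption: BSD syslog stamps carry no year

# Constructed sample records (source tag, raw line). Field names mimic common
# formats; every host, user and address is invented.
SAMPLE_LOGS = [
    ("windows", "2024-05-01T08:02:11Z EventID=4624 TargetUserName=JDoe IpAddress=10.0.0.5 LogonType=10"),
    ("vpn", "May  1 08:05:40 vpn01 sslvpn: user=jdoe@corp.example src=203.0.113.9 action=login"),
    ("proxy", "1714550800.120 10.0.0.5 jdoe GET http://files.example.net/x.zip 200"),
    ("windows", "2024-05-01T09:15:00Z EventID=4624 TargetUserName=asmith IpAddress=10.0.0.7 LogonType=2"),
]

WIN_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")
VPN_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ \S+ user=(\S+) src=(\S+) action=(\S+)")
PROXY_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _event(ts, user, source, ip, action):
    """Common schema. The join key drops a UPN suffix or DOMAIN\\ prefix and lowercases."""
    key = user.split("@")[0].split("\\")[-1].lower()
    return {"ts": ts, "user": key, "source": source, "src_ip": ip, "action": action}


def normalize(source, line):
    """Map one raw line to the common schema; returns None when it does not parse."""
    if source == "windows":
        m = WIN_RE.match(line)
        if not m:
            return None
        ts_raw, event_id, user, ip = m.groups()
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))  # ISO 8601, UTC
        action = "login" if event_id == "4624" else "event_" + event_id
        return _event(ts, user, source, ip, action)
    if source == "vpn":
        m = VPN_RE.match(line)
        if not m:
            return None
        mon, day, clock, user, ip, action = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        return _event(ts.replace(tzinfo=timezone.utc), user, source, ip, action)
    if source == "proxy":
        m = PROXY_RE.match(line)
        if not m:
            return None
        epoch, ip, user, method, url, _status = m.groups()
        ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)  # epoch seconds
        return _event(ts, user, source, ip, f"{method} {url}")
    return None


def normalize_all(records):
    """Parse every (source, line) pair, dropping lines that do not match."""
    return [e for e in (normalize(src, line) for src, line in records) if e]


def pivot(events, user):
    """Everything one user did, across all sources, in time order."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])


def multi_ip_logins(events, window=timedelta(minutes=10)):
    """Alarm when a user logs in from more than one source address inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_user[e["user"]].append(e)
    alarms = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            ips = {first["src_ip"]}
            for later in logins[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                ips.add(later["src_ip"])
            if len(ips) > 1:
                alarms.append({"user": user, "start": first["ts"], "ips": ips})
                break  # one alarm per user is enough here
    return alarms


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LOGS)
    for e in pivot(evs, "jdoe"):
        print(e["ts"].isoformat(), e["source"], e["src_ip"], e["action"])
    for a in multi_ip_logins(evs):
        print("ALARM", a["user"], sorted(a["ips"]), a["start"].isoformat())
```

Everything hangs on the join key and the clock: a user that reaches the SIEM as `JDoe`, `jdoe@corp.example` or `CORP\jdoe` must collapse to one value, and every timestamp must land in one timezone before events are ordered, otherwise the pivot silently splits one user's activity into several and a time-window rule never fires.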
it_user756369 - PeerSpot reviewer
Senior Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
Vendor
Enables pivoting through the data in real-time; we can detect and remediate issues more quickly

What is most valuable?

I like the usability of it. I like the web console and the ability to pivot through all the data in real-time.

How has it helped my organization?

We have a pretty varied environment. We have all kinds of compliance. We have PCI, HIPAA, FISMA and the like. We are also a large development shop. It's not as strict as we would like it to be.

As a security organization, our key challenges/goals are just staying on top of everything. The environment changes rapidly, especially with a big dev environment.

Regarding meeting those goals, in the last two months that we've had LogRhythm it's been very good. We ripped out an old SIEM that wasn't quite as easy to use. That has been nice.

The benefits are that it gives us a central pane of view for all of our logs and all the events. Where it's really helped us is that it requires less time to remediate and detect any issues.

What needs improvement?

It's hard to say what should be improved because we're still trying to get an understanding of what the tool does.

I think in all the sessions we have at the LogRhythm User Conference, we'll find out more what the tool does. Then, from there, we'll probably decide if we really wish it would do this or that.

For how long have I used the solution?

Two months.

How are customer service and technical support?

I have not personally used it, but a co-worker has. So far, we're very happy with it.

Which solution did I use previously and why did I switch?

We did have a previous SIEM solution, which was IBM QRadar. One of the biggest reasons we decided to move on from that was cost. The renewal costs from IBM were extraordinarily high. We had already talked to LogRhythm for a different use case, with compliance. We already knew what LogRhythm had to offer.

How was the initial setup?

It was a little bit of both straightforward and complex. There were certain parts of it that were very straightforward. There were other pieces where we just had to get a grip on which log sources we were going to send where, and how to manage it all.

What other advice do I have?

When selecting a vendor, one of the biggest things for us is ease of use. The second is how are they going to be a partner with us?

In terms of advice to someone who is looking into this kind of solution, I would say to look at the long-term costs of any solution that you're looking at.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756360 - PeerSpot reviewer
Director Information Security at Vail Resorts
Vendor
An easy, centralized view of our environment

What is most valuable?

Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.

It has been the easiest SIEM platform that I have worked with or seen in production.

How has it helped my organization?

It is an easy, centralized view of our environment.

Our key challenges and goals are maturing our security operations and security event management process.

What needs improvement?

  • Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
  • The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us.

We have implemented it as a necessary feature, but we need to be able to mature that.

What was my experience with deployment of the solution?

I was just involved in the decision-making process. However, I know that the deployment was straightforward.

What do I think about the scalability of the solution?

It seems to be highly scalable and easy to scale.

How are customer service and technical support?

I have not used LogRhythm technical support.

How was the initial setup?

I was just involved in the decision-making process. However, I know that the setup was straightforward.

What other advice do I have?

It is extremely important for our solution to be a unified internal platform.

I would recommend looking into it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user756303 - PeerSpot reviewer
SYM Engineer Specialist at FIS
Consultant
Provides huge visibility into your network, you see everything and you see it easily

What is most valuable?

Visibility. Being able to see the system, see what's coming in, and being able to report on the logs coming in. Seeing what other people are doing and being able to track down quickly what is going on in your network.

How has it helped my organization?

We're a worldwide company with 50,000 employees, in probably 15 locations, three SOCs and four or five data centers.

It's made it quicker for us to see threats. It's an easier platform to work with. It's more user-friendly, GUI-based.

What needs improvement?

Easier creation of rules and parsing, and more user-friendly. A more user-friendly way of using the tool to create rules and alarms to be able to report off of, and to quickly stop any attacks and the like.

Also, more in-depth training on how the security platform works with other pieces of software like SQL, firewalls, or PowerShell.

What do I think about the scalability of the solution?

A ten again. It's very easy to scale.

How are customer service and technical support?

Great. They respond quickly and are very knowledgeable and they also allow us to be hands-on. Instead of them doing it for us, they actually teach us how to do it. So better knowledge transfer.

Which solution did I use previously and why did I switch?

We were using RSA Security Analytics and, before that, we were using RSA enVision. The challenges behind them were that they were very clunky, not very user-friendly, and you had to know coding, and you had to know command-line interfaces to even use them. Even on their GUI side. With LogRhythm we don't have to.

How was the initial setup?

It was straightforward and, like I said, a lot of good knowledge transfer on what to do and how to proceed.

Which other solutions did I evaluate?

IBM QRadar and RSA Security Analytics, but LogRhythm stood out because of their scalability and their interface and their user friendliness. Being able to easily navigate through the system.

What other advice do I have?

It is very important that our solution be a unified end-to-end platform. Very important. We wanted a one-stop shop with LogRhythm. We didn't want to use anything else to record our logs and stop threats.

I would give LogRhythm a 10 out of 10 just purely on the fact that they are very helpful, very knowledgeable. The software is very easy to use. Easy to learn. I came into security with no knowledge of security or how to do anything, and within a year I'm an administrator of the software. So it's pretty good.

I would say go with it. Hands down, one of the best security platforms I've seen. Easy to use, easy to scale, huge visibility into your network. You just see everything and you see it easily. You don't have to go search for things.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756381 - PeerSpot reviewer
Manager Of Cyber Security at a healthcare company
Vendor
It gives us advanced knowledge of malware presence and persistent threats
Pros and Cons
  • "As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration."
  • "In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution."

How has it helped my organization?

It has benefited the IT team's security functionality.

Our key challenge is HIPAA compliance. Then obviously, protection against malware, and particularly ransomware, is one vital threat to our organization.

What is most valuable?

As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration.

What needs improvement?

  • The greater AI
  • API support

Increased total costs of ownership (TCO): We have had to staff up our SOC. This has required analysts, which has required salary and staffing requirements.

In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution.

In addition, I'd like to see more automation coming in. Whilst they have SmartResponse, it does not yet configure with OpenAPI support. That is something that I feel they need to look at in their next edition.

What do I think about the scalability of the solution?

The scalability is very good. One of the reasons that we bought LogRhythm was because of its scalability. We intend to scale up as we increase our company size.

How are customer service and technical support?

It is mostly good. We are not always able to reach the right person. We have had a couple of problems that were escalated all the way to Level 3, but they have always been solved.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

As a healthcare organization, we obviously have to have HIPAA compliance. This was the main driver for purchasing the solution.

How was the initial setup?

I was involved in the setup. It was mostly straightforward.

What's my experience with pricing, setup cost, and licensing?

Look at your staffing. Do you have highly technical people on your staff? If you do, then you obviously want to buy the product and look at your scalability options. If you don't have your staff, absolutely look into the co-pilot and factor that into your cost evaluation.

Which other solutions did I evaluate?

The SIEM tools we considered included Splunk and SolarWinds.

For LogRhythm against Splunk, it was their pricing model. For SolarWinds, LogRhythm's reputation and scalability.

What other advice do I have?

It is highly important for our solution to be a unified end-to-end platform.

Most important criteria when selecting a vendor:

  • Scalability
  • The ability to have support.

LogRhythm has their co-pilot, which is absolutely essential, and whilst we do not use co-pilot in our organization, knowing it is there is certainly absolutely valuable.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user