it_user756411 - PeerSpot reviewer
Security Analyst at a financial services firm
Vendor
Makes log information available on demand for investigation but generates a lot of alarms we have to overlook

What is most valuable?

The most valuable part of the solution is being able to view all of the logs whenever you want. Any time an issue comes in or something that needs to be researched, I have the logs there. I can go in, run an investigation. It's pretty much at my hands. Information is available on demand. I feel like I'm in control of it, which gives me a warm, fuzzy feeling.

How has it helped my organization?

Pros and cons, I would say. We are short staffed, like the majority of the people here at the LogRhythm World conference. We have a lot of alarms that get overlooked; there's not a lot of prominence to them. So our SLAs are overextended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.

Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.

What needs improvement?

If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.

What was my experience with deployment of the solution?

One thing that surprised me was how many logs were being generated by our environment and how many logs are just a waste of time, looking at them. They're just there. It's just logging information, and we were able to reduce.

Deployment, I believe, took about two weeks, and going from, let's say, 100 logs, we were able to reduce to about half of those logs in terms of what we're reviewing.

Buyer's Guide
LogRhythm SIEM
June 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.

What do I think about the stability of the solution?

Stability is perfect. We have had no issues whatsoever with the servers, or with the Web Console or anything else.

What do I think about the scalability of the solution?

The scalability is awesome. Initially, when we first purchased LogRhythm, we purchased only about 20 lite agents. Then we realized, as we were looking for additional log sources, we needed more. Pretty much within a day, we were able to purchase additional licenses and get them rolled out to our organization.

How are customer service and support?

Tech support is amazing. They always follow up with a document on how to do something and if you still need further assistance, they're willing to get on the phone with you, without any doubt.

Which solution did I use previously and why did I switch?

We were using a different vendor and we decided to go against it. We wanted to bring this in-house. We were using Dell SecureWorks, and we were just not satisfied with their ability to give us reporting and information in a timely manner.

How was the initial setup?

It was a little complex. I did not have training prior to it, so it was more of a hands-on learning, which I appreciate. I prefer to do hands-on. It's easier for me to learn that way. It was complex but at the same time it was educational. It had benefits.

What other advice do I have?

Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.

It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.

I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy with LogRhythm.

I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what they're getting in their environment and what other vendors might be missing.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user756405 - PeerSpot reviewer
Principal Security Specialist at University Of Massachusetts
Vendor
We have been able to find out what is wrong, and suggest how to remediate

How has it helped my organization?

Key challenge, of course, is how the threat situation changes every day. LogRhythm is on top of that and very helpful. Another challenge, of course, like many other companies, staffing is not where it should be, money is not where it's supposed to be, but we do well.

We service the University of Massachusetts, but we also have other customers, all higher-end. It's up to the customer what they want us to look at and LogRhythm, absolutely, has the tools that we need to find the data threats that the customers are interested in.

We're MSSP and we've only been using LogRhythm this past year and we've actually found several instances where we've benefited our customers with the data that we have found, that we've collected. We were able to find out what was wrong, deep dive into it, and suggest to our customers what they need to do.

What is most valuable?

I would say the amount of data that it collects and the way it correlates it, extracts it, and makes it easy for an analyst to look at it and deep dive into it. I had another SIEM before LogRhythm and it was nowhere near what LogRhythm does.

The idea to me is collecting all this data and then extrapolating all that data, and it's phenomenal.

What needs improvement?

From what I saw yesterday here at the conference, they seem to be right on track with making the Web Console much easier, case management much easier.

When you're searching on something, you see something that you think may be a threat, you have to keep threat-hunting, deep diving, and from what I saw yesterday, it looks like it's going to get a lot easier and more helpful.

What do I think about the stability of the solution?

Unbelievable! Very good.

What do I think about the scalability of the solution?

Very good. I was very impressed, especially yesterday, here at the LogRhythm User Conference, I did the 7.3 session, what's coming out. We've been around, as I said, less than a year and within that time frame - and from what I saw yesterday - it's unbelievable the way LogRhythm is moving forward.

How are customer service and technical support?

If I look back to my other SIEM solution providers, the one we had before this, it's light years difference. LogRhythm support is very, very helpful, very knowledgeable. There's always somebody there. If they don't know the answer, they're going to go find someone who knows the answer. So it's very good.

How was the initial setup?

We used their Professional Services, I was one of a group of three - and the professional services - that helped roll out. It was pretty straightforward. Of course, it was different because it was all new to us, and using the Professional Services was very helpful.

What other advice do I have?

The driving factor in searching for a security solution would be, in this day and age, the threats that are out there are incredible. I think LogRhythm addresses a lot of the issues that are out there. Again, it's on us to make sure LogRhythm is a solution. It's a tool. If we don't use it properly it's pretty useless at that point. It's on us.

I would say it's very important that a solution be a unified, end-to-end platform, especially in a higher-end environment.

My nine out of 10 rating is based on what they offer, and what I saw yesterday at the conference, what they're coming out with. They seem to be on top of things.

Among the different SIEMs that are out there, the companies, I would definitely recommend LogRhythm.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
PeerSpot user
Sr. Systems Support Analyst at a manufacturing company with 10,001+ employees
Real User
Ease of use has helped us uncover a lot of information and protect our data

What is most valuable?

Ease of use.

How has it helped my organization?

We're pretty new to it, but so far it's uncovered quite a bit of information. Just having everything in a single space has been very helpful.

As a security organization, our challenges are discovering where our data is at, most times, and protecting it. As I said, we're fairly young in LogRhythm, but so far it's done a very good job.

What needs improvement?

CloudAI is amazing from what I've heard about it so far, and I'm looking forward to it.

There is always room for improvement. Everybody continues to integrate. They've been a great company to work with so far. I'm one of those who is optimistic, there's always room for improvements.

What do I think about the stability of the solution?

Rock solid so far.

What do I think about the scalability of the solution?

Scalability is incredible. There are no two ways about that, we're not even scratching the surface, and we're a pretty large company.

How are customer service and technical support?

We've used tech support a couple of times, and they've been very responsive and very knowledgeable.

Which solution did I use previously and why did I switch?

This is our first SIEM. My biggest driving factor was something that we could run with a small team. Like most, we have a very limited set of people to do this.

How was the initial setup?

It was fairly complex, but that's just because we did the little things that aren't normal in our environment, but other than that fairly straightforward.

We did it in a little bit of a different fashion than most would. We deployed it in Azure, in a cloud environment. That was a little different, but still pretty straightforward.

What other advice do I have?

The unified, end-to-end solution is very key here. We have a lot of various tools, and trying to get them all into one is very key.

Be sure to size it properly. Don't try to boil the ocean. Get your key log sources and let it start paying for itself immediately; it will.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user756393 - PeerSpot reviewer
Junior Information Security Analyst at a financial services firm with 51-200 employees
Vendor
All logs in one place; we can quickly determine if there is a threat actor, from internal to external

What is most valuable?

The fact that I can quickly determine if there is a threat actor from internal to external. That's our primary goal. We have a lot of traders and a lot of developers, internal, so that's generally where our presence is. We don't have a whole lot of online presence. We're not so much worried about external actors.

Being able to determine what a user is doing is really helpful for us.

How has it helped my organization?

We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.

Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.

Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights, we were going by the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.

We've been able to identify certain individuals and not have issues past that.

What needs improvement?

There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that.

What do I think about the stability of the solution?

Stability is not great but I think that's our issue. Qualys seems to blow it up all the time, but that's more on us to stop Qualys from scanning LogRhythm.

What do I think about the scalability of the solution?

Scalability is pretty good. We rolled it out at our primary company and then rolled it out past, to our sister company, which went really, really well.

How are customer service and technical support?

It's awesome.

What other advice do I have?

It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.

I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.

One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."

Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user756387 - PeerSpot reviewer
IT Security Administrator at a financial services firm
Vendor
Facilitates receiving alerts quickly and remediating them with partial scripts

What is most valuable?

The Web Console, and digging in through the logs.

How has it helped my organization?

We use a single appliance, around 5,000 MPS. We're a Windows shop, so mostly Windows servers, desktops, workstations, etc. Somewhat distributed as well, we have three main sites and 20 or so distributed sites as well.

Our key challenges are mostly people, getting more resources, and the goal is just to get better. Are we better today than we were yesterday?

I think it has helped immensely. I think the ability to quickly receive an alert and investigate that alert is pretty beneficial. I think it is pretty effective.

Also, the ability to remediate alerts with partial scripts is pretty good.

What needs improvement?

I would definitely like to see more things in the Web Console, in terms of the ability to run reports and generate reports out of it, and schedule those. Instead of having to go to the fat client, you would just do it out of the Web Console.

Right now there are two brains, the Web Console and the fat console, so that hinders a little bit of the flexibility or innovation that they can do. It is a tough spot to be in, but otherwise it is a pretty good product.

What do I think about the stability of the solution?

In terms of just stability of the product, sometimes we have run into some issues there.

What do I think about the scalability of the solution?

In our environment, we have X number of clients, so that's not extremely scalable, but I know that the solution is pretty scalable.

How are customer service and technical support?

Support has been really good.

Which solution did I use previously and why did I switch?

We were using Splunk prior to this but it was too expensive and we needed a true SIEM solution.

How was the initial setup?

A little complex, but usually any SIEM is; just all the components that are in that one appliance.

What other advice do I have?

I am pretty impressed with it. I have seen it grow, just in the short time that we have had it.

It is very important for us that a solution be a unified, end-to-end platform. That is one of the biggest driving factors, having a single place that I can do network monitoring if we wanted to. We could do log correlation out of different security tools that we have.

Make sure you give it enough resources in terms of users. Somebody to manage it, whether that be an MSSP or an in-house resource.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Security Engineer at a healthcare company with 10,001+ employees
Real User
We can't feed it fast enough, gives us a ton of insights into our organization

How has it helped my organization?

We have 10 hospitals or so throughout Minnesota, and a lot of clinics and smaller health facilities. The technology stack is mostly Microsoft based. We do about 25,000 MPS.

Key challenge is just protecting PHI, personal healthcare information; that's a challenge in our industry. Patient care comes first, even before security. Then also, healthcare is a bit behind the loop. It's a large organization, we've got over 30,000 endpoints.

Just like any SIEM product, LogRhythm gives you a lot of insight into your organization. The web UI has been particularly helpful for our analysts and our budding SOC program. Being able to give them a nice kind of sexy layout, dashboard. And the reporting is great for management.

Then there are all the "cobwebs" that we're discovering, that LogRhythm gives us insight into.

We can't feed it fast enough, is basically what it comes down to. It's given us a ton of insight that we didn't have before. It's been magic.

What is most valuable?

The functionality of it. It definitely does a lot of things out of the box. You don't have to do a ton of tweaking and tuning, but that's there for you if you want it. Big-time usability and implementation is easy.

What needs improvement?

Maybe it's just my lack of understanding of it, but I would like to see the web UI expanded further.

I would also like to see - and there might be some documentation around it - building your own smart response plug-ins.

I think those would be pretty nice.

What do I think about the scalability of the solution?

So far so good. No complaints.

How are customer service and technical support?

It's been very good. I've had a couple of instances where it's taken a week or more to figure out the issue. But usually, when it gets to the tier-2, tier-3 guys, they get it answered really quickly. We've also had a lot of success sending logs to them so they can do regex on those for us, some custom parsing. It's nice.

The issues we had surrounded integrating the Qualys API, and some questions that we had. It ended up taking a while to get it figured out, that we needed to get a feature request put in.

What other advice do I have?

In terms of a solution being unified, end-to-end, for us it's huge. We have a ton of different security controls. I'm sure we're not any different than any other organization. Being able to bring it all in and put it on a single pane of glass is awesome.

My rating of eight out of 10 for LogRhythm is because, while I think the support is great, the solution is a little rough around the edges. Like I said, I'd like to see the web UI built out more, and be able to jam more data into it. The fat client console feels a little rough around the edges to me, even though I use it every day. But overall, not a ton of complaints.

Definitely check out LogRhythm. That's one of the things that I've noticed in talking to other people, it seems like people really focus on other top 10 SIEM tools like ArcSight and such. I don't hear LogRhythm talked about that much, so usually I'll bring it up and say, "Hey, go check out Logger."

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Andrew S. Baker (ASB) - PeerSpot reviewer
Cybersecurity & IT Operations Professional (VirtualCxO) at BrainWave Consulting Company, LLC
Consultant

LogRhythm is a very good tool, but it comes with a pretty hefty price tag (especially for smaller orgs than yours). While it does not have (as yet) the name of an ArcSight -- especially with larger orgs -- it is definitely making a strong name for itself in the mid-market and enterprise space.

it_user756369 - PeerSpot reviewer
Senior Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
Vendor
Enables pivoting through the data in real-time; we can detect and remediate issues more quickly

What is most valuable?

I like the usability of it. I like the web console and the ability to pivot through all the data in real-time.

How has it helped my organization?

We have a pretty varied environment. We have all kinds of compliance. We have PCI, HIPAA, FISMA and the like. We are also a large development shop. It's not as strict as we would like it to be.

As a security organization, our key challenges/goals are just staying on top of everything. The environment changes rapidly, especially with a big dev environment.

Regarding meeting those goals, in the last two months that we've had LogRhythm it's been very good. We ripped out an old SIEM that wasn't quite as easy to use. That has been nice.

The benefits are that it gives us a central pane of view for all of our logs and all the events. Where it's really helped us is that it requires less time to remediate and detect any issues.

What needs improvement?

It's hard to say what should be improved because we're still trying to get an understanding of what the tool does.

I think in all the sessions we have at the LogRhythm User Conference, we'll find out more what the tool does. Then, from there, we'll probably decide if we really wish it would do this or that.

For how long have I used the solution?

Two months.

How are customer service and technical support?

I have not personally used it, but a co-worker has. So far, we're very happy with it.

Which solution did I use previously and why did I switch?

We did have a previous SIEM solution, which was IBM QRadar. One of the biggest reasons we decided to move on from that was cost. The renewal costs from IBM were extraordinarily high. We had already talked to LogRhythm for a different use case, with compliance. We already knew what LogRhythm had to offer.

How was the initial setup?

It was a little bit of both straightforward and complex. There were certain parts of it that were very straightforward. There were other pieces where we just had to get a grip on which log sources we were going to send where, and how to manage it all.

What other advice do I have?

When selecting a vendor, one of the biggest things for us is ease of use. The second is how are they going to be a partner with us?

In terms of advice to someone who is looking into this kind of solution, I would say to look at the long-term costs of any solution that you're looking at.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user756363 - PeerSpot reviewer
IT Analyst at an energy/utilities company with 501-1,000 employees
Vendor
Visibility into all log sources in one place, and alerting are key advantages; helped us find misconfigurations

What is most valuable?

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

How has it helped my organization?

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimeter attacks. We've found operational problems, misconfigurations, things like that.

What needs improvement?

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

What do I think about the scalability of the solution?

It's good. We have an all-in-one, an XM unit, because we're a smaller shop. It's been great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

How are customer service and technical support?

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

Which solution did I use previously and why did I switch?

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

How was the initial setup?

I'd say straightforward. We did have PS as well, so it was very helpful.

Which other solutions did I evaluate?

QRadar and Splunk. And, for whatever reason - it is not really a true SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

What other advice do I have?

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor is interoperability, the ability to pull logs, and the ease of customizing parsing logs. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it from 10,000 feet, I would say LogRhythm and it are probably much easier to manage, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How can we improve? How can we do this or that?" Our SE and sales guy are really great. They keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user