The benefits we see are manifold, compliance. We have to store logs. We're under SOX control, we're under now New York Department of Financial Services, cyber regulations, we are under EU GDPR, loads of regulations are coming out. To be able to store these logs and be able to access them if we need to, from an archive point of view, is very valuable.
Data Sec Program Manager at an insurance company
Video Review
Streamlines correlating logs from many sources; enables alarms / reporting from them
Pros and Cons
- "The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources."
- "I don't feel like we just bought a product with LogRhythm, I felt that we bought a team."
- "I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason."
- "The main challenge with setting up LogRhythm is you cannot just put LogRhythm in and let it run."
How has it helped my organization?
What is most valuable?
The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources. Every different log has a different time stamp, it has a different user, things are in different places. But with LogRhythm you can take all of your logs from all the different sources and make them relevant to each other.
So if you're looking for a user that is doing something malicious or if you're looking for a computer that is maybe making some calls out to systems that you've never made before, you can correlate based on a user attribute or a computer attribute to say, "Go find me everything that that user is doing." Because of the correlation, you can then have alarms and reporting off of multiple log sources.
What needs improvement?
I'm not really sure I can pinpoint any particular area that I see LogRhythm needing improvement in.
I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason. So I think with CloudAI coming out, that's really good. But maybe having more of LogRhythm in the cloud. Educating people about how we get LogRhythm more into the Cloud.
Part of the care and feeding of LogRhythm is staying on top of what's coming out in LogRhythm. I know that their community site has been improved and that they're wanting people to be more involved with the community. But I think making people aware of parts of LogRhythm that are new is very important.
What do I think about the stability of the solution?
On the whole it's a stable product. Occasionally we do have issues with upgrades, but Professional Services and the support staff have been very helpful with fixing any of the challenges that we've had.
Buyer's Guide
LogRhythm SIEM
May 2026
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
896,467 professionals have used our research since 2012.
What do I think about the scalability of the solution?
For us, because we're a small company with not that many locations - we only have seven datacenters in seven offices - we haven't had any problems with scale.
We did purchase a company a few years ago and adding their log sources into LogRhythm did not pose a challenge. We always know that with the system that we purchased, there's a certain limitation of messages per second that we have to watch out for, and we've never gone over that. So for us there have been no issues with scale.
How are customer service and support?
Whenever we've had Professional Services on site to work through new alarms, to implement a new feature that we haven't used before, they're always very professional, they're always very responsive. They follow up on items that they said they would, which is always good. We're paying them to do a service, and that's always nice, that they perform their service.
We have had challenges in the past with EU-based support - most of this is run out of Dublin and London - and those challenges were overcome by LogRhythm bringing their support back in-house. They were using a second-level team to perform the support. But once they fixed that, we get great support from LogRhythm.
When you open a ticket they acknowledge that a ticket has been put in, and then somebody will get back to us. We also have 24/7 support, so sometimes our ticket can move from the EU to the US, and we have people in the US that are able to take over the tickets. They seem to be very good at managing that.
Which solution did I use previously and why did I switch?
We did not have a SIEM solution in place at all. I was told to go out and look for one, so I did, and LogRhythm definitely came out on top for what we needed it for.
How was the initial setup?
The main challenge with setting up LogRhythm is you cannot just put LogRhythm in and let it run. You have to put some care and feeding into it. You really have to work on it.
LogRhythm gives you a lot of standard rules, but some of those, a lot of them, do need tweaking, and there are reasons for it. They can create a global rule that would work for maybe 20% of their customers, but everyone needs to go in and actually make changes. You have to have a staff on prem to be able to know your organization, know what your organization's looking for, and to be able to make those tweaks.
So the challenge with setting up LogRhythm is you don't just flip it on, you work at it, you make sure that you're invested in it. You have to have a team. It doesn't necessarily have to be a huge team of people that are working on LogRhythm 24/7. I'm sure for some financial institutions, or some institutions, that has to happen. But you need to align resources internally to be able to know the product.
It's almost best if you have a first-line support for LogRhythm internally, because you can't always rely on somebody else to fix your problems. You really have to know your system. So taking the LogRhythm training - when we've had other people come on to our staff - I've done a lot of training, but we have had Professional Services come back and do more internal training.
What other advice do I have?
In terms of criteria for choosing a vendor, when you go through an RFP process there are always weighted criteria. We went through that whole process and started out with eight vendors, got it down to two and then selected LogRhythm. For me it's relationship, I want to feel that the product that we're buying is going to be supported, and that we have almost a team behind us that is there. When we did purchase LogRhythm we felt that. We bought a lot of Professional Services time to help us implement.
It's not like the sales guy says, "Okay bye," and never talks to you again, and just takes in the money for the license renewal every year. They have customer boards, the sales engineers will talk to you and will bring things to the table. They'll come and do a health check. I don't feel like we just bought a product with LogRhythm, I felt that we bought a team.
You have to allocate resources, and that's why I've recommended LogRhythm to a few friends and colleagues. To get the best out of LogRhythm you really have to put the time in.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Architect at a healthcare company with 1,001-5,000 employees
Video Review
We can constantly add logs into our system without any issues; find and fix problems fast
Pros and Cons
- "Quicker ability to troubleshoot the problem, find the problem, get it fixed, and get the customers back up and using our system."
What is most valuable?
I believe the most valuable feature for us has been that we have all the logs together. We can query them, we can find all kinds of different situations that are going on in our network that we wouldn't have knowledge of without searching many different servers and logs.
How has it helped my organization?
Quicker ability to troubleshoot the problem, find the problem, get it fixed, and get the customers back up and using our system.
What needs improvement?
I'm sure there are always areas, in stability and scaling, that need improvement. I don't have anything right off that I can say I know needs improvement right at this point.
What do I think about the stability of the solution?
We installed in 2009, and the stability has improved over the years. I consider it to be quite a stable product now. It seems to work day after day, week after week.
What do I think about the scalability of the solution?
With version 7, we feel the scaling improved a lot. We are a large health system and we are quite often adding new businesses, new healthcare offices, new hospitals to our system. We are able to add those extra logs into our system without causing any issues.
How is customer service and technical support?
Tech support has always been good from the very first. In most cases the first response is a good one. It does the job, and if not, then you get back to them and they stay with you until they get it fixed.
How was the initial setup?
We thought the setup was very quick and easy, of course we didn't try to boil the ocean all at once. We've been, over the years, adding more and more phases to our system, completed it in phases.
What other advice do I have?
Really figure out what you want it to do for you, because it is very flexible and can be used for many different purposes. Determine what you want to use it for, and then get the assistance from LogRhythm to help implement it in that way. Then you can always expand it and take in other areas. But your primary goals need to be met right up front.
We are very happy with it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Analyst 2 at a non-profit with 1,001-5,000 employees
Gives us visibility into areas we wouldn't have seen, such as code execution; allows us to drill down on servers
Pros and Cons
- "It's definitely given us a lot of visibility into areas that we probably wouldn't have normal visibility into, such as code execution and things like that."
- "For instance, we were trying to deal with pass the hash, which is a very common exploit and LogRhythm tech support told us they were just going to turn that rule off, that we can't use it."
What is most valuable?
- Visibility
- The AI Engine for rule generation
How has it helped my organization?
We have two facilities, a combination of all different platforms, Linux, Windows, etc. It's just all across the board.
It's definitely given us a lot of visibility into areas that we probably wouldn't have normal visibility into, such as code execution and things like that. It allows us to really drill down as to what's happening on the servers as they are being used in production, to where we can really get in and figure out what's going on.
What needs improvement?
It's pretty effective. In some cases we have run into some issues: The way that the rules work, and the alarms trigger. We get a good number of false positives.
I wish that there were more instructional videos on how to do different things and more walk-throughs.
Also, easier generation of AIE rules, or custom ones.
What do I think about the stability of the solution?
So far it's been really good.
What do I think about the scalability of the solution?
Scalability is very good.
How is customer service and technical support?
I've used LogRhythm tech support. I would rate it as very good, not excellent. For instance, we were trying to deal with pass the hash, which is a very common exploit and LogRhythm tech support told us they were just going to turn that rule off, that we can't use it. We had to keep pushing until we had someone in another department push to an upper level of tech support to finally get it to where it was working.
What other advice do I have?
It's very important for a solution to be a unified, end-to-end platform for us.
It's a really good solution. It's been very stable. At the same time, we have had some issues, some false positives.
And that issue I told you with tech support, there have been some challenges getting it to be where we wanted it to be, for a solution, like LogRhythm, that is supposedly best in the industry. I just thought it was kind of poor that they would take a common exploit that's been in use for years and say we can't get it to work when, obviously, they could get it to work. It was kind of lazy.
Still, I would say go with LogRhythm.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Engineer at Lancaster General Health
It's the center of our SOC but we are starting to use it for operational things as well
Pros and Cons
- "Overall, versus competitors, it is a lot easier to use, a lot more user friendly, but it still gives you a lot of flexibility to do whatever you want."
- "A month or two will go by and everything will be fine, and all of a sudden, something breaks."
What is most valuable?
- SmartResponse flexibility
- Ease of use
- Ease of administration
Overall, versus competitors, it is a lot easier to use, a lot more user friendly, but it still gives you a lot of flexibility to do whatever you want. The limit is your imagination, for SmartResponses at least.
How has it helped my organization?
We've actually been able to use it to show that we need more people, because we're going to be doing more. It's the center of our SOC, but we are starting to use it for operational things as well, not just security.
What needs improvement?
I would like to be able to use the Web Console, but because of our volume I can't.
Also, it needs to stay healthy. A lot of the problems seem to pop up out of nowhere, and a lot of them seem to be somewhat debilitating. We were fine for a long time, and then eventually one day our processing just dropped. I ended up talking to support for something like a month, and eventually I got to someone who said, "You should check the BIOS settings on your data processors and your indexers." Turned out there was some read-head caching setting that wasn't enabled by Dell. We were fine for over a year, and then all of a sudden, problems.
It's a great tool, just random dragons seem to cause problems.
What do I think about the stability of the solution?
Hit or miss, it depends. A month or two will go by and everything will be fine, and all of a sudden, something breaks. Then it's in the air for a little while, and then I manage to figure out what is causing the problem, fix that, and then everything is fine for a couple months. Then something else happens.
It's different every time. One specific example, I think it was related to a KB-update that basically broke a log source type, that was doing tens of millions of logs per day. And that just trashed our data processors. It put everything behind, we went down to single-digit processing, blocks-per-second processing, for a period of a few weeks. I had to rebuild all the MPE rules into a new log source policy, and then everything was fine.
For a few months everything was working and then all of a sudden one day it just goes into the toilet. We didn't do any upgrades, nothing like that, so that is why I'm thinking KB-update, but I haven't pushed it.
What do I think about the scalability of the solution?
It's pretty good, it's easy to add parts, it's pretty easy to do that. It's just expensive sometimes.
When we started, we had one platform manager, and two DPXs. And then we added this second organization, network domain, etc. Then we realized that we didn't have the infrastructure we needed to support everything. We were able to buy five DPXs, etc.
How is customer service and technical support?
On a scale of one to 10, it's a seven to eight.
Once you have escalate and validate, it's pretty easy to get to someone who knows what they're doing, and has a lot of the expertise in that specific area.
Which other solutions did I evaluate?
I know that it came down to LogRhythm, Splunk and ArcSight. They ideally wanted one person to administrate and run the whole system, which is why the other two got the boot and LogRhythm was chosen. That was the most important criterion in selecting a vendor.
What other advice do I have?
It's not perfect, but no solution is going to be perfect. If you have one person that you can dedicate forty hours a week to the SIEM it will be fine.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Advisor at a manufacturing company
The UI allows us to hand it off to our SOC and train them
Pros and Cons
- "LogRhythm meets our problem statement, as a solution."
- "I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI."
How has it helped my organization?
We have about 170,000 employees worldwide. We have thousands of unique log sources we're ingesting. Right now, it's kind of information overload in what we're trying to create logs off of.
Our key challenges are staffing and, right now, we're just trying to get the best bang for the buck on what we can create for alarms, so that's what we're trying to get out of being at the LogRhythm User conference.
We're about to ingest pretty much all of our log sources and write alarms based off the log sources. That's what we're working towards right now, getting valuable alarms to trigger for our SOC to action.
LogRhythm meets our problem statement, as a solution.
What is most valuable?
The UI. We can give it down to our SOC and we can train them.
What needs improvement?
The CloudAI obviously, that's going to be big for us. Hopefully that matures. I saw the problem statement video they did today at this conference, which is great. But I haven't seen anything tangible out of that yet, so looking forward to that.
I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI. Some of the things don't make sense. I think they need to better understand how a SOC would use that platform.
I don't think they understand that every morning we do a case review and we need a quick dashboard to go review open cases for our SOC. And that's not built into the dashboard, so we have to create that. There are some use cases that I think they should sit down a little bit more with the customer and understand how we use it.
What do I think about the stability of the solution?
It's pretty stable.
What do I think about the scalability of the solution?
It was scaled inappropriately when we got it, so we had to buy a bunch of hardware after that. But, it's working now.
How are customer service and technical support?
I don't use it. My cohort, who is more of the SIEM admin, he uses it quite a bit. I think he's happy with it, as far as I know.
Which solution did I use previously and why did I switch?
We used Q1 QRadar. After IBM bought it, it kind of died on a vine. They quit supporting it, so that was the main driver for getting off of that and going to LogRhythm.
How was the initial setup?
Pretty straightforward.
Which other solutions did I evaluate?
We did an RFP for all the major vendors, ArcSight, all the big ones. LogRhythm came out as the best SIEM tool.
What other advice do I have?
When selecting a vendor, for us, the platform has to be a unified, end-to-end solution. We've got so many unique platforms around our business that it has to be.
All SIEMs suck, but LogRhythm is the best.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at a financial services firm
Makes log information available on demand for investigation but generates a lot of alarms we have to overlook
Pros and Cons
- "The most valuable part of the solution is being able to view all of the logs whenever you want."
- "We have a lot of alarms that get overlooked, there's not a lot of prominence to them."
What is most valuable?
The most valuable part of the solution is being able to view all of the logs whenever you want. Any time an issue comes in or something that needs to be researched, I have the logs there. I can go in, run an investigation. It's pretty much at my hands. Information is available on demand. I feel like I'm in control of it, which gives me a warm, fuzzy feeling.
How has it helped my organization?
Pros and cons, I would say. We are short staffed, like the majority of the people are here at the LogRhythm World conference. We have a lot of alarms that get overlooked, there's not a lot of prominence to them. So our SLAs are overextended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.
Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.
What needs improvement?
If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.
What was my experience with deployment of the solution?
One thing that surprised me was how many logs were being generated by our environment and how many logs are just a waste of time, looking at them. They're just there. It's just logging information, and we were able to reduce.
Deployment, I believe, took about two weeks, and going from, let's say, 100 logs, we were able to reduce to about half of those logs in terms of what we're reviewing.
What do I think about the stability of the solution?
Stability is perfect. We have had no issues whatsoever with the servers, or with the Web Console or anything else.
What do I think about the scalability of the solution?
The scalability is awesome. Initially, when we first purchased LogRhythm, we purchased only about 20 lite agents. Then we realized, as we were looking for additional log sources, we needed more. Pretty much within a day, we were able to purchase additional licenses and get them rolled out to our organization.
How are customer service and technical support?
Tech support is amazing. They always follow up with a document on how to do something and if you still need further assistance, they're willing to get on the phone with you, without any doubt.
Which solution did I use previously and why did I switch?
We were using a different vendor and we decided to go against it. We wanted to bring this in, in-house. We were using Dell SecureWorks, and we were just not satisfied with their ability to give us reporting and information in a timely manner.
How was the initial setup?
It was a little complex, I did not have training prior to, so it was more of a hands-on learning, which I appreciate. I prefer to do hands-on. It's easier for me to learn that way. It was complex but at the same time it was educational. It had benefits.
What other advice do I have?
Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.
It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.
I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy with LogRhythm.
I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what they're getting in their environment and what other vendors might be missing.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Principal Security Specialist at University Of Massachusetts
We have been able to find out what is wrong, and suggest how to remediate
Pros and Cons
- "If I look back to my other SIEM solution providers, the one we had before this, it's light years difference."
How has it helped my organization?
Key challenge, of course, is how the threat situation changes every day. LogRhythm is on top of that and very helpful. Another challenge, of course, like many other companies, staffing is not where it should be, money is not where it's supposed to be, but we do well.
We service the University of Massachusetts, but we also have other customers, all higher-end. It's up to the customer what they want us to look at and LogRhythm, absolutely, has the tools that we need to find the data threats that the customers are interested in.
We're an MSSP and we've only been using LogRhythm this past year and we've actually found several instances where we've benefited our customers with the data that we have found, that we've collected. We were able to find out what was wrong, deep dive into it, and suggest to our customers what they need to do.
What is most valuable?
I would say the amount of data that it collects and the way it correlates it, extracts it, and makes it easy for an analyst to look at it and deep dive into it. I had another SIEM before LogRhythm and it was nowhere near what LogRhythm does.
The idea to me is collecting all this data and then extrapolating all that data, and it's phenomenal.
What needs improvement?
From what I saw yesterday here at the conference, they seem to be right on track with making the Web Console much easier, case management much easier.
When you're searching on something, you see something that you think may be a threat, you have to keep threat-hunting, deep diving, and from what I saw yesterday, it looks like it's going to get a lot easier and more helpful.
What do I think about the stability of the solution?
Unbelievable! Very good.
What do I think about the scalability of the solution?
Very good. I was very impressed, especially yesterday, here at the LogRhythm User Conference, I did the 7.3 session, what's coming out. We've been around, as I said, less than a year and within that time frame - and from what I saw yesterday - it's unbelievable the way LogRhythm is moving forward.
How is customer service and technical support?
If I look back to my other SIEM solution providers, the one we had before this, it's light years difference. LogRhythm support is very, very helpful, very knowledgeable. There's always somebody there. If they don't know the answer, they're going to go find someone who knows the answer. So it's very good.
How was the initial setup?
We used their Professional Services, I was one of a group of three - and the professional services - that helped roll out. It was pretty straightforward. Of course, it was different because it was all new to us, and using the Professional Services was very helpful.
What other advice do I have?
The driving factor in searching for a security solution would be, in this day and age, the threats that are out there are incredible. I think LogRhythm addresses a lot of the issues that are out there. Again, it's on us to make sure LogRhythm is a solution. It's a tool. If we don't use it properly it's pretty useless at that point. It's on us.
I would say it's very important that a solution be a unified, end-to-end platform, especially in a higher-end environment.
My nine out of 10 rating is based on what they offer, and what I saw yesterday at the conference, what they're coming out with. They seem to be on top of things.
Among the different SIEMs that are out there, the companies, I would definitely recommend LogRhythm.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Systems Support Analyst at a manufacturing company with 10,001+ employees
Ease of use has helped us uncover a lot of information and protect our data
Pros and Cons
- "As a security organization, our challenges are discovering where our data is at, most times, and protecting it, and just having everything in a single space has been very helpful."
What is most valuable?
Ease of use.
How has it helped my organization?
We're pretty new to it, but so far it's uncovered quite a bit of information. Just having everything in a single space has been very helpful.
As a security organization, our challenges are discovering where our data is at, most times, and protecting it. As I said, we're fairly young in LogRhythm, but so far it's done a very good job.
What needs improvement?
CloudAI is amazing from what I've heard about it so far, and I'm looking forward to it.
There is always room for improvement. Everybody continues to integrate. They've been a great company to work with so far. I'm one of those who is optimistic, there's always room for improvements.
What do I think about the stability of the solution?
Rock solid so far.
What do I think about the scalability of the solution?
Scalability is incredible. There are no two ways about that, we're not even scratching the surface, and we're a pretty large company.
How are customer service and technical support?
We've used tech support a couple of times, and they've been very responsive and very knowledgeable.
Which solution did I use previously and why did I switch?
This is our first SIEM. My biggest driving factor was something that we could run with a small team. Like most, we have a very limited set of people to do this.
How was the initial setup?
It was fairly complex, but that's just because we did the little things that aren't normal in our environment, but other than that fairly straightforward.
We did it in a little bit of a different fashion than most would. We deployed it in Azure, in a cloud environment. That was a little different, but still pretty straightforward.
What other advice do I have?
The unified, end-to-end solution is very key here. We have a lot of various tools, and trying to get them all into one is very key.
Be sure to size it properly. Don't try to boil the ocean. Get your key log sources and let it start paying for itself immediately; it will.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.