LogRhythm SIEM Reviews

I like the usability of it. I like the web console and the ability to pivot through all the data in real-time.

We have a pretty varied environment. We have all kinds of compliance. We have PCI, HIPAA, FISMA and the like. We are also a large development shop. It's not as strict as we would like it to be.

As a security organization, our key challenges/goals are just staying on top of everything. The environment changes rapidly, especially with a big dev environment.

Regarding meeting those goals, In the last two months that we've had LogRhythm it's been very good. We ripped out an old SIEM that wasn't quite as easy to use. That has been nice.

The benefits are that it gives us a central pane of view for all of our logs and all the events. Where it's really helped us is that it requires less time to remediate and detect any issues.

It's hard to say what should be improved because we're still trying to get an understanding of what the tool does.

I think in all the sessions we have at the LogRhythm User Conference, we'll find out more what the tool does. Then, from there, we'll probably decide if we really wish it would do this or that.

Two months.

I have not personally used it, but a co-worker has. So far, we're very happy with it.

We did have a previous SIEM solution, which was IBM QRadar. One of the biggest reasons we decided to move on from that was cost. The renewal costs from IBM were extraordinarily high. We had already talked to LogRhythm for a different use case, with compliance. We already knew what LogRhythm had to offer.

It was a little bit of both straightforward and complex. There were certain parts of it that were very straightforward. There were other pieces where we just had to get a grip on which log sources we were going to send where, and how to manage it all.

When selecting a vendor, one of the biggest things for us is ease of use. The second is how are they going to be a partner with us?

In terms of advice to someone who is looking into this kind of solution, I would say to look at the long-term costs of any solution that you're looking at.

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimiter attacks. We've found operational problems, misconfigurations, things like that.

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

It's good. We have all-in-one, an XM unit, because we're a smaller shop. It's been a great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

I'd say straightforward. We did have PS as well, so it was very helpful.

QRadar and Splunk. And, for whatever reason - it is not really a truly a SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor interoperability, the ability to pull logs, and the ease of customizing parsing logs. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it form 10,000 feet, I would say and Logarithm and it are probably much easier to mange, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How we can improve? How can we do this or that?" Our SE and sales guy are really great. Keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

For me, the NERC compliance modules are probably the best thing. And the system monitors, they really pick up a lot for me.

It helps you get an eagle-eye view and then delve down granularly. The ease of that is pretty amazing.

I've got three main datacenters and then I'm processing somewhere in the vicinity of 20 million logs a day. My key challenge is making sure that I'm complying with federal regulations.

It's helping me in my compliance role. Helping me to provide evidence for our audits so that I can show we're doing what we're doing.

My main thing I'd like to see is, when you're using canned reports, that they're not blank. If there's no log source say, "No log source", or if it didn't find anything say, "It didn't find anything". I hate blank reports.

I think it's pretty amazing. We have two deployments. My deployment is a small one that is on secured systems. We also have another deployment that's way bigger and for our normal corporate environment. So it fits from small to huge.

I have used LogRhythm tech support and I would say those guys are phenomenal, outstanding. They get back to you quick. If they can't answer it right off the bat they get an engineer to give you a call back, and they follow it through till it's good.

I gave it an eight out of 10 because you can kind of dig around and find what you need, so it's fairly user friendly. And the support that you get from their tech teams is pretty phenomenal.

I'd say definitely give it a look, and talk with them. I would definitely say that the support that you're going to get is well worth it.

It has helped tremendously when following up on investigations and logs. We often get bogged down with many tasks during the day. We can actually come back to a particular scenario that we are looking into, so it has been very beneficial for that.

Key challenges are our users and network. In our network, we get logs from a particular product called a NetScaler, which hides our source IPs, so that makes it a little challenging. Our goals are to tune LogRhythm further and utilize all the different modules that they do offer us. It is a challenge to get it all done.

• The web console
• The case management

I did hear about the new playbook edition coming up and I am excited about it.

It is excellent.

I have used the tech support and think they are great. I have many vendors that I deal with for other tools and hands down LogRhythm has been the best SIEM solution.

It is a big project, but very worthwhile, and LogRhythm has plenty of documentation, support people, professional services, and classes that can help get a business implemented and push them all the way to completion. I definitely think it is worthwhile.

It is very important for me that the solution be a unified end-to-end platform.

The consistency of its interface, whether you go to a dashboard, a search, an alarm - everything comes back consistently. There isn't a different interface for every function that you do, so it makes it very usable.

The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports.

I think part of the thing that LogRhythm has always done with the deployment is a lot of hand-holding by Professional Services. I would tell everybody that was going to do this to pay the money and get Professional Services. Don't try to do it by yourself.

Awesome. In fact, I just went through a scaling exercise where we outgrew our initial implementation and we were able to double, very easily, our capacity through an upgrade process.

They're awesome. We use them all the time. I tell my staff that whenever you have an issue, the first thing you do is you open a ticket with tech support, then you start playing with it. If you have solved it by the time tech support gets back to you, cancel the ticket.

We were previously using SolarWinds and we outgrew it. It wasn't scalable. We needed to find a solution that would scale as we grew it.

It was straightforward.

We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

• The user interface (UI)
• Ease of use, especially if you are starting off
• The AI

Key challenges and goals: Anytime you are building a program from the ground up, there is a lot of legwork to be done to get things tuned to the point where they are usable.

Effectiveness of solution in meeting security challenges and goals: It is very effective. It is a single pane of glass for all of the logs, that not just myself, but anybody who is looking for information about how the network is behaving can use. So, not just primarily a security tool, it is a tool for everybody if it is set up that way.

We run across the odd vendor which we are using that we think are large players in their environment, but there is not necessarily a native support for their log ingestion per se, where it requires customization in order to be able to parse and accept their logs. I would also like to see them expand on some of the ability to interact with other technologies in real time via the programming platforms.

It pre-existed before I got there. Once it was deployed, I have been responsible for most of the log ingestion and the tuning efforts.

It seems scalable so far. I have not had to add more devices to our deployment yet, but it has yet to be discovered.

We have used LogRhythm tech support and they are excellent. They have been very helpful.

This is our first adoption of a proper SIEM product, so there is really nothing to compare it to with respect to the job that I am in right now.

It pre-existed before I got there.

I am very happy with the solution right now. I would absolutely recommend it and have.

Most of the basics have been tended to, and as we discover other things that we need to get more data on, and they are brought up, the company addresses them.

The most important criteria when selecting a vendor: It is very important for it to be unified.

Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.

It has been the easiest SIEM platform that I have worked with or seen in production.

It is an easy, centralized view of our environment.

Our key challenges and goals are maturing our security operations and security event management process.

• Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
• The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us.

We have implemented it as a necessary feature, but we need to be able to mature that.

I was just involved in the decision-making process. However, I know that the deployment was straightforward.

It seems to be highly scalable and easy to scale.

I have not used LogRhythm technical support.

I was just involved in the decision-making process. However, I know that the setup was straightforward.

It is extremely important for our solution to be a unified internal platform.

I would recommend looking into it.

The recognition of many device types, log message formats, and the most common device types out there. Then, the ability to quickly display data, and do the classification on it. That is the big value.

I have used it a lot. I have used it against other SIEMs. I have used it in conjunction with other SIEMs, and it is the easiest to use and makes the most sense to me.

• Being able to gather the data into one central location.
• Being able to leverage alarm and case management features through there on that centralized single pane of glass. That lets us work through those issues that we find from all those disparate device types, fairly quickly and efficiently using that stuff.

Key challenges and goals are retaining talent. Guys tend to do really well in this field, oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.

I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set.

I was not involved in this particular deployment, but have deployed about 25 LogRhythm deployments previously.

It is straightforward. Not too bad.

It scales well. It can go from 1,000 messages per second to 50,000 messages per second fairly easily.

I have used a lot of tech support, and I think it's the best out of other SIEMs that I have worked with: McAfee ESM and IBM QRadar. LogRhythm definitely has the best support.

Go ahead and do the evaluation with their other competitors out there. Understand each of the SIEMs capabilities by sitting down with them. I think you will find that LogRhythm will win out.

A unified end-to-end platform is extremely important, because as we get going to this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, which LogRhythm is definitely one of those platforms that does that.

Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.