LogRhythm SIEM Reviews

For me, the NERC compliance modules are probably the best thing. And the system monitors, they really pick up a lot for me.

It helps you get an eagle-eye view and then delve down granularly. The ease of that is pretty amazing.

I've got three main datacenters and then I'm processing somewhere in the vicinity of 20 million logs a day. My key challenge is making sure that I'm complying with federal regulations.

It's helping me in my compliance role. Helping me to provide evidence for our audits so that I can show we're doing what we're doing.

My main thing I'd like to see is, when you're using canned reports, that they're not blank. If there's no log source say, "No log source", or if it didn't find anything say, "It didn't find anything". I hate blank reports.

I think it's pretty amazing. We have two deployments. My deployment is a small one that is on secured systems. We also have another deployment that's way bigger and for our normal corporate environment. So it fits from small to huge.

I have used LogRhythm tech support and I would say those guys are phenomenal, outstanding. They get back to you quick. If they can't answer it right off the bat they get an engineer to give you a call back, and they follow it through till it's good.

I gave it an eight out of 10 because you can kind of dig around and find what you need, so it's fairly user friendly. And the support that you get from their tech teams is pretty phenomenal.

I'd say definitely give it a look, and talk with them. I would definitely say that the support that you're going to get is well worth it.

It has helped tremendously when following up on investigations and logs. We often get bogged down with many tasks during the day. We can actually come back to a particular scenario that we are looking into, so it has been very beneficial for that.

Key challenges are our users and network. In our network, we get logs from a particular product called a NetScaler, which hides our source IPs, so that makes it a little challenging. Our goals are to tune LogRhythm further and utilize all the different modules that they do offer us. It is a challenge to get it all done.

• The web console
• The case management

I did hear about the new playbook edition coming up and I am excited about it.

It is excellent.

I have used the tech support and think they are great. I have many vendors that I deal with for other tools and hands down LogRhythm has been the best SIEM solution.

It is a big project, but very worthwhile, and LogRhythm has plenty of documentation, support people, professional services, and classes that can help get a business implemented and push them all the way to completion. I definitely think it is worthwhile.

It is very important for me that the solution be a unified end-to-end platform.

The consistency of its interface, whether you go to a dashboard, a search, an alarm - everything comes back consistently. There isn't a different interface for every function that you do, so it makes it very usable.

The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports.

I think part of the thing that LogRhythm has always done with the deployment is a lot of hand-holding by Professional Services. I would tell everybody that was going to do this to pay the money and get Professional Services. Don't try to do it by yourself.

Awesome. In fact, I just went through a scaling exercise where we outgrew our initial implementation and we were able to double, very easily, our capacity through an upgrade process.

They're awesome. We use them all the time. I tell my staff that whenever you have an issue, the first thing you do is you open a ticket with tech support, then you start playing with it. If you have solved it by the time tech support gets back to you, cancel the ticket.

We were previously using SolarWinds and we outgrew it. It wasn't scalable. We needed to find a solution that would scale as we grew it.

It was straightforward.

We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

• The user interface (UI)
• Ease of use, especially if you are starting off
• The AI

Key challenges and goals: Anytime you are building a program from the ground up, there is a lot of legwork to be done to get things tuned to the point where they are usable.

Effectiveness of solution in meeting security challenges and goals: It is very effective. It is a single pane of glass for all of the logs, that not just myself, but anybody who is looking for information about how the network is behaving can use. So, not just primarily a security tool, it is a tool for everybody if it is set up that way.

We run across the odd vendor which we are using that we think are large players in their environment, but there is not necessarily a native support for their log ingestion per se, where it requires customization in order to be able to parse and accept their logs. I would also like to see them expand on some of the ability to interact with other technologies in real time via the programming platforms.

It pre-existed before I got there. Once it was deployed, I have been responsible for most of the log ingestion and the tuning efforts.

It seems scalable so far. I have not had to add more devices to our deployment yet, but it has yet to be discovered.

We have used LogRhythm tech support and they are excellent. They have been very helpful.

This is our first adoption of a proper SIEM product, so there is really nothing to compare it to with respect to the job that I am in right now.

It pre-existed before I got there.

I am very happy with the solution right now. I would absolutely recommend it and have.

Most of the basics have been tended to, and as we discover other things that we need to get more data on, and they are brought up, the company addresses them.

The most important criteria when selecting a vendor: It is very important for it to be unified.

Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.

It has been the easiest SIEM platform that I have worked with or seen in production.

It is an easy, centralized view of our environment.

Our key challenges and goals are maturing our security operations and security event management process.

• Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
• The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us.

We have implemented it as a necessary feature, but we need to be able to mature that.

I was just involved in the decision-making process. However, I know that the deployment was straightforward.

It seems to be highly scalable and easy to scale.

I have not used LogRhythm technical support.

I was just involved in the decision-making process. However, I know that the setup was straightforward.

It is extremely important for our solution to be a unified internal platform.

I would recommend looking into it.

The recognition of many device types, log message formats, and the most common device types out there. Then, the ability to quickly display data, and do the classification on it. That is the big value.

I have used it a lot. I have used it against other SIEMs. I have used it in conjunction with other SIEMs, and it is the easiest to use and makes the most sense to me.

• Being able to gather the data into one central location.
• Being able to leverage alarm and case management features through there on that centralized single pane of glass. That lets us work through those issues that we find from all those disparate device types, fairly quickly and efficiently using that stuff.

Key challenges and goals are retaining talent. Guys tend to do really well in this field, oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.

I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set.

I was not involved in this particular deployment, but have deployed about 25 LogRhythm deployments previously.

It is straightforward. Not too bad.

It scales well. It can go from 1,000 messages per second to 50,000 messages per second fairly easily.

I have used a lot of tech support, and I think it's the best out of other SIEMs that I have worked with: McAfee ESM and IBM QRadar. LogRhythm definitely has the best support.

Go ahead and do the evaluation with their other competitors out there. Understand each of the SIEMs capabilities by sitting down with them. I think you will find that LogRhythm will win out.

A unified end-to-end platform is extremely important, because as we get going to this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, which LogRhythm is definitely one of those platforms that does that.

Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.

The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous. It improves the security posture, because you can then know when things are happening that are bad.

Before the LogRhythm solution, if someone was trying to login to a server with a local admin account, I would have no way of knowing that. Nothing would log it, audit it, and it would never show up. Now, I get an AIE alarm every time that happens, because it is considered a pass the hash attack.

If we know when these things are going on in our environments, we can identify rogue admins doing things that they should not be doing, and the questions can be asked, "Why are you using this process? What's failing you that you have to go around the normal procedure to do this?"

Another big one we found was just the ridiculous amount of PSExec running around the environment by non-admins to touch other things, which we have tried to curb. Then, we were able to ingest some custom log sources that have helped us become more proactive in alarming. Some of the stuff that we are using does not do good alerting, or it does not do role-based alerting. So I do not need an IT admin in Georgia to know about a potential issue in China. He does not care.

I need that alarm to go to China, and not to Georgia, but some of our solutions will only send their alarms to one source. So, you either send it to the entire IT organization, every time it happens, or you do not send them at all. It has helped us pair down the noise to our site level admins, and give them more actionable intelligence quicker.

We are a global company. We have 37 locations. China is one big country in Asia. We are on Australia, North and South America, and in Europe, with about 5,000 full-time employees. For the technology stack, we are running a single LogRhythm LR 6403. 2500 NPS license which we are currently hitting the lid on every day, and running a combination of Trend Micro and Malwarebytes. For endpoint, doing Cisco, Firesight for IPS. We are a Cisco shop, a 100% on the network, and we are a VMware shop, 100% for the servers.

Right now, my biggest challenge is distilling the technical data that I am getting out of the LogRhythm appliance, in my reports, and translating that to business value statements to the business units to justify that I need more NPS or I need a bump to NPS, or I need another VX, which is a lot of money to spend. I have to now, instead of making the fear argument of, "Oh my god, the world's on fire." Instead, it is more of, "Here is this device, here is how this solution partners with the business to enable them to make better decisions about risk." Also, they can feel safer in making somewhat more risky decisions, because they know that this solution is behind the scenes, watching, keeping an eye on things, and our team will tell them if something is going wrong.

The ability for me to go into the Web UI, and just learn what's going on in my environment. Being able to go in and show our company's management, "Look, this is what we can see. This is what we can now know about our environment."

Then, using the past several months to baseline what's normal, it has been invaluable, and we have also been able to stop things that were bad, at the same time. We were able to actually show value, while we were still building out the solution.

My biggest challenge always come back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm. I keep pressing through, and I know they are working hard on it, but that is our biggest challenge.

It has been incredibly stable. I had one minor hardware problem, where it did not reboot at all. It just sat there, but it was just a minor hardware thing, other than that, the software itself has been incredibly stable.

It is near infinite. We are running a single appliance, but I can, even with my current license, break the Web UI off and put it on a VM if I need to, just to relieve some of the pressure. If I need to bring in another appliance, I can bring in another VX, and cluster those, or I can move AIE off onto another machine, it goes vertical and it goes east-west.

Customer Service:

I can't say enough about LogRhythm's tech teams, the staff, the SEs, and even my CRM. They have all been fantastic.

Technical Support:

We are on a first name basis with most of the technical support.

My company did not get me professional services, so I deployed LogRhythm by myself, with no knowledge. So I probably opened 50 tickets in the first three or four months.

They are amazing. They have an incredible depth of knowledge, even the Level 1 person that answers the phone, and their Level 3 support has been invaluable.

LogRhythm is the first SIEM that my company has ever owned. They never owned one before, and it took a lot of convincing to get them to buy it in the first place.

Definitely do a PoC.

• Get an appliance in your system and your company.
• Get your PoC guys to sign their CTU.
• Then, truly think through the business case for this device.

What is it that the business finds important, and how can this appliance/device enable the business to know more about the solution, and to protect that solution from anything.

Because if you start with what we like in the tech industry and what we want to do, you are going to be talking about red team exercises and hacking attempts, and those are all good things to have, but they just do not translate on that initial ask for $100,000s.

You really need to target the business, find out what is important to them, then focus that stuff in, and try to answer their questions with the PoC. Then, they will sign any check you hand them.

We were actually dead set on using Splunk. I came from a Splunk shop at my previous job, and I am a big fan, but I had never seen the Web UI before. So, it is a combination of a few things: The web UI, price pressure from the business, and dedicated hardware, which made LogRhythm the overriding choice for us.

I have seen the features that are coming in 7.3, and they look incredible.

It has far exceeded what I thought it was going to do for me in my job role. With the Web UI, over like a Splunk solution, it has actually become a tool that is used outside of security. I do not have to have people who have Lucene SQL Query Syntax memorized in order to get a value out of the system. They can jump in, log in as themselves, point and click, build themselves a query, and everything's great, then they love it.

The visibility that it gives us into all of our data at once.

It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.

A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful.

It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program.

It scales enough for us. We haven't had any issues, no complaints about it.

I've used their training. I have not used their tech support. Again, we have an administrator, he's been there. He probably knows more about this than I do.

In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.

I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.

I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.