LogRhythm SIEM Reviews

The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous. It improves the security posture, because you can then know when things are happening that are bad.

Before the LogRhythm solution, if someone was trying to login to a server with a local admin account, I would have no way of knowing that. Nothing would log it, audit it, and it would never show up. Now, I get an AIE alarm every time that happens, because it is considered a pass the hash attack.

If we know when these things are going on in our environments, we can identify rogue admins doing things that they should not be doing, and the questions can be asked, "Why are you using this process? What's failing you that you have to go around the normal procedure to do this?"

Another big one we found was just the ridiculous amount of PSExec running around the environment by non-admins to touch other things, which we have tried to curb. Then, we were able to ingest some custom log sources that have helped us become more proactive in alarming. Some of the stuff that we are using does not do good alerting, or it does not do role-based alerting. So I do not need an IT admin in Georgia to know about a potential issue in China. He does not care.

I need that alarm to go to China, and not to Georgia, but some of our solutions will only send their alarms to one source. So, you either send it to the entire IT organization, every time it happens, or you do not send them at all. It has helped us pair down the noise to our site level admins, and give them more actionable intelligence quicker.

We are a global company. We have 37 locations. China is one big country in Asia. We are on Australia, North and South America, and in Europe, with about 5,000 full-time employees. For the technology stack, we are running a single LogRhythm LR 6403. 2500 NPS license which we are currently hitting the lid on every day, and running a combination of Trend Micro and Malwarebytes. For endpoint, doing Cisco, Firesight for IPS. We are a Cisco shop, a 100% on the network, and we are a VMware shop, 100% for the servers.

Right now, my biggest challenge is distilling the technical data that I am getting out of the LogRhythm appliance, in my reports, and translating that to business value statements to the business units to justify that I need more NPS or I need a bump to NPS, or I need another VX, which is a lot of money to spend. I have to now, instead of making the fear argument of, "Oh my god, the world's on fire." Instead, it is more of, "Here is this device, here is how this solution partners with the business to enable them to make better decisions about risk." Also, they can feel safer in making somewhat more risky decisions, because they know that this solution is behind the scenes, watching, keeping an eye on things, and our team will tell them if something is going wrong.

The ability for me to go into the Web UI, and just learn what's going on in my environment. Being able to go in and show our company's management, "Look, this is what we can see. This is what we can now know about our environment."

Then, using the past several months to baseline what's normal, it has been invaluable, and we have also been able to stop things that were bad, at the same time. We were able to actually show value, while we were still building out the solution.

My biggest challenge always come back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm. I keep pressing through, and I know they are working hard on it, but that is our biggest challenge.

It has been incredibly stable. I had one minor hardware problem, where it did not reboot at all. It just sat there, but it was just a minor hardware thing, other than that, the software itself has been incredibly stable.

It is near infinite. We are running a single appliance, but I can, even with my current license, break the Web UI off and put it on a VM if I need to, just to relieve some of the pressure. If I need to bring in another appliance, I can bring in another VX, and cluster those, or I can move AIE off onto another machine, it goes vertical and it goes east-west.

Customer Service:

I can't say enough about LogRhythm's tech teams, the staff, the SEs, and even my CRM. They have all been fantastic.

Technical Support:

We are on a first name basis with most of the technical support.

My company did not get me professional services, so I deployed LogRhythm by myself, with no knowledge. So I probably opened 50 tickets in the first three or four months.

They are amazing. They have an incredible depth of knowledge, even the Level 1 person that answers the phone, and their Level 3 support has been invaluable.

LogRhythm is the first SIEM that my company has ever owned. They never owned one before, and it took a lot of convincing to get them to buy it in the first place.

Definitely do a PoC.

• Get an appliance in your system and your company.
• Get your PoC guys to sign their CTU.
• Then, truly think through the business case for this device.

What is it that the business finds important, and how can this appliance/device enable the business to know more about the solution, and to protect that solution from anything.

Because if you start with what we like in the tech industry and what we want to do, you are going to be talking about red team exercises and hacking attempts, and those are all good things to have, but they just do not translate on that initial ask for $100,000s.

You really need to target the business, find out what is important to them, then focus that stuff in, and try to answer their questions with the PoC. Then, they will sign any check you hand them.

We were actually dead set on using Splunk. I came from a Splunk shop at my previous job, and I am a big fan, but I had never seen the Web UI before. So, it is a combination of a few things: The web UI, price pressure from the business, and dedicated hardware, which made LogRhythm the overriding choice for us.

I have seen the features that are coming in 7.3, and they look incredible.

It has far exceeded what I thought it was going to do for me in my job role. With the Web UI, over like a Splunk solution, it has actually become a tool that is used outside of security. I do not have to have people who have Lucene SQL Query Syntax memorized in order to get a value out of the system. They can jump in, log in as themselves, point and click, build themselves a query, and everything's great, then they love it.

The visibility that it gives us into all of our data at once.

It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.

A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful.

It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program.

It scales enough for us. We haven't had any issues, no complaints about it.

I've used their training. I have not used their tech support. Again, we have an administrator, he's been there. He probably knows more about this than I do.

In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.

I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.

I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.

• The SmartResponse and the alarming
• The ability to write your own rule set

It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.

Sometimes our rules don't fire correctly, events don't get created correctly, but that's mostly just because we have to write custom regex.

Also, moving from away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful.

At times It gets a little clunky, or resource-intensive, but it works.

It works pretty well. It's somewhat hard to delete something out of the system. That's probably our only challenge, because we reuse an IP address and then it's difficult.

We've used them a few times. They were pretty good.

We actually weren't using anything before. It was a conglomerate of a firewall and the Windows logs. But we had an IT architect that was more into security.

It was pretty easy.

Regarding a solution being a unified, end-to-end platfrom, it helps, but it's not completely necessary.

For what it does, LogRhythm works pretty well.

If I were to advise a colleague who is looking into a this solution, I would say train someone, as their full-time, job to use it. It's not an easy product to get around.

The important thing in LogRhythm is the correlation in the AIE rules. It correlates all the logs to give meaningful events.

It helps us to improve our procedures management by decentralizing log management. We collect all the logs from our security devices, Windows server devices, and all the network devices into one single platform, then we can see all the events that led to the securities.

Our key challenge is how we can convince our top management that we are in a very secure state/environment.

The Web Dashboard UI: Maybe it can improve more to indicate some of what Splunk is doing, because I also compare with other SIEM products. Maybe LogRhythm can have some sort of dashboard similar to what Splunk is giving to their customers.

The product is good, but maybe they can further improve what they are doing in the roadmap, such as cloud AI and some of the web dashboard enhancements.

Since 2015.

At first, it is quite straightforward, but in terms of the the meaningful events, the AIE rules, during the implementation stage, we had difficulties getting the correct AIE rules, but further on it is improving.

For overall performance, it is very good. In terms of the correlation to the alarms rules, the AIE rules, I think in those terms of the reporting, maybe it can be further improved upon. The customization of the reporting could give more information that we need.

We have been using quite a lot of technical support. Every time we have any issues, we will create a ticket to LogRhythm support. Example, when we have an error in our deployment monitor's usage, they will have us fine tuning or do some maintenance to improve the logs, the logs that we receive.

During the proposal, we are looking at three to four different vendors, such as LogRhythm, Splunk, and IBM QRadar, so in term of alarms and AI intelligence, we see that LogRhythm is giving more accurate and meaningful events compared to the others.

My advice, when they first implement the solution, they should make sure that they know what data source or log sources that they want to give to LogRhythm to do the correlations, because they cannot just simply dump all the log sources to LogRhythm. It will impact performance, so they will need to carefully choose the log sources first. Then, after that, they can move away to the correlation, the engine rules, and so on.

It is important for us to have a unified internal platform.

The most important criteria when selecting a vendor:

The most critical thing for us is in term of the correlations, because without the correct correlation, or alarms, then there will be no meaningful events. So what our priority is to give many people events that we can trigger our teams to do the mitigation and remediation action.

It's allowed us to have more visibility into our network as well as be able to respond more quickly to incidents seen on the network.

• Being able to gather logs in one place
• Being able to process them and generate alarms

I work in a highly regulated industry. I know the product has compliance mechanisms, but being able to get more governance surrounding some of the compliance. Merging things that we have to be on top of would be helpful.

LogRhythm has been able to show that their products are very scalable. Usually, when you buy things that are out of boxes, you get them, they're old. But the new enhancements and things that LogRhythm continues to integrate allow you to scale up with them as they grow. They scale with you also.

I've used tech support. They're very helpful, very knowledgeable people who genuinely care about you and want to see not just their product but you, as a company, be successful.

This is our first iteration of SIEM at my organization. At the time, my superior had used Splunk previously, and that was what he was a fan of. But LogRhythm is one of the emerging leaders, price point was very important, and also to be with a company that's on the cutting edge of technology.

I think that anytime you're integrating SIEM monitoring tools into an environment, it is complex, but the LogRhythm Professional Services help make things easier, and I've worked with them every step of the way.

It's very important to our organization that the solution be a unified end-to-end solution.

I don't think any company is perfect, but I know that they're striving, and that's why I give them such a high score.

I understand that whatever you're buying with LogRhythm, it is not going to be static. It's a very dynamic company and a lot of new technologies emerge, so ensuring that you get the proper level of training upfront, as well as continued training for your staff, is important for being able to wrap your hands around what LogRhythm is actually doing and where they're going.

You start to talk about some things like blockchain and quantum, I'm sure that LogRhythm is already researching some of those new computer technologies. I didn't know what to expect back in 2015 when we bought the product, but it's showing to be agile, scalable, and the people are very knowledgeable.

It's given us more insight into the traffic patterns that we see.

The dashboards and the AI Engine.

Mostly they should just expand on the features that are already there. More pre-built parsers, more pre-built AI rules, more dashboard widgets that we can put to use.

I would say scalability is very good.

Mostly very good. We have had some issues that have taken a long time to resolve, various technical issues that have taken longer to resolve than we desire.

The criteria that we look when selecting a vendor are usually support, and being and end-to-end solution, that is very important too.

I gave it a nine out of 10 overall because we have had some support issues that haven't been resolved quickly enough but, other than that, I've been very happy with the product.

If a colleague was researching this and other popular SIEM tools, I would say for the most part I'm very happy with it. I would advise them to schedule a demo and see if it meets their needs.

AI Engine

It's got intelligence. Does a lot of the heavy lifting, you can create custom AI rules. I'm looking forward to this CloudAI.

It definitely complements all of the other solutions we have. We can feed all the logs into our system, build dashboards that the products themselves cannot provide. For example, we have web filtering, their dashboards aren't so great for that product. But when we feed it into LogRhythm, we can build dashboards that really show us what we need to see.

Pretty scalable. We were on an HA setup. Got about 2000 messages per second. It's pretty scalable.

They're top-notch. Every time I call, there's somebody willing to pick up the phone, somebody willing to jump on a WebEx, so I have nothing but good things to say about LogRhythm. Compared to every other product we have, LogRhythm support is the best. Without a doubt.

I've used Symantec SIM, which wasn't so great. This is a real breath refresher, because it's more scalable, and I feel it's a better product overall.

The most important factor, for me, when selecting a solution is that it needs to be lightweight.

Advice I would give to a colleague at another company who is researching this sort of solution: Talk to me first.

We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.

LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to login with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.

Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.

It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.

We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.

It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events and logging, alerting, in one spot. I come in and can see exactly what is happening.

The biggest thing is when you are looking at the client console:A lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful.

It is a little hard to get integrated.

The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two of work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.

Stability has been great.

Customer Service:

I have done a lot of good work with the account reps and engineers. It really feels like we are on the same team.

Technical Support:

Technical support has been pretty good. It has been a challenge, because we are not connected to the Internet, and when they want to get our logs, we are like, "Well, it is going to be a few days before any of it gets to you." That's our biggest challenge, but they have tried to work with us.

Overall, they have been good. They have been pretty helpful

I was not involved in the initial setup.

I would recommend talking to the rep. That's the biggest thing because they will know what questions to ask.

It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.

Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."

Most important criteria when selecting a vendor:

• Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
• Very flexible.
• Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
• Scalability: It looks like it is wonderfully scalable.
• Integration: I have been interested with what I have seen with the carbon block and the endpoint stuff.