LogRhythm SIEM Reviews

The most valuable feature is the AI engine, as well as the usual SIEM product stuff. The ability to have all of our logs in one place is a big thing for me.

It’s brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.

The reporting aspect is difficult to use and very difficult to get your own reports. So far this is it; they have a web UI and we had a recent update which fixed a lot of bugs and added a lot of great features. But the reporting is lackluster.

I've used it for 10 months.

We've had no issues with deployment.

Since we purchased one of their boxes, we've had 99% uptime. The only downtime has been for updates and upgrades. So we've had no issues with instability.

We foresee that it's scalable for our future developments. At the moment, we are using half of what it’s able to do.

I've been happy with the support in the initial setup. The support in our environment was well done. For any issues, we have had someone on the phone on that day, so there have been no downtime issue. They are super nice.

We didn’t have a solution before. It's usable out-of-the-box and it covers a lot of holes. It's done its job.

We looked at AlienVault and Qradar.

Definitely do a test run, a proof of concept, so it’s understood how it’s going to work in your environment. Also, take the training that they provide; i t's super valuable.

• SIEM
• File Integrity Monitoring
• Danned compliance reports (PCI, GLBA, HIPAA).

The solution has significantly reduced the time and effort necessary to manage and review logs and produce reports for regulatory compliance.

No current suggestions.

I've used it for six years.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

10/10

No previous solution was in place.

Our entire implementation was completed in one day.

The vendor team was one of the best we have ever worked with. They were able to work through issues not covered in their implementation manuals quickly, and without further support.

No ROI. The solution is in place to meet PCI compliance and improve our overall security posture.

While LogRhythm's professional services are one of the best we have ever worked with, their hourly rate is generally quoted at a much higher rate than the industry standard. Additionally, the hours necessary for an engagement are also regularly over estimated.

Several other solutions were considered including Q1 Labs (now IBM), EMC, and HP.

There were two primary reasons we selected LogRhythm. First was the ease of implementation, which was extremely simple and straight forward. Second, was the integration of file integrity monitoring. LogRhythm at the time, and I believe still today, was the only vendor that provided a solution that included integrated SIEM and FIM.

Our primary use case for LogRhythm is using the log ingestion and analytic features.

LogRhythm improves our organization by giving us insight into user activity and potential security threats.

Our mean time to detect and respond has really improved with LogRhythm. We've got more people, more visibility, and on our team, looking at security incidents, and we're able to act on things more quickly.

I see room for improvement in the log ingestion. Customizing a log source is very technical, probably more technical than it has to be.

Our security program's maturity is, I would say, fairly advanced. LogRhythm uses a maturity model of crawl, walk, run, and I think we're just about to move from walking to running.

The most valuable features, for me as user, is probably the AI engine rules and dashboards, which give us a lot more insight into our security.

The playbooks functionality will be valuable down the road, but right now my team is too small to really take advantage of it.

Our messages per second right now is probably about 4,500.

I see room for improvement in the log ingestion. Customizing a log source is very technical, probably more technical than it has to be.

Stability of the products is mostly pretty good. Like anything else, there are incidents that we have to respond to. Some very small amount of downtime, some system administration that goes along with any implementation like that.

Scalability, for us, has been very good. We've had two appliances in five years. We've been able to upgrade without too much of a problem.

We have to use tech support pretty regularly and it is sometimes not very good. We've had issues where we can't get immediate responses that we need, and cases are open for far too long.

I was not involved in the initial setup. I inherited it from a previous admin.

We probably had close to 2,000 log sources at this time. Setup for them is variable. Some are straightforward, supported out of the box, some take a little more technical expertise.

If I had to rate LogRhythm on a scale of one to 10, I would probably give it a solid eight.

The primary use case is to monitor for compliance and the behavioral analytics of our users, tracking for potential threats to the company's infrastructure.

We are using both products. We are using NetMon integrated with the LogRhythm platform.

It has centralized monitoring for our security operations. Therefore, it improves our analysts' work. 

Our security program's maturity has been transformational for my staff. First from an educational standpoint, all the staff has started to go through either admin or analyst tracks and education. This definitely organizes my security operations to the point that it makes it easy for me to do security operations. It facilitates it throughout the organization.

Out-of-the-box, it already has a knowledge base solution. Therefore, if you do a little bit of work, such as configure the lists and log sources, you can have use cases implemented quickly.

Their current roadmap is what I want to see implemented. I want to be able to upgrade to 7.4 and have the playbooks implemented as fast as possible. 

Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on product, though we do struggle with them on a daily basis.

Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution. 

LogRhythm is looking at elasticity and trying to make the product more scalable.

We use the tech support on a daily basis. They are very easy to reach. There is always a person whom you can talk to and is focused on my issue at hand. They really pay attention to me, and that's worth it in my book.

I maintain the solution. Right now, I have two dedicated engineers and two analysts. However, we need more staff and are looking to hire more because we want to grow this solution to suit our needs.

It improves our mean time to be able to respond and remediate issues that we come across.

There is a different reason why you pick LogRhythm over its competitors. It is a security SIEM, where others are SIEMs but not focused on just security.

The capabilities of playbooks is in 7.4, which we are not able to utilize yet. Therefore, we have built outside of the solution playbooks. However, we are looking forward to the integration of playbooks in 7.4, or even version 8. 

We were shown today a couple of things where playbooks will be enhanced, even having SMARTResponse coming right out of the playbooks, so hopefully advanced SOAR capabilities.

We run two independent LogRhythms. On one, we have about 33,000 different log sources, which include endpoints and now IoT devices. On the other, we have a very small footprint. It somewhere around 3000 log sources.

On one of my LogRhythms, I have a message per second around 2400 to 2500. That spikes depending on the time of day. Sometimes, it goes up to 17,000. On average, it comes back down to about 2300. On the other LogRhythm, there are very few messages per second. It is around 600. 

Do your homework first. See what pie in the sky solution is supposed to be for your SIEM. Do not just check a box. LogRhythm will more than likely suit your needs.

What I found most helpful out of it is the ability to see all of the same data, that I would get from my appliances, in one place. I don't have to log in to six or seven different appliances and hunt for that kind of information. I can just do some queries within LogRhythm and it tells me the same information.

One of the things I find that would be helpful is the GLPR information, to be able to understand what is actually being processed. I've got, say, 20 different rules, but I don't know which one is getting more of the data, which is getting none of the data, because there's not really a good interface for that.

The stability, it's pretty high, there were some early issues, we were overrunning it with data, and part of it was a sizing issue. Once we got through that it's been running a lot better and it's been more stable. We haven't had to worry about it falling over on itself.

At this point we're still using a single XM appliance. The scaling that we've had is really just upgrading from an older-series to a newer-series XM appliance.

There were a lot of support calls we went through, and they would tweak and change a few settings here and there. Then eventually, what we did was we upgraded to different hardware because there wasn't anything else we could remove. We had to continue to keep getting those same logs.

I would say to us, the thing that matters most is the automation of the AI rules that are being sent to our emails to let us know what's happening within our network and within our environment.

When we set it up, we went through and probably turned on about 14 AI rules that we found to be really advantageous to us, and have tuned those over the past couple years. It's just worked out really well for us.

PCI compliance was our main driver for purchasing LogRhythm, but it turns out there was just a ton of other information that really came from having that appliance, other than just being PCI compliant and checking that box for us. 

Like I said, it was just more insight into our own network, our own users, our own flow of traffic, helping to alleviate a lot of that burden from our system admins by automating some of those alerts. So, all in all, it's just been a great fit for us.

I'm really excited about the CloudAI stuff. One thing I've asked, and I don't know if it's in the works or not, is for a better way to test our AI rules, to make sure they're working correctly, instead of having to manually go in to each one and doing an invalid login to see if the rule fires. Some better way to test all those rules that we have turned on and enabled would help.

Out of 10, I would give it an eight. We upgraded our firewall and that broke our parsing rules and it took a while to get that all fixed, but other than that it's been great.

We haven't taken in a whole lot of logs since our initial setup, so we haven't scaled it, I'd say, to its potential yet. 

We're on an upgrade path, we just got to 7.2.5 and we're on the beta program for 7.3 to get to CloudAI. Once we get that done, we plan on ingesting more logs, going to Office 365, pulling those down. So, we plan on really growing it.

Technical support has been great. I will be honest with you, I think that's one of the strengths of LogRhythm. Every time I've opened a ticket I've gotten a response back that day. They're great, they work through it. Even when we did our upgrade through Professional Services, she was great. She recorded the whole session so we could use that at our next upgrade. 

I've just found them to be tremendous.

For me, not having been in the security world, at least on the SIEM appliance side, it was a lot to take in at first. We had an onsite engineer come in, help us put it in play. We had a week's worth of training. All in all, it went pretty smoothly. 

There were gaps in our knowledge, I think, but that's where we opened up customer service requests and they came through and helped us out. But for me, personally, I would say it went well. It was just "a lot," it was new to us, it was new to our organization, so it was just a lot of information, but as far as it goes, it was pretty smooth.

We're really happy with it.

We did a bake-off with several others when we brought in LogRhythm, 10 months ago. And a lot of it was around a cost perspective. Also, its capability of easily ingesting event data from many different types of platforms. 

Some of the competitors require the use of agents that are deployed on those various end-points, or they'd be servers or otherwise, to ingest it. So this is a much quicker deployment. 

And through their upgrade processes that we've seen, it makes it a much more streamlined process, rather than having to touch on multiple end-points.

Any SIEM, in and of itself, should be easy to ingest data, it should also be easy for the analyst to assess the different types of events that are coming through, be able to sift through false positives, and ensure that they are only acting on things that are truly actionable, that need to have attention. It's not one of those things that you want to have analysts spending a lot of time on, and then seeing false positives in the system. It just gets to a lack of trust within the system.

LogRhythm has shown to us, to this point in time, that it has the capabilities of being able to deliver actionable intelligence to the security engineers and analysts.

The biggest thing that we need - in one of the presentations today here at the LogRhythm User conference they were talking about it - is automating your SOC and trying to get your systems to do as much as they can do without human intervention. Which is great. 

I provided feedback afterwards to say, "We need to be able to ingest all data. And we need to be able to parse all data." What that means is, my Checkpoints that I have today, which is my unified-threat management system, I'm only able to ingest firewall logs and events from the blade. I own all the other blades from Checkpoint: IPS, Threat Emulation, threat detection, Data Loss Prevention. All of those blades have data that I need to be able to feed down into LogRhythm. From there, we also need to be able to truly parse the data. I've had to have a couple of custom collectors built specifically for SQL Server-type events, for database analysis, to ensure that the data that's being brought in, the events are parsed, we can be actionable on that.

Stability has been, for the most part, quite good. We do have a HA, High Availability configuration, between two different datacenters. 

There have been a few challenges that we're working through. Mostly it's a Windows-based, all-in-one appliance that we have. We are in discussions with LogRhythm support right now in respect to HA breaking through automated patching. But we're encouraged that we're going to be able to get over that hurdle, and then we'll have a 100% up-time with it.

As the Security Officer of the organization, I don't have to interact with them directly. My team has found that there are some very good engineers that they've been engaged with, and have been able to work with them throughout different issues. They've said a lot of good things about the support portals; better than some of the other technology products that we offer. 

I know some of the other technologies that we use for our unified-threat management systems and the like, some of those portals are a little bit more cumbersome to actually put in support tickets. LogRhythm seems as if they want to really engage with you, so they don't make it overly cumbersome to put in a ticket.

It's been fairly good interaction, with the capabilities that they offer to quickly get an engineer on the line.

We were a QRadar shop for five years prior. To be honest, the product was great initially, when it was a Q1 Labs product. Things started to change a bit after IBM's acquisition of it. So we were looking to see if there were better alternatives. The top-two were LogRhythm and Splunk. 

We did a several week SIEM solutions comparison between the two of them. Splunk is a great product in and of itself, but it was too massive for us, for our size of organization. As well, it looked like it would require a little bit too much of an analytical programming background for my engineers and analysts, which they don't have. So they were really most satisfied with the LogRhythm platform, its capabilities, the ease of use. And then, from my perspective, from the company's checkbook, the sustainability of it, the upfront cost, and the long-term ownership of it.

I did oversee the implementation, and the initial setup that we did seemed to be fairly straightforward. My engineers were very happy with the simplified installation process. 

Being an all-in-one appliance, that helps a lot in the initial setup. You rack it, you perform the updates, being a Windows box. And even some of the software upgrades that we've done since our initial purchase and installation, those have been fairly trivial as well.

A lot of the competitors, IBM specifically, there's these WinCollector and other types of agents that you have to install and push the event data to the SIEM. 

LogRhythm is more of a collection using APIs to pull the data down, so it's much more efficient. And you don't have to get any of the other areas within infrastructure, or the application teams, to participate. You just go and point at the systems, assuming you have the correct level of authorization and credentials, and then the data is ingested naturally.

The solution, one to 10 at this time, would probably be a strong seven. Right now there is the concern about being able to gather all of the data into the system. That's key. It's one of those things, pre-sales versus post-sales, what is said can be done, and then what actually is fruition. There is only so much you can do in a proof of value, or what they sometimes call proof of concepts - in those bake-offs - because you only have a limited amount of time with it to do that connectivity, and analyze. It really is that integration and some of the customization that we've had to do from parsing rules, not only for SQL Server, but also for ingesting NetFlow data from our Gigamons - which is the core of all of the network activity that happens within our environment.

With this or any technologies, that pre-sales process is key. Really asking the intricate questions, try to get them to talk in-depth about the capabilities. Just saying that, "We have integration with this technology or the other," is not sufficient. You really need to have a good understanding of the capabilities that you are looking for, what your systems are capable of, and what you need that integration to be. The last thing that you want is to get in there and say, "Well, it works. But it only works 30% with that." You want it to be 80% at a minimum or better.

• Visibility
• The AI Engine for rule generation

We have two facilities, a combination of all different platforms, Linux, Windows, etc. It's just all across the board.

It's definitely given us a lot of visibility into areas that we probably wouldn't have normal visibility into, such as code execution and things like that. It allows us to really drill down as to what's happening on the servers as they are being used in production, to where we can really get in and figure out what's going on.

It's pretty effective. In some cases we have run into some issues: The way that the rules work, and the alarms trigger. We get a good number of false positives.

I wish that there were more instructional videos on how to do different things and more walk-throughs.

Also, easier generation of AIE rules, or custom ones.

So far it's been really good.

Scalability is very good.

I've used LogRhythm tech support. I would rate it as very good, not excellent. For instance, we were trying to deal with pass the hash, which is a very common exploit and LogRhythm tech support told us they were just going turn that rule off, that we can't use it. We had to keep pushing until we had someone in another department push to an upper level of tech support to finally get it to where it was working.

It's very important for a solution to be a unified, end-to-end platform for us.

It's a really good solution. It's been very stable. At the same time, we have had some issues, some false positives.

And that issue I told you with tech support, there have been some challenges getting it to be where we wanted it to be, for a solution, like LogRhythm, that is supposedly best in the industry. I just thought it was kind of poor that they would take a common exploit that's been in use for years and say we can't get it to work when, obviously, they could get it work. It was kind of lazy.

Still, I would say go with LogRhythm.