- The SmartResponse and the alarming
- The ability to write your own rule set
Senior Network Engineer at a transportation company
SmartResponse, alarming, and being able to write our own rule set allow us to delegate alarm monitoring
What is most valuable?
How has it helped my organization?
It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.
What needs improvement?
Sometimes our rules don't fire correctly, events don't get created correctly, but that's mostly just because we have to write custom regex.
Also, moving away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful.
At times it gets a little clunky, or resource-intensive, but it works.
What do I think about the scalability of the solution?
It works pretty well. It's somewhat hard to delete something out of the system. That's probably our only challenge, because we reuse an IP address and then it's difficult.
Buyer's Guide
LogRhythm SIEM
June 2025

Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.
How are customer service and support?
We've used them a few times. They were pretty good.
Which solution did I use previously and why did I switch?
We actually weren't using anything before. It was a conglomerate of a firewall and the Windows logs. But we had an IT architect that was more into security.
How was the initial setup?
It was pretty easy.
What other advice do I have?
Regarding a solution being a unified, end-to-end platform, it helps, but it's not completely necessary.
For what it does, LogRhythm works pretty well.
If I were to advise a colleague who is looking into this solution, I would say train someone, as their full-time job, to use it. It's not an easy product to get around.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

SOC Manager at an energy/utilities company with 10,001+ employees
The event correlation has helped us to mitigate the security threats in our environment
What is most valuable?
The important thing in LogRhythm is the correlation in the AIE rules. It correlates all the logs to give meaningful events.
How has it helped my organization?
It helps us to improve our procedures management by decentralizing log management. We collect all the logs from our security devices, Windows server devices, and all the network devices into one single platform, then we can see all the events that led to the securities.
Our key challenge is how we can convince our top management that we are in a very secure state/environment.
What needs improvement?
The Web Dashboard UI: Maybe it can improve more to indicate some of what Splunk is doing, because I also compare with other SIEM products. Maybe LogRhythm can have some sort of dashboard similar to what Splunk is giving to their customers.
The product is good, but maybe they can further improve what they are doing in the roadmap, such as cloud AI and some of the web dashboard enhancements.
For how long have I used the solution?
Since 2015.
What was my experience with deployment of the solution?
At first, it is quite straightforward, but in terms of the meaningful events, the AIE rules, during the implementation stage, we had difficulties getting the correct AIE rules, but further on it is improving.
What do I think about the stability of the solution?
For overall performance, it is very good. In terms of the correlation to the alarms rules, the AIE rules, I think in those terms of the reporting, maybe it can be further improved upon. The customization of the reporting could give more information that we need.
How is customer service and technical support?
We have been using quite a lot of technical support. Every time we have any issues, we will create a ticket to LogRhythm support. For example, when we have an error in our deployment monitor's usage, they will have us fine-tune or do some maintenance to improve the logs, the logs that we receive.
Which other solutions did I evaluate?
During the proposal, we are looking at three to four different vendors, such as LogRhythm, Splunk, and IBM QRadar, so in terms of alarms and AI intelligence, we see that LogRhythm is giving more accurate and meaningful events compared to the others.
What other advice do I have?
My advice, when they first implement the solution, they should make sure that they know what data source or log sources that they want to give to LogRhythm to do the correlations, because they cannot just simply dump all the log sources to LogRhythm. It will impact performance, so they will need to carefully choose the log sources first. Then, after that, they can move away to the correlation, the engine rules, and so on.
It is important for us to have a unified internal platform.
The most important criteria when selecting a vendor:
The most critical thing for us is in terms of the correlations, because without the correct correlation, or alarms, then there will be no meaningful events. So our priority is to give many people events that we can trigger our teams to do the mitigation and remediation action.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Manager IT Security at Virginia Premier Health
Allows us to be more defensive, have a better security posture, and be more prepared for anything that occurs
How has it helped my organization?
It's allowed us to have more visibility into our network as well as be able to respond more quickly to incidents seen on the network.
What is most valuable?
- Being able to gather logs in one place
- Being able to process them and generate alarms
What needs improvement?
I work in a highly regulated industry. I know the product has compliance mechanisms, but being able to get more governance surrounding some of the compliance. Merging things that we have to be on top of would be helpful.
What do I think about the scalability of the solution?
LogRhythm has been able to show that their products are very scalable. Usually, when you buy things that are out of boxes, you get them, they're old. But the new enhancements and things that LogRhythm continues to integrate allow you to scale up with them as they grow. They scale with you also.
How are customer service and technical support?
I've used tech support. They're very helpful, very knowledgeable people who genuinely care about you and want to see not just their product but you, as a company, be successful.
Which solution did I use previously and why did I switch?
This is our first iteration of SIEM at my organization. At the time, my superior had used Splunk previously, and that was what he was a fan of. But LogRhythm is one of the emerging leaders, price point was very important, and also to be with a company that's on the cutting edge of technology.
How was the initial setup?
I think that anytime you're integrating SIEM monitoring tools into an environment, it is complex, but the LogRhythm Professional Services help make things easier, and I've worked with them every step of the way.
What other advice do I have?
It's very important to our organization that the solution be a unified end-to-end solution.
I don't think any company is perfect, but I know that they're striving, and that's why I give them such a high score.
I understand that whatever you're buying with LogRhythm, it is not going to be static. It's a very dynamic company and a lot of new technologies emerge, so ensuring that you get the proper level of training upfront, as well as continued training for your staff, is important for being able to wrap your hands around what LogRhythm is actually doing and where they're going.
You start to talk about some things like blockchain and quantum, I'm sure that LogRhythm is already researching some of those new computer technologies. I didn't know what to expect back in 2015 when we bought the product, but it's showing to be agile, scalable, and the people are very knowledgeable.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at a financial services firm with 201-500 employees
Dashboards and AI Engine are key features giving us more insight into the traffic patterns we see
How has it helped my organization?
It's given us more insight into the traffic patterns that we see.
What is most valuable?
The dashboards and the AI Engine.
What needs improvement?
Mostly they should just expand on the features that are already there. More pre-built parsers, more pre-built AI rules, more dashboard widgets that we can put to use.
What do I think about the scalability of the solution?
I would say scalability is very good.
How is customer service and technical support?
Mostly very good. We have had some issues that have taken a long time to resolve, various technical issues that have taken longer to resolve than we desire.
What other advice do I have?
The criteria that we look at when selecting a vendor are usually support, and being an end-to-end solution, that is very important too.
I gave it a nine out of 10 overall because we have had some support issues that haven't been resolved quickly enough but, other than that, I've been very happy with the product.
If a colleague was researching this and other popular SIEM tools, I would say for the most part I'm very happy with it. I would advise them to schedule a demo and see if it meets their needs.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at Guitar Center
Enables us to feed in logs from other solutions and build dashboards to show us what we need to see
What is most valuable?
AI Engine
How has it helped my organization?
It's got intelligence. Does a lot of the heavy lifting, you can create custom AI rules. I'm looking forward to this CloudAI.
It definitely complements all of the other solutions we have. We can feed all the logs into our system, build dashboards that the products themselves cannot provide. For example, we have web filtering, their dashboards aren't so great for that product. But when we feed it into LogRhythm, we can build dashboards that really show us what we need to see.
What do I think about the scalability of the solution?
Pretty scalable. We were on an HA setup. Got about 2000 messages per second. It's pretty scalable.
How are customer service and technical support?
They're top-notch. Every time I call, there's somebody willing to pick up the phone, somebody willing to jump on a WebEx, so I have nothing but good things to say about LogRhythm. Compared to every other product we have, LogRhythm support is the best. Without a doubt.
Which solution did I use previously and why did I switch?
I've used Symantec SIM, which wasn't so great. This is a real breath refresher, because it's more scalable, and I feel it's a better product overall.
What other advice do I have?
The most important factor, for me, when selecting a solution is that it needs to be lightweight.
Advice I would give to a colleague at another company who is researching this sort of solution: Talk to me first.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Administrator Executive at an individual & family service with 10,001+ employees
I have done a lot of good work with the account reps and engineers. It feels like we are on the same team.
Pros and Cons
- "It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast."
- "I would really love to be able to take some of the data and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph."
How has it helped my organization?
We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.
LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to login with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.
Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.
It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.
We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.
What is most valuable?
It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events and logging, alerting, in one spot. I come in and can see exactly what is happening.
What needs improvement?
The biggest thing is when you are looking at the client console: a lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful.
It is a little hard to get integrated.
The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two that work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.
What do I think about the stability of the solution?
Stability has been great.
How is customer service and technical support?
Customer Service:
I have done a lot of good work with the account reps and engineers. It really feels like we are on the same team.
Technical Support:
Technical support has been pretty good. It has been a challenge, because we are not connected to the Internet, and when they want to get our logs, we are like, "Well, it is going to be a few days before any of it gets to you." That's our biggest challenge, but they have tried to work with us.
Overall, they have been good. They have been pretty helpful.
How was the initial setup?
I was not involved in the initial setup.
What's my experience with pricing, setup cost, and licensing?
I would recommend talking to the rep. That's the biggest thing because they will know what questions to ask.
What other advice do I have?
It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.
Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."
Most important criteria when selecting a vendor:
- Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
- Very flexible.
- Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
- Scalability: It looks like it is wonderfully scalable.
- Integration: I have been interested with what I have seen with the Carbon Black and the endpoint stuff.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
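As an added illustration (not the reviewer's words and not LogRhythm's own code) of the behavioral checks this review describes, the following Python script runs three simple detections over constructed logon records: use of a deactivated privileged account, activity at an unusual hour, and a username that does not match the organization's naming convention. Lines the parser cannot match are reported rather than silently dropped, since a parsing regex that fails is the usual reason an expected event never gets created. The log format, the inactive-account list, the first.last naming convention and the business hours are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample records in an assumed "key=value" syslog-like format.
# These are not LogRhythm logs; the format, hosts and users are made up.
SAMPLE_LOGS = [
    "2025-06-02 03:14:07 host=dns01 event=LOGON user=svc_backup_admin result=FAILURE",
    "2025-06-02 09:12:44 host=ws117 event=LOGON user=jane.doe result=SUCCESS",
    "2025-06-02 23:48:10 host=build07 event=LOGON user=john.smith result=SUCCESS",
    "2025-06-02 10:05:01 host=ws204 event=LOGON user=ADM-7731 result=SUCCESS",
    # A line in a different format: it will not match the parser below.
    "Jun  2 10:06:33 ws204 sshd[412]: Accepted publickey for jane.doe",
]

# Parsing regex for the assumed format. A record that does not match is
# returned as unparsed so that a broken regex is visible, not silent.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) event=(?P<event>\w+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Assumed context: accounts that were deactivated but still exist in the
# directory, the organization's username convention (first.last), and
# the hours this environment considers normal for interactive logons.
INACTIVE_ACCOUNTS = {"svc_backup_admin"}
USERNAME_RE = re.compile(r"^[a-z]+\.[a-z]+$")
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


def parse(line):
    """Return a dict of fields for a line in the assumed format, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def evaluate(rec):
    """Return the list of detection names that fire for one parsed record."""
    reasons = []
    if rec["event"] != "LOGON":
        return reasons
    # Any use of a deactivated account, successful or not, is worth an alarm.
    if rec["user"] in INACTIVE_ACCOUNTS:
        reasons.append("inactive_account")
    # Behavioral check: a logon outside the hours considered normal here.
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    # Naming-convention check: a username that does not look like first.last.
    if not USERNAME_RE.match(rec["user"]):
        reasons.append("username_format")
    return reasons


def run(lines):
    """Run the detections over raw lines; return (alerts, unparsed_lines)."""
    alerts, unparsed = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)
            continue
        reasons = evaluate(rec)
        if reasons:
            alerts.append((rec["user"], rec["host"], reasons))
    return alerts, unparsed


if __name__ == "__main__":
    found, missed = run(SAMPLE_LOGS)
    for user, host, reasons in found:
        print(f"ALERT user={user} host={host} reasons={','.join(reasons)}")
    print(f"{len(missed)} line(s) did not match the parser and created no event")
```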
Senior Security Engineer at a healthcare company with 10,001+ employees
AI Engine, alarm rules correlation, and drill-down are key; we're able to find more with less effort
What is most valuable?
- AI Engine
- Alarm rules correlation
- Web interface
- The amount of information it has throughout the web interface
- The drill-down
How has it helped my organization?
We've been able to go ahead and find more with less effort, just on the web interface itself.
What needs improvement?
Functionality, ease of use.
There are a few "gotchas" in the applications. One of the issues that we're having right now is on the AI Engine, when you do the drill-down. There are no events that are being populated for the drill-down. The recent upgrade and release fixed some of that.
And some of the other parsing rules. Parsing isn't done correctly.
For how long have I used the solution?
We've only been a customer for maybe about five months.
What do I think about the scalability of the solution?
It seems to be fairly scalable.
How are customer service and technical support?
We have used LogRhythm technical support. The response is really good.
Which solution did I use previously and why did I switch?
We were using McAfee Nitro. The administration of the application was very cumbersome, and trying to get reports, customizing the analytics on there, is a bit difficult. We looked at LogRhythm, and LogRhythm seemed to have a lot of the stuff built in, canned already.
How was the initial setup?
It was pretty straightforward. There were some things that were a little bit complex after the setup, and trying to troubleshoot some things. For example, log indexer was indexing most things, but not everything. It got backed up, so we had to go in and troubleshoot some of the processes.
What other advice do I have?
It was pretty significant for our solution to be a unified end-to-end platform because we did have a wide range of systems out there; trying to make sure that it was able to bring in the sources and correlate the events.
The only thing that surprised me was the logs filling up for some of the indexing jobs. Other than that, there was nothing that support wasn't able to go ahead and help us with and get resolved.
My advice to a colleague at another company who is researching a similar solution would be: Make sure you do your research. Understand what it is you're looking for in a SIEM. Have a plan of attack on what it is that you're looking for, and what do you want to get out of the tool.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SYM Engineer Specialist at FIS
Provides huge visibility into your network, you see everything and you see it easily
What is most valuable?
Visibility. Being able to see the system, see what's coming in, and being able to report on the logs coming in. Seeing what other people are doing and being able to track down quickly what is going on in your network.
How has it helped my organization?
We're a worldwide company with 50,000 employees, in probably 15 locations, three SOCs and four or five data centers.
It's made it quicker for us to see threats. It's an easier platform to work with. It's more user-friendly, GUI-based.
What needs improvement?
Easier creation of rules and parsing, and more user-friendly. A more user-friendly basis of using the tool to create rules and alarms to be able to report off of, and quickly stop any attacks and the like.
Also, more in-depth training on how the security platform works with other pieces of software like SQL, firewalls, or PowerShell.
What do I think about the scalability of the solution?
A ten again. It's very easy to scale.
How are customer service and technical support?
Great. They respond quickly and are very knowledgeable and they also allow us to be hands-on. Instead of them doing it for us, they actually teach us how to do it. So better knowledge transfer.
Which solution did I use previously and why did I switch?
We were using RSA Security Analytics and, before that, we were using RSA enVision. The challenges behind them were that they were very clunky, not very user-friendly, and you had to know coding, and you had to know command-line interfaces to even use them. Even on their GUI side. With LogRhythm we don't have to.
How was the initial setup?
It was straightforward and, like I said, a lot of good knowledge transfer on what to do and how to proceed.
Which other solutions did I evaluate?
IBM QRadar and RSA Security Analytics, but LogRhythm stood out because of their scalability and their interface and their user friendliness. Being able to easily navigate through the system.
What other advice do I have?
It is very important that our solution be a unified end-to-end platform. Very important. We wanted a one-stop shop with LogRhythm. We didn't want to use anything else to record our logs and stop threats.
I would give LogRhythm a 10 out of 10 just purely on the fact they are very helpful, very knowledgeable. The software is very easy to use. Easy to learn. I came into security with no knowledge of security or how to do anything, and within a year I'm an administrator of the software. So it's pretty good.
I would say go with it. Hands down, one of the best security platforms I've seen. Easy to use, easy to scale, huge visibility into your network. You just see everything and you see it easily. You don't have to go search for things.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.