Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.
It has been the easiest SIEM platform that I have worked with or seen in production.
It is an easy, centralized view of our environment.
Our key challenges and goals are maturing our security operations and security event management process.
We have implemented it as a necessary feature, but we need to be able to mature that.
I was just involved in the decision-making process. However, I know that the deployment was straightforward.
It seems to be highly scalable and easy to scale.
I have not used LogRhythm technical support.
I was just involved in the decision-making process. However, I know that the setup was straightforward.
It is extremely important for our solution to be a unified internal platform.
I would recommend looking into it.
The recognition of many device types, log message formats, and the most common device types out there. Then, the ability to quickly display data, and do the classification on it. That is the big value.
I have used it a lot. I have used it against other SIEMs. I have used it in conjunction with other SIEMs, and it is the easiest to use and makes the most sense to me.
Key challenges and goals are retaining talent. Guys tend to do really well in this field, and oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.
I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set.
I was not involved in this particular deployment, but have deployed about 25 LogRhythm deployments previously.
It is straightforward. Not too bad.
It scales well. It can go from 1,000 messages per second to 50,000 messages per second fairly easily.
I have used a lot of tech support, and I think it's the best out of the other SIEMs that I have worked with: McAfee ESM and IBM QRadar. LogRhythm definitely has the best support.
Go ahead and do the evaluation with their other competitors out there. Understand each SIEM's capabilities by sitting down with them. I think you will find that LogRhythm will win out.
A unified end-to-end platform is extremely important, because as we move to this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, and LogRhythm is definitely one of the platforms that does that.
Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.
The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous. It improves the security posture, because you can then know when things are happening that are bad.
Before the LogRhythm solution, if someone was trying to login to a server with a local admin account, I would have no way of knowing that. Nothing would log it, audit it, and it would never show up. Now, I get an AIE alarm every time that happens, because it is considered a pass the hash attack.
If we know when these things are going on in our environments, we can identify rogue admins doing things that they should not be doing, and the questions can be asked, "Why are you using this process? What's failing you that you have to go around the normal procedure to do this?"
Another big one we found was just the ridiculous amount of PSExec running around the environment by non-admins to touch other things, which we have tried to curb. Then, we were able to ingest some custom log sources that have helped us become more proactive in alarming. Some of the stuff that we are using does not do good alerting, or it does not do role-based alerting. So I do not need an IT admin in Georgia to know about a potential issue in China. He does not care.
I need that alarm to go to China, and not to Georgia, but some of our solutions will only send their alarms to one source. So, you either send it to the entire IT organization, every time it happens, or you do not send them at all. It has helped us pare down the noise to our site-level admins, and give them more actionable intelligence quicker.
We are a global company. We have 37 locations. China is one big country in Asia. We are in Australia, North and South America, and in Europe, with about 5,000 full-time employees. For the technology stack, we are running a single LogRhythm LR 6403 with a 2500 NPS license, which we are currently hitting the lid on every day, and running a combination of Trend Micro and Malwarebytes for endpoint, and Cisco Firesight for IPS. We are a Cisco shop, 100% on the network, and we are a VMware shop, 100% for the servers.
Right now, my biggest challenge is distilling the technical data that I am getting out of the LogRhythm appliance, in my reports, and translating that into business value statements to the business units to justify that I need more NPS or I need a bump to NPS, or I need another VX, which is a lot of money to spend. Now, instead of making the fear argument of "Oh my god, the world's on fire," it is more of, "Here is this device, here is how this solution partners with the business to enable them to make better decisions about risk." Also, they can feel safer in making somewhat more risky decisions, because they know that this solution is behind the scenes, watching, keeping an eye on things, and our team will tell them if something is going wrong.
The ability for me to go into the Web UI, and just learn what's going on in my environment. Being able to go in and show our company's management, "Look, this is what we can see. This is what we can now know about our environment."
Then, using the past several months to baseline what's normal, it has been invaluable, and we have also been able to stop things that were bad, at the same time. We were able to actually show value, while we were still building out the solution.
My biggest challenge always comes back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm. I keep pressing through, and I know they are working hard on it, but that is our biggest challenge.
It has been incredibly stable. I had one minor hardware problem, where it did not reboot at all. It just sat there, but it was just a minor hardware thing, other than that, the software itself has been incredibly stable.
It is near infinite. We are running a single appliance, but I can, even with my current license, break the Web UI off and put it on a VM if I need to, just to relieve some of the pressure. If I need to bring in another appliance, I can bring in another VX, and cluster those, or I can move AIE off onto another machine, it goes vertical and it goes east-west.
Customer Service:
I can't say enough about LogRhythm's tech teams, the staff, the SEs, and even my CRM. They have all been fantastic.
Technical Support:
We are on a first name basis with most of the technical support.
My company did not get me professional services, so I deployed LogRhythm by myself, with no knowledge. So I probably opened 50 tickets in the first three or four months.
They are amazing. They have an incredible depth of knowledge, even the Level 1 person that answers the phone, and their Level 3 support has been invaluable.
LogRhythm is the first SIEM that my company has ever owned. They never owned one before, and it took a lot of convincing to get them to buy it in the first place.
Definitely do a PoC.
What is it that the business finds important, and how can this appliance/device enable the business to know more about the solution, and to protect that solution from anything.
Because if you start with what we like in the tech industry and what we want to do, you are going to be talking about red team exercises and hacking attempts, and those are all good things to have, but they just do not translate on that initial ask for $100,000s.
You really need to target the business, find out what is important to them, then focus that stuff in, and try to answer their questions with the PoC. Then, they will sign any check you hand them.
We were actually dead set on using Splunk. I came from a Splunk shop at my previous job, and I am a big fan, but I had never seen the Web UI before. So, it is a combination of a few things: The web UI, price pressure from the business, and dedicated hardware, which made LogRhythm the overriding choice for us.
I have seen the features that are coming in 7.3, and they look incredible.
It has far exceeded what I thought it was going to do for me in my job role. With the Web UI, over like a Splunk solution, it has actually become a tool that is used outside of security. I do not have to have people who have Lucene SQL Query Syntax memorized in order to get a value out of the system. They can jump in, log in as themselves, point and click, build themselves a query, and everything's great, then they love it.
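The two detections the reviewer above describes (a local, non-domain account logging on to a server, and PsExec launched by someone outside the admin group), the per-site routing of alarms he wanted instead of blasting the whole IT organization, and the "alarm sitting untouched for 15 minutes" threshold an earlier reviewer asked for, sketched as plain Python over constructed sample events. This is an added example written for this page; it is not LogRhythm code and does not use AIE rule syntax. The event records are modelled loosely on Windows Security event 4624 (logon) and System event 7045 (service installed); the field names, domain, host names and mailboxes are all assumptions.

```python
"""Added example, not LogRhythm's code: two detections plus site routing.

Records are constructed sample data modelled loosely on Windows Security
event 4624 (logon) and System event 7045 (service installed). Domain, host
names, mailboxes and the allow-list are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DOMAIN = "CORP"                                  # assumed AD domain
APPROVED_ADMINS = {"CORP\\jdoe"}                 # assumed PsExec allow-list
SITE_OF_HOST = {"srv-atl-01": "georgia",         # assumed host -> site map
                "srv-shz-02": "china"}
ROUTE = {"georgia": "it-atl@example.invalid",    # assumed site -> team
         "china": "it-shz@example.invalid"}
FALLBACK_ROUTE = "soc@example.invalid"           # unknown host -> central SOC
REMOTE_LOGON_TYPES = {3, 10}                     # network, RemoteInteractive


@dataclass(frozen=True)
class Alarm:
    rule: str
    host: str
    account: str
    route_to: str


def is_local_account(account: str) -> bool:
    """'HOST\\user' or a bare 'user' is local; 'CORP\\user' is a domain account."""
    domain = account.split("\\", 1)[0] if "\\" in account else ""
    return domain.upper() != DOMAIN


def route_for(host: str) -> str:
    """Send the alarm to the team for the host's site, not the whole IT org."""
    return ROUTE.get(SITE_OF_HOST.get(host, ""), FALLBACK_ROUTE)


def evaluate(events):
    """Run both rules over a list of event dicts and return the alarms raised."""
    alarms = []
    for ev in events:
        host, account = ev["host"], ev["account"]
        # Rule 1: a local account used for a remote logon to a server.
        if (ev["event_id"] == 4624
                and ev.get("logon_type") in REMOTE_LOGON_TYPES
                and is_local_account(account)):
            alarms.append(Alarm("local_account_remote_logon", host, account,
                                route_for(host)))
        # Rule 2: PsExec service installed by an account not on the allow-list.
        elif (ev["event_id"] == 7045
                and ev.get("service_name", "").upper().startswith("PSEXESVC")
                and account not in APPROVED_ADMINS):
            alarms.append(Alarm("psexec_by_non_admin", host, account,
                                route_for(host)))
    return alarms


def overdue(open_alarms, now, sla_minutes=15):
    """Alarms still in 'new' state for longer than the threshold (nobody took them)."""
    limit = timedelta(minutes=sla_minutes)
    return [a for a, opened, status in open_alarms
            if status == "new" and now - opened > limit]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"event_id": 4624, "host": "srv-atl-01", "account": "CORP\\jdoe",
     "logon_type": 3},                                        # domain admin: fine
    {"event_id": 4624, "host": "srv-shz-02",
     "account": "SRV-SHZ-02\\Administrator", "logon_type": 3},  # local account
    {"event_id": 4624, "host": "srv-shz-02",
     "account": "SRV-SHZ-02\\svc_backup", "logon_type": 5},     # service logon: skip
    {"event_id": 7045, "host": "srv-atl-01", "account": "CORP\\bsmith",
     "service_name": "PSEXESVC"},                             # PsExec, not approved
    {"event_id": 7045, "host": "srv-atl-01", "account": "CORP\\jdoe",
     "service_name": "PSEXESVC"},                             # PsExec by admin: fine
]


def demo():
    """Two alarms from the sample events; only the older one breaches the 15-minute SLA."""
    alarms = evaluate(SAMPLE_EVENTS)
    t0 = datetime(2024, 1, 1, 9, 0)
    aged = overdue([(alarms[0], t0, "new"),
                    (alarms[1], t0 + timedelta(minutes=10), "new")],
                   now=t0 + timedelta(minutes=20))
    return alarms, aged


if __name__ == "__main__":
    for a in demo()[0]:
        print(f"{a.rule:28} {a.host:11} {a.account:26} -> {a.route_to}")
```

The point of `route_for` is the one the reviewer makes: the alarm for a Shenzhen server goes to the Shenzhen team and nobody in Atlanta sees it, with a central SOC mailbox only as the fallback for hosts nobody has mapped. Logon type 5 (service) is deliberately excluded from rule 1 so scheduled services running as local accounts do not page anyone.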
The visibility that it gives us into all of our data at once.
It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.
A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful.
It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program.
It scales enough for us. We haven't had any issues, no complaints about it.
I've used their training. I have not used their tech support. Again, we have an administrator, he's been there. He probably knows more about this than I do.
In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.
I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.
I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.
It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.
Sometimes our rules don't fire correctly, events don't get created correctly, but that's mostly just because we have to write custom regex.
Also, moving away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful.
At times it gets a little clunky, or resource-intensive, but it works.
It works pretty well. It's somewhat hard to delete something out of the system. That's probably our only challenge, because we reuse an IP address and then it's difficult.
We've used them a few times. They were pretty good.
We actually weren't using anything before. It was a conglomerate of a firewall and the Windows logs. But we had an IT architect that was more into security.
It was pretty easy.
Regarding a solution being a unified, end-to-end platform, it helps, but it's not completely necessary.
For what it does, LogRhythm works pretty well.
If I were to advise a colleague who is looking into this solution, I would say train someone, as their full-time job, to use it. It's not an easy product to get around.
The important thing in LogRhythm is the correlation in the AIE rules. It correlates all the logs to give meaningful events.
It helps us to improve our procedures management by decentralizing log management. We collect all the logs from our security devices, Windows server devices, and all the network devices into one single platform, then we can see all the events that led to the securities.
Our key challenge is how we can convince our top management that we are in a very secure state/environment.
The Web Dashboard UI: Maybe it can improve more to indicate some of what Splunk is doing, because I also compare with other SIEM products. Maybe LogRhythm can have some sort of dashboard similar to what Splunk is giving to their customers.
The product is good, but maybe they can further improve what they are doing in the roadmap, such as cloud AI and some of the web dashboard enhancements.
Since 2015.
At first, it is quite straightforward, but in terms of the meaningful events, the AIE rules, during the implementation stage we had difficulties getting the correct AIE rules, but further on it is improving.
For overall performance, it is very good. In terms of the correlation to the alarm rules, the AIE rules, I think the reporting could be further improved upon. The customization of the reporting could give more of the information that we need.
We have been using quite a lot of technical support. Every time we have any issues, we will create a ticket with LogRhythm support. For example, when we have an error in our deployment monitor's usage, they will have us fine-tune or do some maintenance to improve the logs that we receive.
During the proposal, we were looking at three to four different vendors, such as LogRhythm, Splunk, and IBM QRadar, so in terms of alarms and AI intelligence, we saw that LogRhythm was giving more accurate and meaningful events compared to the others.
My advice, when they first implement the solution, is that they should make sure that they know what data sources or log sources they want to give to LogRhythm to do the correlations, because they cannot just simply dump all the log sources into LogRhythm. It will impact performance, so they will need to carefully choose the log sources first. Then, after that, they can move on to the correlation, the engine rules, and so on.
It is important for us to have a unified internal platform.
The most important criteria when selecting a vendor:
The most critical thing for us is in terms of the correlations, because without the correct correlation, or alarms, there will be no meaningful events. So our priority is to get meaningful events that can trigger our teams to do the mitigation and remediation action.
It's allowed us to have more visibility into our network as well as be able to respond more quickly to incidents seen on the network.
I work in a highly regulated industry. I know the product has compliance mechanisms, but being able to get more governance surrounding some of the compliance, merging things that we have to be on top of, would be helpful.
LogRhythm has been able to show that their products are very scalable. Usually, when you buy things that are out of the box, by the time you get them, they're old. But the new enhancements and things that LogRhythm continues to integrate allow you to scale up with them as they grow. They scale with you also.
I've used tech support. They're very helpful, very knowledgeable people who genuinely care about you and want to see not just their product but you, as a company, be successful.
This is our first iteration of SIEM at my organization. At the time, my superior had used Splunk previously, and that was what he was a fan of. But LogRhythm is one of the emerging leaders, price point was very important, and also to be with a company that's on the cutting edge of technology.
I think that anytime you're integrating SIEM monitoring tools into an environment, it is complex, but the LogRhythm Professional Services help make things easier, and I've worked with them every step of the way.
It's very important to our organization that the solution be a unified end-to-end solution.
I don't think any company is perfect, but I know that they're striving, and that's why I give them such a high score.
I understand that whatever you're buying with LogRhythm, it is not going to be static. It's a very dynamic company and a lot of new technologies emerge, so ensuring that you get the proper level of training upfront, as well as continued training for your staff, is important for being able to wrap your hands around what LogRhythm is actually doing and where they're going.
You start to talk about some things like blockchain and quantum, I'm sure that LogRhythm is already researching some of those new computer technologies. I didn't know what to expect back in 2015 when we bought the product, but it's showing to be agile, scalable, and the people are very knowledgeable.
It's given us more insight into the traffic patterns that we see.
The dashboards and the AI Engine.
Mostly they should just expand on the features that are already there. More pre-built parsers, more pre-built AI rules, more dashboard widgets that we can put to use.
I would say scalability is very good.
Mostly very good. We have had some issues that have taken a long time to resolve, various technical issues that have taken longer to resolve than we desire.
The criteria that we look at when selecting a vendor are usually support, and being an end-to-end solution, which is very important too.
I gave it a nine out of 10 overall because we have had some support issues that haven't been resolved quickly enough but, other than that, I've been very happy with the product.
If a colleague was researching this and other popular SIEM tools, I would say for the most part I'm very happy with it. I would advise them to schedule a demo and see if it meets their needs.
