LogRhythm SIEM Reviews

It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging at one or two locations, but this is the first time this year that we actually had all the logs go to one spot and be able to have alerts and alarms set up.

We use CrowdStrike as our endpoint, so we are in the process of getting those logs into the SIEM and we haven't got that done yet, but that's going to be a real big win for half our logs are on the endpoints that the employees have. To have that visibility is really important.

Provides visibility into the network. We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients. We have a lot of financial and other customers that care about security with the kind of business that we do. But we're looking at it to do SOC Light, not 24/7, but we want have a visibility into everything that is going on in our network, be able to respond, and do incident response using LogRhythm as our main console.

Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming conventions at each location, different staff, different log sources, and firewalls, which are different at each location.

It is has been a challenge. This has been one of the first applications that we've had. This and a couple others that security teams brought in recently that works across the enterprise. So, we've had a lot of challenges just getting AD or DNS to work, real basic stuff.

Then, also the log sources for the servers, we didn't have a lot of the logging enabled, so we had to kind of go back and then we had to enable a lot of logs using GPOs, working with our IT, and actually doing a lot of the work ourselves, because challenges are resources. There is so much work to do and not enough staff.

I did see a lot of the web console features coming up. I think those dead on, exactly what's needed. A lot of them had to do with better case management and more sorting, going through your alarms, and drilling down in different ways. I think that is really important.

In terms of improvements, I would probably look for more things to go into the web console that is currently on the fat client. I think that is the trend. I think that is what LogRhythm is doing. I find myself going back and forth between the web console and the client console and I probably spend more time in the thick client and it'd be nice to just be in one.

LogRhythm is really on track and they're doing a lot of things very well. In some other areas, particularly with the UI, how things are done administration-wise and a little bit on LogRhythm University, some improvements are needed. There are some challenges with registering for classes and taking them.

I was not completely satisfied. I wasn't really sure what classes to take. I did not feel like I had the direction initially to understand how to deploy LogRhythm. When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up, that it's almost impossible to do it on your own, as an enterprise senior engineer. I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging. I do not think we really could have gotten where we are without Optiv coming out for a week and spending time setting up the appliance and optimizing it the way it should.

There are some improvements that could be made to make it easier to use.

We haven't had any issues. I believe we had an alarm for a service restart, it kind of self-corrected itself. Something I noticed, but other than that, it has been rock solid.

I am not even using a quarter of the resources on the appliance today, and that's good, but we still have some log sources that we are still enabling.

We got our biggest ones in there, except for Mimecast and CrowdStrike, so that will add quite a bit. Hopefully, it won't be an issue for us right away. My impression is that there's all sorts of ways to expand and build out.

We have an all-in-one appliance, but I'm fully aware that you can spread out the functionality, so we'll keep an eye on it. I feel like for our size organization, we're growing fast. We had double-digit revenue growth year-over-year for the last seven years. We are growing really fast, so I anticipate it will be a problem eventually, but not in the foreseeable future.

If they're a super, large enterprise company, they might want to weigh having a LogRhythm infrastructure that is spread out.

I am not completely convinced that LogRhythm scales to the highest, largest size enterprises. I really do like IBM QRadar, I think it is one of the best SIEM solutions. If it was a larger enterprise, I would maybe have them go head-to-head.

We have used technical support. The last issue that I opened was because I didn't have the correct parsing support for our Fortinet firewall at our main locations.

The version of firewall we're on, not very new. It's actually a year and a half going on two years, and it wasn't supported. We opened up a ticket, but it was already a known issue, and they did eventually release the parsing. We're seeing all our logs now.

We get pretty much same day response from them. I've opened up a total of two or three tickets, and each time it was right away. Their support is good.

We did buy the XM appliance, the 5GB, I forget the model number. We just got it, the largest one that they would sell us.

We are not using it completely, but it's a single appliance for the LogRhythm. We have a mixture of Microsoft clients, Linux, and Mac on the PC, the laptop side. We also have a lot of 12U servers, which is a little bit of a challenge getting support.

The other change that we made recently was upgrading to Mimecast. They don't have the integration with LogRhythm yet but it's coming. I just talked to the Mimecast SE a couple times in the last few days, and it's not here yet, but it'll be here soon.

I had a little bit of experience with QRadar and a customized SIEM solution at my last job where we had used an MSSP environment, so really a lot different scenario, and you didn't really get to work with the clients directly upfront and control the log sources. Now, I work an enterprise that is slowly gaining control of everything, and that is a lot better.

We chose LogRhythm because in the Minneapolis area, the security community is pretty close and there are a lot of other customers and associates, like my manager and myself, who know a lot of people using LogRhythm. So, we got a lot of good feedback.

I was involved in the initial deployment and setup.

We had some challenges. The problem that we ran into is that without doing a lot of due diligence was management decided that let's deploy LogRhythm on the cloud on AWS because we're going in that direction for a lot of things, so we had Optiv come out and do the installation and setting it up for us, letting us drive, control the mouse, the keyboard, and so on. We ended up discovering that it would be $100,000 a year to have the virtual appliance in AWS just for the spec requirements and we pulled back on that. It was cheaper just to buy an appliance basically. The cost for one year almost paid for the appliance that we got.

We lost a few days of consulting time. Because of that, we had to delay the project a little bit and start over. Then we realized that once we did start getting all of the agents and logs coming in, we were not seeing all the logs that we needed. Then a lot of the log sources that we really needed weren't there yet because of our infrastructure challenges.

That was a learning experience, knowing what it takes to install a SIEM from scratch:

1. Have your inventory down.
2. Understand your network infrastructure challenges upfront.
3. Having the appliance versus the cloud and really understanding the pros and cons of that.

I know when we spoke to our sales engineer (SE) that there were very few cloud implementations. It is still pretty new. They tried steering us away from it and we didn't listen. We probably should have listened a lot better.

We use Optiv, and I understand its LogRhythm's largest partner for third party support, and we have had good experiences working with Optiv.

LogRhythm is successfully employed in a lot of organizations. We tried using another large SIEM, I won't name it, but we weren't able to even get it deployed. It was just too complex, and this was at CenturyLink.

QRadar, it's really easy to use, but for our size organization, we only have about 270 employees. That is not a whole lot of log sources, so it seemed like LogRhythm fit into that profile a lot better for our needs.

When it comes to the SIEM, LogRhythm was pretty much our go-to. We really wanted to go with LogRhythm and we were hoping that there wasn't any reason not to. Because my manager and myself had some experience with some other SIEMs and knowing what the success rate of those, and then just knowing people who use LogRhythm and who have said good things about it. At that point it turns into, "Is the financial investment going to work out for us?" It turned out that it did. We wanted to go with LogRhythm and we're glad that we're able to make it work out.

Smaller, medium-sized companies, I would actually steer them towards LogRhythm and have them look into it, then I would share my lessons learned.

It is important to have a unified end-to-end platform, but you also do not want to get vendor locked in. Its from a value perspective and a productivity perspective, that is where it is very important.

You do not want to be stuck with one product that then changes course or evolves. You always want to be with the leader in the market that is innovating. You want to be able to maintain that flexibility and be nimble to switch up when needed but having a real good go-to vendor, and LogRhythm seems like they are developing into that.

There are a lot of different firewalls out there. There are a lot of different network devices and different servers. They fit their niches, and it is important from a staffing and training perspective to have fewer products and technologies to support, because it is just hard to find people that are experienced.

You have to balance it out with having the best tools to do your job, because the challenges we face and all the security threats that are out there, you got to take advantage of what's available. If you're using multiple vendors, then so be it, but it is a balance.

Most important criteria when selecting a vendor:

• Interoperability with our partners and the rest of our stack that we have.
• Usability and access to support and documentation are really key.
• Being able to get the value out of your investment in a security product.

There are so many security products out there and so many tools. To be successful, you have to understand how the product works, have the documentation, and training available. That is really key. LogRhythm does a pretty good job.

• Lower personnel requirements
• Improved vendor support services
• Ease of use

Key challenges are lack of personnel to manage LogRhythm. We are a small shop and we don't have a dedicated person to really manage LogRhythm, so our goal is for us to go to a level where we are doing a lot of automation.

• The SmartResponse piece of it.
• It supports most standard log sources.

We were having some challenges initially, especially ingesting those standard log sources. We ran into issues where it was not parsing correctly. That wasn't our expectation, because we considered them standard log sources, but there was some issue with parsing our logs.

As far as adding log sources, it is not as straightforward. At the same time, granting access we have noticed it's not using AD groups. It's more of the organizational unit in AD.

It will definitely help if the parsing side would be much easier, meaning it would be better if we could easily make adjustments on the parser, both on standard and non-standard log sources. The way it works right now, it looks like we have to engage LogRhythm in order for us to make adjustments on the parser.

In a two month period, we had one hardware issue, which might not be LogRhythm-related. It might be on the hardware side. It's fairly new, so we were expecting that to happen, the actually failure on the platform manager (PM) side.

I think it's scalable. So far, we haven't really reached the point where we can say, "Yeah, we can definitely expand the use of it."

They're pretty good. I'm impressed with their support. It has been easy to reach the right person.

We are migrating from a different product (Curator) to this product, and we think LogRhythm is better than the older product that we were using. We were looking for a solution with scalability and ease of management. Also, Curator is more expensive.

I was involved in the initial deployment and setup. I have used another SIEM solution. It's not easy, but it's not also that really complicated to setup.

Look for whatever will give you the most value. That's the main point. It is not one size fits all.

Splunk. Cost is the main reason LogRhythm stood out.

It is important solution be a unified end-to-end platform, especially because we are a small security group. If we can have it in one place, that would be a big plus for us.

Most important criteria when selecting a vendor: support.

The ability to threat-hunt and, being a small staff of five people, we can actually not put a lot of time in administration, the care and feeding of it, and get useful analytics out of it.

We have two facilities, roughly 500 logs per second. Microsoft shop, Cisco stack on the networking side. We run two FortiGate firewalls, and a slew of different security products that we have not integrated into LogRhythm.

We haven't seen the improvements yet. We bought it as a compliance tool, and it's still sitting there. It's part of the reason why came to the LogRhythm User Conference, to figure out what our next steps are. When we had to tackle PCI compliance, one of them was log aggregation, and so that was why we brought it in.

It's met all of our compliance issues, really easy to do. As I said, there's not a lot of admin overhead, so it doesn't cost an FTE for us, which is nice. I think the added benefit is when we start using it for actually doing some analytics and in increasing our security posture, we're just not there yet.

I can't think of any features they should add because we haven't used everything they've already released. They have Office 365 logs integration. They've got this new phishing engine that we haven't used. They've got dashboards we haven't used, so we're basically right at the very bottom, we need to start building with what they're already doing.

In terms of improvement, their community boards, where to go find things, as a customer. As they're growing and they're moving stuff around, and it would be nice if we knew exactly where to find what. They're constantly reinventing how they do things and where they put stuff, that's the one challenge I've run into. I've always found the answer when I got to the right person: "Yeah. That's over here now," but I know other customers have shared that same issue.

Being a small shop, we're in an XM, everything in one appliance, which is really easy for administration, but I think it can get more complex as you get bigger. They've scaled to really large Fortune 500 companies, so that's nothing that we're worried about.

Great, you have almost the service-desk model, where you're going to get a live person. They're going to answer the call. They're going to make sure you get routed to the proper team. They're really good at followup, when "Everybody's busy now," they're really good at scheduling times, when both the technical agent is available and our staff is available, which I really appreciate. You don't have those, "I tried to get a hold of you," going back and forth. Not a lot of vendors understand that. LogRhythm does a good job with that.

It's straightforward, to the point that we brought it. We did a week of engagement with our security value-added reseller, and we were basically shoulder surfing. Everything looked like it made sense and why they were doing it, and it's not that complicated.

Where it can get more complicated, like I said, is if you're a big organization, you didn't have it all on one platform. Those components would have to be put together, and there can be a little bit more to the infrastructure.

The SIEM's a very technical tool, but LogRhythm - that's one of the beauties of it - once you figure out how it's installed, the care and fitting of it, the updating of the SIEM to new versions, and even the monitor agents, it's really pretty straightforward. Good documentation.

ArcSight and Splunk, and that was it.

We went with LogRhythm because of cost, administration, and ease of use when you're in the tool. Those are the top three. The fact that it was the lowest cost one, easiest to use, and easiest to administer. It was a no-brainer for us. It wasn't even really a conversation, other than the fact that we have to shop at the three different vendors.

Right now our focus is on user behavior, and that's part of why we joined the cloud Beta, they are our biggest risk. We don't know what they're going to do when and why, and so we've rolled out some security awareness training, we've rolled out some phishing exercises, and really trying to figure out how we can stop them being their biggest risks. Learning about what we learned today at the conference, with LogRhythm doing their phishing intelligence engine, it's going to be nice to see how we can implement that into the SIEM as well.

Security solution, number one is FTE; being a small shop and how much FTE does it take to run that? If that's a challenge for somebody, so they have co-piloting that you can do. We were able to absorb that in with two different FTEs splitting the duties, and they probably spend 45% of the time doing that. Might be different for a bigger shop, but that's our focus.

The most important criteria when selecting a vendor:

• reputation
• have they delivered on what they say they can do
• are there customers out there that we can talk to, that can validate what they're saying is actually true?

Regarding a solution being a unified end-to-end platform, it's not necessarily so important. Going forward, as we mature, more maybe, but we're really just tacking on the stuff that we go after. It's addressing certain needs, it's a little bit siloed right now, so it's not a huge need for us.

I gave it a nine out of 10 because I hesitate to rate anything a 10, that's perfect. But I think they do a great job, and I think it's more on us to really engage them more. They're always happy to talk to us about where we want to go with it, and it's just us dedicating the time to them.

Talk to people in the industry, make sure it can fit those needs you're buying it for. Proof of concept is huge. Do a proof of concept, especially in a SIEM. You don't want to just buy one and then implement it, and then try to figure out is it going to actually work for me?

Compliance. It's the main focus of the solution, and that is what we've been doing: logging, monitoring, and alerting.

We keep an eye on all the events which actually are configured as an alert. This keeps us on compliant for compliance purposes.

Our key challenge and goal is maintaining a secure infrastructure. We are a power electric company, so we are trying to be as secure as we can.

It is a very good solution. It is very robust. It is very extensive. We're trying to go into the minimum requirements for compliance purposes, but I would like to start implementing more for administration purposes and security.

• More seminars.
• Reporting: A reporting tool would be good for us, especially if we have better knowledge of them.

It is very stable once it is configured. We have not had any downtime.

The scalability is very powerful. Our network is not very big, but we can configure it so we can always be up and running with redundancy. It's a great solution.

It is a great experience all the time working with them. They are very useful, if they don't have the answer, they find the people that have the answer.

On the last upgrade, I was part of the group to implement it. We did have some challenges, because the previous deployment was not configured right, then we did the implementation and it was very straightforward.

Alert Logic, but the laws were going outside of the company, so we want to keep it inside for security purposes.

LogRhythm was the best solution that we could find.

We have LogRhythm in place and it's been working well for us.

It's a great solution but training will be a big key on the implementation. We can troubleshoot it and get the technical support, but it always being very good to have technical training on LogRhythm.

We are about 5000 users. At this point, we only have one XM appliance with an external storage. We're looking for a vendor right now, for a sales engineer to work with us in trying to upgrade it. We're looking to expand it. We're looking at monitoring more our work stations. We have about 1000 servers on it, and about 300 to 500 routers and switches on our system. And of course, we are also a Windows shop, so we have about 4000 to 5000 units on it.

A lot of it is being a single point of log management for the whole company, not only for our compliance, but basically it has become an operational tool for our company, for our day-to-day stuff. And it's more, on my end, for the security solution.

It's a compliance tool for our needs.

Security analytics, cloud security, log management are also definitely valuable. We're looking at all the cloud features at this point, even antivirus is going to cloud. A lot of analytics are going to the cloud. So, we're looking at LogRhythm, what it's going to do at with the AI cloud stuff.

What I would like to see is improvement on the analytics, especially on the cloud and intelligence workspace.

We have one box right now. We're in the process of scaling that, so I can't speak to this.

I've been working a lot with technical support, technical professional services. We just recently did an audit of our system. I'm waiting to get a report from that, so that's one of the things I'm working with.

They're pretty much responsive. The only basic thing is, when support issues are passed on to a first-level support, it takes a while to get to the second-level support to make sure the first-level support answers all our questions. Sometimes it's a challenge to bring it to the second level of support and get the answers that we need.

No. We have always done our homework and we believe that LogRhythm continues to be our solution.

It was pretty straightforward. I was happy with the deployment team. They were onhand and they were explaining a lot of stuff that was happening, so I feel pretty good about the initial deployment.

No.

The driving factor for our company is compliance. And next, for our security team to make sure that there's no occurrence of anything that we don't know about, besides operational issues.

My key challenge is to make sure that LogRhythm stays relevant on our day-to-day stuff, making sure that we can have a quick analysis of what's happening in our network, what's going on, and what our security posture is at a given time. For my needs, I'm looking more for it to bring a more comprehensive picture of our security, for the whole network, since I'm routing all the logs to it.

The most important criteria when selecting a vendor is technical support. At the end of the day, when all is said, price and pricing and so on, you will have to deal with technical support one way or the other.

In terms of a solution being a unified end-to-end platform, it's one of the top 10 SIEM tools on my list right now. A lot of our auditors are saying, "We need to track to a one flat form where we could see a dashboard, where we could see how everything is going on in our network."

Being able to have all our logs all in one place, so we can easily correlate across the environment.

It has definitely matured our security posture. Before we started using it heavily, all our products were compartmentalized within the department that used it. Now that we have a central point, we have been having more integration with different departments.

The challenges are being spread out and using some of the technology that we do use, which are not easily integrated into the SIEM. We have a lot of custom parsers and just trying to get our custom products and applications to integrate into the SIEM, that was our biggest challenge.

As far as building custom parsers, it's very configurable. I've had some experience building parsers with it so far, and the ones that we have built have been working fine. Support has been pretty awesome with helping get those working well.

Adding more integration for security products would be an improvement.

I have not had to scale it out too much yet. The environment was already set up when I came in. As far as the ability to scale out, I know it's there. I haven't had to put it to use though.

I have used their support a lot. It is really good support. I don't think I've opened a case yet that I haven't got a solution on, and it is usually pretty fast It's easy to reach the right person.

We had a previous solution, but I don't know who they were. I don't know why we switched. Compliance was our biggest driving factor to why we purchased LogRhythm.

I would not know. This was done before I came onboard.

It is a really good product with good support.

If someone is reaching the solution, I would advise them to reach out to users and try to visit LogRhythm's online presence to see what they have. The LogRhythm community has been a pretty good resource.

Having a unified end-to-end platform is very important.

Most important criteria when selecting a vendor: support for the product.

• Log correlation
• Aggregation
• Being able to quickly identify threats in our network.

Key challenges, right now, are just having the resources. Whether it be humans in the seats, because, as of know, it's just me. I'm our security program. So the challenges involve just having the time and the resources to stay on top of threats.

The solution is pretty effective towards meeting these challenges. Though we don't utilize it heavily at this point in time, but we're looking to it. I think it will be a big help to us in the future.

There are a lot of pieces of it that are very complex and time consuming. If we can try somehow to just make it more simple, that would be better.

I would like to see more pre-integrated SmartResponses. Right now, I'm on 7.1.10, so I'm not even to the current version. If there were more pre-integrated SmartResponses, that would be really cool.

We are in our infancy stage right now.

It was deployed before I was there.

It's very scalable. Right now, we have the XML appliance cell all-in-one, but I am looking to move the web platform off to another server. Clustering has really been impressive to me with the product.

It is really good. I've had a few interactions with them. The first was really good. The second one, he was good, but I could tell he was new, which isn't a problem. Overall, I've been really satisfied with it.

Really understand what's important to you as far as what are you hoping to gain out of the product, what threats are you looking at, and what are your critical logs sources. Just have a fundamental foundation before you start looking into it.

Having a unified end-to-end platform is really important to me, because I am the only security professional at the college. If I can avoid having systems all over the place, that is only going to be beneficial.

Most important criteria when selecting a vendor:

• It is the problem that they are solving and solving effectively.
• Being able to rely on really good support.

It has benefited the IT team's security functionality.

Our key challenge is HIPAA compliance. Then obviously, protection against malware, and particularly ransomware, is one vital threat to our organization.

As a healthcare company, what we use it for is compliance, then to protect our data from exaltation.

• The greater AI
• API support

Increased total costs of ownership (TCO): We have had to staff up our SOC. This has required analysts, which has required salary and staffing requirements.

In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution.

In addition, I'd like to see more automation coming in. Whilst they have SmartResponse, it does not yet configure with OpenAPI support. That is something that I feel they need to look at in their next edition.

The scalability is very good. One of the reasons that we bought LogRhythm was because of its scalability. We intend to scale up as we increase our company size.

It is mostly good. We are not always able to reach the right person. We have had a couple of problems that were escalated all the way to Level 3, but they have always been solved.

We did not have a previous solution.

As a healthcare organization, we obviously have to have HIPAA compliance. This was the main driver for purchasing the solution.

I was involved in the setup. It was mostly straightforward.

Look at your staffing. Do you have highly technical people on your staff? If you do, then you obviously want to buy the product and look at your scalability options. If you don't have your staff, absolutely look into the co-pilot and factor that into your cost evaluation.

The SIEM tool list we considered from included Splunk and SolarWinds.

For LogRhythm against Splunk, it was their pricing model. For SolarWinds, LogRhythm's reputation and scalability.

It is highly important for our solution to be a unified end-to-end platform.

Most important criteria when selecting a vendor:

• Scalability
• The ability to have support.

LogRhythm has their co-pilot, which is absolutely essential, and whilst we do not use co-pilot in our organization, knowing it is there is certainly absolutely valuable.