it_user756420 - PeerSpot reviewer
Security Advisor at a manufacturing company
Vendor
The UI allows us to hand it off to our SOC and train them

How has it helped my organization?

We have about 170,000 employees worldwide. We have thousands of unique log sources we're ingesting. Right now, it's kind of information overload in what we're trying to create logs off of.

Our key challenges are staffing and, right now, we're just trying to get the best bang for the buck on what we can create for alarms, so that's what we're trying to get out of being at the LogRhythm User conference.

We're about to ingest pretty much all of our log sources and write alarms based off the log sources. That's what we're working towards right now, getting valuable alarms to trigger for our SOC to action.

LogRhythm meets our problem statement, as a solution.

What is most valuable?

The UI. We can give it down to our SOC and we can train them.

What needs improvement?

The CloudAI obviously, that's going to be big for us. Hopefully that matures. I saw the problem statement video they did today at this conference, which is great. But I haven't seen anything tangible out of that yet, so looking forward to that.

I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI. Some of the things don't make sense. I think they need to better understand how a SOC would use that platform.

I don't think they understand that every morning we do a case review and we need a quick dashboard to go review open cases for our SOC. And that's not built into the dashboard, so we have to create that. There are some use cases that I think they should sit down a little bit more with the customer and understand how we use it.

What do I think about the stability of the solution?

It's pretty stable.

Buyer's Guide
LogRhythm SIEM
May 2024
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
770,765 professionals have used our research since 2012.

What do I think about the scalability of the solution?

It was scaled inappropriately when we got it, so we had to buy a bunch of hardware after that. But, it's working now.

How are customer service and support?

I don't use it. My cohort, who is more of the SIEM admin, he uses it quite a bit. I think he's happy with it, as far as I know.

Which solution did I use previously and why did I switch?

We used Q1 QRadar. After IBM bought it, it kind of died on the vine. They quit supporting it, so that was the main driver for getting off of that and going to LogRhythm.

How was the initial setup?

Pretty straightforward.

Which other solutions did I evaluate?

We did an RFP for all the major vendors, ArcSight, all the big ones. LogRhythm came out as the best SIEM tool.

What other advice do I have?

When selecting a vendor, for us, the platform has to be a unified, end-to-end solution. We've got so many unique platforms around our business that it has to be.

All SIEMs suck, but LogRhythm is the best.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user756411 - PeerSpot reviewer
Security Analyst at a financial services firm
Vendor
Makes log information available on demand for investigation but generates a lot of alarms we have to overlook

What is most valuable?

The most valuable part of the solution is being able to view all of the logs whenever you want. Any time an issue comes in or something that needs to be researched, I have the logs there. I can go in, run an investigation. It's pretty much at my hands. Information is available on demand. I feel like I'm in control of it, which gives me a warm, fuzzy feeling.

How has it helped my organization?

Pros and cons, I would say. We are short staffed, like the majority of the people here at the LogRhythm World conference. We have a lot of alarms that get overlooked; there's not a lot of prominence to them. So our SLAs are overextended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.

Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.

What needs improvement?

If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.

What was my experience with deployment of the solution?

One thing that surprised me was how many logs were being generated by our environment and how many logs are just a waste of time, looking at them. They're just there. It's just logging information, and we were able to reduce.

Deployment, I believe, took about two weeks, and going from, let's say, 100 logs, we were able to reduce to about half of those logs in terms of what we're reviewing.

What do I think about the stability of the solution?

Stability is perfect. We have had no issues whatsoever with the servers, or with the Web Console or anything else.

What do I think about the scalability of the solution?

The scalability is awesome. Initially, when we first purchased LogRhythm, we purchased only about 20 lite agents. Then we realized, as we were looking for additional log sources, we needed more. Pretty much within a day, we were able to purchase additional licenses and get them rolled out to our organization.

How are customer service and technical support?

Tech support is amazing. They always follow up with a document on how to do something and if you still need further assistance, they're willing to get on the phone with you, without any doubt.

Which solution did I use previously and why did I switch?

We were using a different vendor and we decided to go against it. We wanted to bring this in-house. We were using Dell SecureWorks, and we were just not satisfied with their ability to give us reporting and information in a timely manner.

How was the initial setup?

It was a little complex. I did not have training prior to it, so it was more of a hands-on learning, which I appreciate. I prefer to do hands-on. It's easier for me to learn that way. It was complex but at the same time it was educational. It had benefits.

What other advice do I have?

Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.

It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.

I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy with LogRhythm.

I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what they're getting in their environment and what other vendors might be missing.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user756393 - PeerSpot reviewer
Junior Information Security Analyst at a financial services firm with 51-200 employees
Vendor
All logs in one place; we can quickly determine if there is a threat actor, from internal to external​

What is most valuable?

The fact that I can quickly determine if there is a threat actor from internal to external. That's our primary goal. We have a lot of traders and a lot of developers, internal, so that's generally where our presence is. We don't have a whole lot of online presence. We're not so much worried about external actors.

Being able to determine what a user is doing is really helpful for us.

How has it helped my organization?

We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.

Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.

Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights; we were going by the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.

We've been able to identify certain individuals and not have issues past that.

What needs improvement?

There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that.

What do I think about the stability of the solution?

Stability is not great but I think that's our issue. Qualys seems to blow it up all the time, but that's more on us to stop Qualys from scanning LogRhythm.

What do I think about the scalability of the solution?

Scalability is pretty good. We rolled it out at our primary company and then rolled it out past, to our sister company, which went really, really well.

How is customer service and technical support?

It's awesome.

What other advice do I have?

It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.

I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.

One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."

Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user756363 - PeerSpot reviewer
IT Analyst at an energy/utilities company with 501-1,000 employees
Vendor
Visibility into all log sources in one place, and alerting are key advantages; helped us find misconfigurations

What is most valuable?

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

How has it helped my organization?

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimeter attacks. We've found operational problems, misconfigurations, things like that.

What needs improvement?

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

What do I think about the scalability of the solution?

It's good. We have an all-in-one, an XM unit, because we're a smaller shop. It's been great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

How are customer service and technical support?

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company; I'd rank LogRhythm higher than those guys.

Which solution did I use previously and why did I switch?

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

How was the initial setup?

I'd say straightforward. We did have PS as well, so it was very helpful.

Which other solutions did I evaluate?

QRadar and Splunk. And, for whatever reason - it is not really a true SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

What other advice do I have?

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor is interoperability, the ability to pull logs, and the ease of customizing log parsing. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before; they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it from 10,000 feet, I would say LogRhythm and it are probably much easier to manage, much easier to use.

LogRhythm has been really a good partner. They've reached out, they're always wanting information: "How can we improve? How can we do this or that?" Our SE and sales guy are really great. They keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user756339 - PeerSpot reviewer
Information Security Analyst at a legal firm
Vendor
Produces visibility into all of our data at once, allows me to see everything in one place

What is most valuable?

The visibility that it gives us into all of our data at once.

How has it helped my organization?

It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.

What needs improvement?

A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful.

It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program.

What do I think about the scalability of the solution?

It scales enough for us. We haven't had any issues, no complaints about it.

How is customer service and technical support?

I've used their training. I have not used their tech support. Again, we have an administrator, he's been there. He probably knows more about this than I do.

What other advice do I have?

In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.

I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.

I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user290340 - PeerSpot reviewer
Vice President at a financial services firm with 1,001-5,000 employees
Vendor
We're able to create customized monitoring reports that extract info from event logs.

Valuable Features:

  • Reporting - we need to do a lot of security monitoring
  • It doesn't have a lot of forensics, but we appreciate fact that it has the capability
  • The ability to collect a lot of information, as we have 200 users and a lot of log sources

Improvements to My Organization:

The fact that we're able to create customized monitoring reports that extract info from event logs helps us a lot. We used to have ad hoc reports created by the IT department, which meant they could manipulate the content if they ever wanted to tamper with the output. Now, there's no risk for us to worry about.

Room for Improvement:

Lots of concern these days regarding vulnerability, and being able to interface with other types of applications when creating event logs. We have lots of other applications to monitor. LogRhythm can extract that info, but some require converting before LogRhythm. Windows logs don't need converting, but SQL and XML do require conversion and monitoring.

Other Advice:

You should consult with LogRhythm experts because there are lots of features and customizations, and you need to figure out what's needed for your specific environment, for example, regulatory compliance issues. They do a great job of making clear what's needed.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems Administrators at a tech services company with 201-500 employees
Real User
Very helpful for monitoring and alarming, very stable and scalable, and excellent technical support
Pros and Cons
  • "File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting."
  • "It should have some more message monitoring features. It can also have some free message monitoring tools."

What is our primary use case?

I use LogRhythm for PCI DSS compliance. All of our devices are sending logs to LogRhythm. I have set up Silent Integrity Monitoring, Data Loss Prevention, Registry Integrity Monitoring, and other alarms for detection, and we do investigations.

How has it helped my organization?

I don't have metrics, but it has really improved the monitoring and alarming for us. 

What is most valuable?

File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting.

What needs improvement?

It should have some more message monitoring features. It can also have some free message monitoring tools.

For how long have I used the solution?

I have been using this solution for about two years.

What do I think about the stability of the solution?

It has been very stable. There are no major issues. It has been exactly doing what I expected it to do.

What do I think about the scalability of the solution?

It has been very scalable in terms of adding new systems and stuff like that. It has been quite good.

We have plans to increase the usage of LogRhythm. We have some new solutions and new networks coming up. We might be looking to expand within the next two years to onboard new systems.

How are customer service and technical support?

Technical support has been excellent so far. I never had any issues with technical support. Their support has been excellent.

Which solution did I use previously and why did I switch?

I didn't use any other solution previously.

How was the initial setup?

It was pretty straightforward. The actual deployment of it took about two days, but the implementation strategy took longer. It took a couple of months for meetings and planning with different experts, project managers, and engineers. They looked at our business requirements and other things.

We have two administrators and two analysts. Four of us are managing the system.

What's my experience with pricing, setup cost, and licensing?

It costs a great amount, but its pricing is competitive with some of the other vendors. For licensing and support, we pay about 20,000. There are no additional costs or anything like that. 

Which other solutions did I evaluate?

When I was looking for a solution, I looked at Splunk and LogRhythm. There was one from SolarWinds as well. Cost-wise, LogRhythm was the one that impressed me the most. Splunk was really good as well, but it was a little too costly.

What other advice do I have?

I would definitely recommend this solution for compliance requirements, such as PCI DSS compliance. It does cost a great amount, but its pricing is competitive with some of the other vendors. If it is a necessity to have a SIEM solution, I would definitely recommend LogRhythm.

I would rate LogRhythm NextGen SIEM a nine out of ten. It has been really good. So far, my experience has been seamless. They should keep doing what they're doing.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Senior Engineer - Network & Security at Connex Information Technologies (Pvt) Ltd.
Reseller
Enables us to alternate incident automations but reporting needs improvement
Pros and Cons
  • "The most valuable feature is that we can alternate incident automations."
  • "We need to get better training for things like creating code and playlists. The way it's done now takes a long time."

What is our primary use case?

Our primary use case is for financial companies and telcos.

What is most valuable?

The most valuable feature is that we can alternate incident automations.

What needs improvement?

We need to get better training for things like creating code and playlists. The way it's done now takes a long time. 

For how long have I used the solution?

I have been using LogRhythm NextGen SIEM for two years. 

What do I think about the stability of the solution?

The stability depends on the client we are installing or integrating for, based on the server's requirements. We can create them according to that defined time period. It's not that difficult, but it depends on the customer or the other server requirements.

We can have a dashboard in a single platform, we can get notifications via email or SMS, and we have Smart Response actions. So that kind of possibility is there.

What do I think about the scalability of the solution?

Our clients are mostly on a larger scale. 

How are customer service and technical support?

You can request support and they respond immediately. They're really good. 

How was the initial setup?

The initial setup is easy. It can take two hours. The first day of deployment is easy. Then depending on the devices and log servers, it can take time. We can give them predefined or pre-created devices and logs. The deployment depends on the devices and systems we are integrating. But the initial stage is easy.

What's my experience with pricing, setup cost, and licensing?

Because we are a developing country, the costs depend on country development. We implement it for large-scale companies because normal companies, startup companies, can't afford products at that price. We mainly focus on large-scale companies.

What other advice do I have?

I would definitely recommend this solution if you can afford it. 

We get customized reports and we get reports including all the details, but when we started using them, we couldn't start with the Outlook editor. We can customize a document and we can write a report. The dashboards are very user-friendly and very attractive. But when it comes to the reporting part, I think that could use improvement in the next release.

I would rate it a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Distributor