it_user756312 - PeerSpot reviewer
Systems Architect at a university with 10,001+ employees
Vendor
Parsing and its integrated nature are valuable, but it needs complete horizontal scalability and better analytics

What is most valuable?

  • The integratedness
  • The parsing
  • Their partnerships with various device manufacturers

They keep it up to date; you don't have to worry about that when their products change.

I think as an aggregator it works very well, and as a case management tool it works very well. I think it works reasonably well for parsing. I think there's always room for improvement there; I'm thinking any solution that I've seen, it's just a difficult problem to solve.

How has it helped my organization?

We're an MSSP, we have about 10 or so different customers that all host with us. Currently we're licensed for 15,000 MPS, average, and we use about 8,000 MPS average, consistently, and we're growing.

Among our key challenges is getting everybody on the same page about the value of security, and why it's worthwhile to pay for security solutions, and the people to staff them.

LogRhythm has absolutely helped improve the security of our organization. We're able to respond to potential threats in a unified system, where that was impossible before. This is our first SIEM product.

What needs improvement?

I would like to see more focus on it being a data lake. We have around 100 terabytes of data stored in LogRhythm, machine data, sensor data. That all could be used for operations tasks as well. It would really be awful to have to stand up another Splunk instance at 100 terabytes alongside it.

Also, seeing more analytics features, and more flexibility around that, and their schema.

Bringing it out completely horizontally scalable, and also continued focus on supporting lots of different vendors, for a lot of data sources.

What do I think about the scalability of the solution?

Scalability is not great, at the moment. That's changing with newer releases, and I know that's been a focus of the team. It's actually the purpose of my coming to the LogRhythm user conference, to learn more about that.

They're moving towards a horizontally scalable system, and frankly a lot of their competitors don't have this yet either, so it's kind of a wash in that. I think once they get to that point where they're completely horizontally scalable in all components, they'll have a leg up on the competitors, at least for a little while, until they get there as well.

Buyer's Guide
LogRhythm SIEM
June 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.

How are customer service and support?

Great in some areas, not so great in others. We had a lot of challenges during our initial deployment, self-inflicted in some ways. Others, we didn't have the right support, and the technical services team was stretched pretty thin when we used them.

It was hard to schedule time with them and get pre-deployment meetings, a proper architecture review on time, so we knew that our environment was ready for the deployment.

Which solution did I use previously and why did I switch?

We used EiQ. It was terrible. Just straight up, they didn't fulfill support promises. They pivoted from being a self-hosted company to hosting in the cloud and offshore, using offshore analysts. So, it just wasn't a fit anymore. And their product didn't scale.

We needed something that would give us a single pane of glass, that visibility over our whole organization - and correlate all the data - without too many staffing needs.

How was the initial setup?

We undersized the environment from a hardware perspective, which led to the system not performing well.

I'd say the requirements weren't really well defined, in our particular situation, but from what I've heard, other customers don't necessarily have that same issue. I think it was more so that LogRhythm was just growing at that time, and they had more customers than they knew what to do with.

Which other solutions did I evaluate?

We looked at RSA, we looked at AlienVault, we looked at a vanilla ELK Stack homegrown solution. We actually evaluated that one. And we also looked at McAfee/Intel at the time, security.

We went with LogRhythm because aligning with the critical security controls, SANS security controls, was important for us. Also, the price was good, MSSP support was good. I think ultimately it was the combination of their willingness to partner with us, and the price.

What other advice do I have?

I would say for us, being an MSSP, when selecting a vendor, scalability is paramount. And the support ability. If we're going to drop a lot of money on a solution, it needs to be easy for our analysts to get up to speed with it. That's worth a little bit extra, versus going with something that requires months of training just to do the basic running of the system.

If I were to advise a colleague looking at this or a similar solution, I would say take a look at all the options, figure out what you need out of a solution first, and then just make sure you evaluate it. If possible, test drive it. See what it can do, not in a sales presentation. Don't just look at a PowerPoint, actually test drive it.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user709467 - PeerSpot reviewer
Cyber Security Architect at an energy/utilities company with 1,001-5,000 employees
Real User
The initial configuration was easy

For how long have I used the solution?

I am a new user who just made the decision to purchase Intuit.

What was my experience with deployment of the solution?

We are in the process of deployment. At this point, we're in the middle of rolling it out to servers and just collecting logs, so as far as the actual deployment of rule sets, and anything like that, we haven't gotten that far yet.

What do I think about the scalability of the solution?

Our environment is Windows and Linux. We have about 1200 users. We have about 500 servers and about 1200 machines that we can be collecting from, as far as endpoints. 

How was the initial setup?

The initial configuration was easy. 

What about the implementation team?

We worked with professional services, and they remoted in and got us the setup and explained the setup. 

Which other solutions did I evaluate?

We looked at eight or nine other vendors. 

We quickly eliminated four or five of them. We ended up with a final four, which was LogRhythm, Splunk, McAfee's solution, and AlienVault. From there, for various reasons, we narrowed it down to LogRhythm and Splunk. AlienVault, we felt was a nice solution as far as being able to plug it in, get it up and running quickly, but we felt we'd outgrow it. Splunk was on the other end of the spectrum. We felt that it was very powerful, probably more powerful than any of the other solutions, but we didn't have the manpower to configure it out-of-the-box. 

From our own analysis and a lot of other customers we talked with, they confirmed the configuration on Splunk is just too top-heavy, so we felt that LogRhythm was the happy medium. A lot of customers recommended it, because of the built-in rules, and the out-of-the-box configuration is much better than Splunk, and given our team size and our internal resources, we made the decision to go with LogRhythm.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user756306 - PeerSpot reviewer
Manager Security Operations Center at a leisure / travel company
Real User
Investigation tab allows us to dig deeper into the alerts that we receive; the UI is easier than other solutions

How has it helped my organization?

Our key challenges in security include

  • standardizing our policies
  • having the end user population be aware on the security side of things.

And the solution, LogRhythm, is helping us today to enforce it. We see now what it is that we're trying to propagate into the environment, based on the policies that we're monitoring today. The goal is to 100% enforce our policies.

It has improved things tremendously. Going from a third-party vendor to an in-house solution, such as the LogRhythm solution, has given us visibility into the entire organization, compared to the limitations, based on budget and whatnot, from a third-party vendor. Absolutely, we have a lot more visibility now.

I can tell you that having the ability to monitor the semi-subsidiaries that are a part of our organization, is huge in that sense.

We have 10,000 EPS, as it is. And we have between about 500 and 1500 incidents daily.

What is most valuable?

One of the most valuable features is the investigation tab. It allows us to dig in deeper into the alerts that we receive today, based on the policies, that get triggered by our end-user population.

What needs improvement?

I think a must-have feature would be better reporting. Today, as you can imagine, the organization would like to see what is happening in our environment, and the reporting feature within LogRhythm, I would say, is very limited.

The reports do not provide information such as, who are your top ten end users generating the most activity within the environment, or appliances, per se, so that's very limited.

What do I think about the scalability of the solution?

So far, from my end, I haven't experienced any challenges. We are able to integrate all of the solutions that we have out there: our antiviruses, our data-loss prevention tools, and even our web browsing filtering.

At this point, I really don't have any challenges. Maybe the architectural team has different ones for integrations, but no issues on my end.

How are customer service and technical support?

I have not used technical support, as I do not troubleshoot the application itself. We are technically just administrators of it, monitoring.

Which solution did I use previously and why did I switch?

Because the organization wanted to have an in-house solution, when we looked at what was out there, we thought that LogRhythm, based on the user interface that was somewhat easier to follow compared to the competition, was a must for our security analysts.

And the additional features within the investigation side of it, to dig deeper into what's going on out there. Those were two big selling factors for us.

Which other solutions did I evaluate?

  • Curator
  • Splunk
  • Dell SecureWorks

We chose LogRhythm because, as I said before, the user interface was really a plus for us. It was easier to understand, compared to the competition. And the ability to dig in deeper in the investigation tab, those were the two major selling points.

What other advice do I have?

The most important criterion, when selecting a vendor, is how easy it is to adapt to the solutions we have in house. Every organization, I understand, is different, but based on what we required, for the most part I'd say about 85% of our needs were met with LogRhythm, compared to all other competitors.

It's very important for our solution to be a unified, end-to-end platform because the organization might adapt new technologies. Our security architect needs to have the ability to integrate them. If it's a challenge then, definitely, that's going to be a downside for us.

If a colleague at another company was doing a SIEM solution comparison with this and similar solutions, I would say to give LogRhythm a shot and, if the possibilities are there, to implement a PoC to understand how the solution can help them.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user756414 - PeerSpot reviewer
Lead Info Security Architect with 501-1,000 employees
Vendor
We have used its alert capabilities to help us mitigate issues more rapidly

How has it helped my organization?

It helps by collecting logs from a lot of different security items, like firewalls and IPSs. It helps to give us alerts to let us know if something is happening on our network. It has really good log collection and event and alerting capabilities, so we have used those alerts to help us mitigate issues more rapidly.

We have been able to stop ransomware by being alerted through LogRhythm. That was probably one of the biggest things. Also, malware events and things like that.

What is most valuable?

Using the web console to get a quick look at what's happening on the network, so the different dashboards that are available. Those are probably the things I look at first. Probably very useful at really analyzing what's going on.

What do I think about the stability of the solution?

We haven't seen issues with the product itself. There are updates which are now automatic through the knowledge-base. So, I'd say it's a stable product.

What do I think about the scalability of the solution?

We have not had issues with scalability as far as LogRhythm's concerned. We're not big enough to have issues of scalability with it. It is a much bigger product than that. We're not a huge global organization, so it's more than enough for a company our size.

Our environment is about 1,000 users, about 900 workstations, and a couple hundred servers. It is a Windows and Cisco shop.

How are customer service and technical support?

They are really good. Whenever I've needed their help, opened up a ticket, I haven't had any issues getting help from them. We have a guy right now who is really excellent, and will go out of his way to help us with making sure we are getting things set up properly, so that's really been a big help. They have really smart people there. When you work with them over the course of a number of years, you see how bright these guys are, so it's nice.

Which solution did I use previously and why did I switch?

We're fairly close to Boulder, so buying something that was local, I like to do that, and it is a great product. We're happy with it. I think it is one of the best SIEM tools out there. So, no regrets about going local, and it's nice to have them down the road if we need to get to them.

What other advice do I have?

It is a great product. We brought it in initially as a central event log for PCI compliance. It's been really good for PCI compliance, but then we leveraged it for security across the network, so it has been really good that way. It really requires somebody to be able to dedicate a lot of time to getting sources into it. It's hard if you're a partial user of it. It takes a lot longer to really understand the product, because it's big. There's a lot to it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user756300 - PeerSpot reviewer
Security Architect at a leisure / travel company
Vendor
Facilitates aggregating all the logs into a single platform, and then doing real-time monitoring

How has it helped my organization?

We used to use a third-party vendor. We migrated to an in-house security operation center, so it's been a big difference.

What is most valuable?

We're doing almost 10,000 EPS right now and we have anywhere between 5000 and 6000 servers, and a couple thousand network devices more or less.

Our goal is pretty much to gather all those logs. Keeping track of when new servers are deployed and new network equipment gets put out there and then have them report to LogRhythm. That's mainly the biggest challenge so far.

Mostly for us the most valuable feature is its aggregation of all the logs into a single platform, and then doing the real-time monitoring based on that.

Also, the real-time monitoring piece of it, that's extremely valuable. Plus you can tweak a lot of their settings while other systems don't really let you.

What needs improvement?

Dashboards, reports. Right now I know there's a big issue with reporting. It's challenging, at least for us, to do some of the reporting within the system itself. Hopefully that's something that gets improved.

Also, when you're reaching out to any other solution out there, any third party, most of them have integrations with Splunk; that's something that it's lacking on the LogRhythm side. They're lagging behind when it comes to integration to main platforms.

So hopefully, with the help of the entire community, we can build something a little bit more flexible when it comes to integrations.

What do I think about the scalability of the solution?

We had some issues. Unfortunately, it was not sized properly from the beginning. But now with the additional boxes on everything, so far it's pretty solid.

How are customer service and technical support?

They're pretty good. Sometimes I wish they would be a little bit quicker getting back to you, at least when you open a ticket, but apart from that they're pretty good. We usually do reach the right person within the SLAs they have.

Which solution did I use previously and why did I switch?

We were using a third party, Dell SecureWorks. We wanted to go away from that and go into more of a centralized system in-house. We went through a bunch of factors and LogRhythm came out on the top.

How was the initial setup?

It was good. We have a lot of collectors, we ended up having almost 50 collectors in total, so it was a little bit challenging, but it's not bad.

Which other solutions did I evaluate?

  • Curator Security
  • Splunk
  • ArcSight

We took it as far as they were able to help us with very specific things we do as a company, and LogRhythm came out on top.

What other advice do I have?

We're migrating to a dumb-terminal type of environment. That's the end goal that we have, because we have noticed that there's no way for us to secure everything. There's really no way. So having the users centralized into one location, it makes a big, big difference.

So far it's working fine. Like I said, we had some little things here and there but we've revised the architecture and now it's good.

For selecting a vendor we had a matrix. There were a bunch of points that we were trying to cover. How easy is it to use? For Roger's group, for example, to see how easy it was to adapt from the GUI base to the console.

In terms of a unified, end-to-end platform, I'd say we're not married to specific vendors or companies, that's the nature of our business, at least how we run. But it's good to have everything in one solution.

If I had a colleague at another company researching this and other SIEM security tools, I would give him my matrix.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user711480 - PeerSpot reviewer
Works at an aerospace/defense firm with 1,001-5,000 employees
Real User
Everything I have used is designed very well, and makes sense after a little time on the system.
Pros and Cons
  • "Compliance reporting is another great feature of this product. It has built in reports right out of the box."
  • "Only area I can think of to improve on is the proof reading and using the guides before releasing them. Out of the 20+ guides I used, one had issues with wrong information in it."

How has it helped my organization?

It's an all-in-one solution since we bought the network monitor along with it. It has made finding issues or threats on our networks a lot faster and easier. Something that would have taken our team and multiple IT people 5-6 hrs to resolve before can now be done by one person in 1-2 hrs. Plus, with built-in case tracking, it makes it easy to track what is going on and what has been reported.

With built-in reporting it makes change tracking and compliance reporting a lot easier. We used to have to update the documents by pulling in data from multiple sources and having to wait to get data from other departments.

What is most valuable?

My favorite part of LogRhythm is its ease of use. Everything I have used is designed very well, and makes sense after little time on the system. The new web interface is very fast and easy to use and see what is going on in a glance.

The AIE rule set is easy to set up and use. They have a lot of built-in modules that have the rules already created for you. The deployment guides are easy to follow for setting up the modules. Personally I love the UBA or threat modules. These will first do a system baseline, then start flagging events outside your normal operations. Creating new rules is very easy with the GUI.

Compliance reporting is another great feature of this product. It has built-in reports right out of the box. Plus, it was one of the few products with FIPS 140-2 encryption for the database.

What needs improvement?

Only area I can think of to improve on is the proof reading and using the guides before releasing them. Out of the 20+ guides I used, one had issues with wrong information in it.

What do I think about the stability of the solution?

We have an HA setup and have had zero downtime so far.

What do I think about the scalability of the solution?

Haven't had to scale it up yet.

How are customer service and technical support?

Customer Service:

10 out of 10. They are fast to answer any tickets or questions I have had.

Technical Support:

10 out of 10. They have had a fix or answer for every question or problem I have had.

Which solution did I use previously and why did I switch?

Yes, we did. It just wouldn't handle our environment at all. It was going down all the time. One update caused it to delete all of our logs over a month old.

How was the initial setup?

The setup was easy and straightforward. Even the HA setup was simple.

What about the implementation team?

The first network was done by a team from LogRhythm; the other networks were handled in-house. The team from LogRhythm was very good at the setup and deployment.

What was our ROI?

The calculated ROI is around 90-100% for the first year, because our implementation and design of this solution allows me to cut my team in half. This includes the costs of setup and training. We will see how this plays out in the years to come.

What's my experience with pricing, setup cost, and licensing?

Look closely at the cost of licensing of other products. This should include setups and the need for support services. I did an RFQ to 2 other vendors before choosing this product.

One major issue for me was a product that you can't use if you go over on logs collected. Where I work it can take forever to get funding to fix an overage issue. This is one product that uses a true-up at the end of the year to address this issue.

Which other solutions did I evaluate?

Yes, we evaluated and used a few other products.

ArcSight, SolarWinds LEM, Splunk, and QRadar. Splunk and QRadar were the products we evaluated with LogRhythm. The other two products are products we used before.

What other advice do I have?

Work closely with your sales and engineering team for your setup and give them all your requirements and use cases.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user418188 - PeerSpot reviewer
IT Security Manager at a financial services firm with 501-1,000 employees
Vendor
We used it primarily for security logging of events. We created reports based on traffic awareness for security.

What is most valuable?

The reporting feature is valuable.

How has it helped my organization?

We used it primarily for security logging of events. We created reports based on traffic awareness for security.

What needs improvement?

We would like to see better base templates for reporting.

For how long have I used the solution?

I've used it for six months.

What was my experience with deployment of the solution?

The only issue we had was getting the NetFlow incorporated. However, that issue was because of our implementation. Once we made a change, it worked.

What do I think about the stability of the solution?

There were no issues with the stability.

What do I think about the scalability of the solution?

We had no issues scaling it for our needs.

How are customer service and technical support?

Customer Service:

I'd rate customer service a 10/10.

Technical Support:

I'd rate technical support a 10/10.

Which solution did I use previously and why did I switch?

I've also used QRadar.

How was the initial setup?

It was fairly straightforward.

What about the implementation team?

LogRhythm's vendor team helped us set it up. The box was delivered and they helped us get the licensing in and the initial setup.

What's my experience with pricing, setup cost, and licensing?

I would make sure you have Events Per Second set high enough for all of the events. This will cost a little more.

What other advice do I have?

It will take time for fine tuning; expect four months to fine tune it to exclude the false positives.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user347160 - PeerSpot reviewer
Security Consultant and Co-Founder at a tech consulting company with 51-200 employees
Consultant
The web interface, especially since the move to the open source storage system in v7, allows almost instant access to detailed log data from across the platform.

What is most valuable?

The web interface, especially since the move to the open source storage system in v7, allows almost instant access to detailed log data from across the platform.

How has it helped my organization?

I work in the IT Security channel, reselling LogRhythm and associated consultancy services. The improvements from implementation of LogRhythm are to my clients' organizations.

What needs improvement?

The reporting engine is poor in comparison to other areas. It should be moved to the web interface to improve its functionality and usability.

For how long have I used the solution?

I've been using it for over four years, since v3.

What was my experience with deployment of the solution?

We have had no issues with the deployment.

What do I think about the stability of the solution?

We have had no issues with the stability. We haven't experienced instability.

What do I think about the scalability of the solution?

The scalability before v7 was sometimes difficult due to the hardware performance required. Since v7 was released, the clustering and scalability options have improved significantly.

How are customer service and technical support?

The UK-based technical support is good, and the engineering and lab teams based in the US are great.

Which solution did I use previously and why did I switch?

I have experience with Splunk and ArcSight. LogRhythm's correlation capabilities (part of the AIE component) are much better than Splunk's, and the solution as a whole is generally cheaper and easier to implement than ArcSight.

How was the initial setup?

The initial setup is straightforward. Follow the initial setup guide and the solution works within hours. Easy to use configuration tools are included.

What about the implementation team?

I work for a reseller and consultancy firm in the IT security channel. I would recommend using a vendor or reseller to assist in the deployment, as although the basic build and set up is easy, on-boarding log sources and setting up the system to report and alarm on events requires experience and expertise.

What other advice do I have?

As part of your plan for SIEM, identify what you expect the SIEM to be able to do for you / your organization. SIEM is not a silver bullet. SIEM will take a considerable amount of use by a security analyst or similar to get the best out of it. SIEM managed services offered by resellers or system integrators may be good value and should be seriously considered to ensure the best outcomes from the SIEM.

Disclosure: My company has a business relationship with this vendor other than being a customer: I work for an independent IT Security Consultancy firm, and work with LogRhythm and their partners in the UK IT Security Channel. I have previously worked for a LogRhythm partner.