We have about 600 employees supported by this solution. Our goal is to try and bring in at least one additional application into our SIEM tool each month so that we can get better insights for those particular platforms.
Information Technology with 501-1,000 employees
Video Review
Provides a comprehensive and powerful view of our environment from one dashboard
Pros and Cons
- "This solution has improved our organization in many different ways. The biggest benefit is being able to view all information in one dashboard instead of having to look at several different applications and dashboards. I can see information across our entire environment and every aspect of our network."
- "Better integration with different services is needed, as there are quite a few platforms that we use that don't integrate very smoothly with LogRhythm."
What is our primary use case?
How has it helped my organization?
This solution has improved our organization in many different ways. The biggest benefit is being able to view all information in one dashboard instead of having to look at several different applications and dashboards. I can see information across our entire environment and every aspect of our network.
LogRhythm really helps with our cybersecurity exposure because it gives us insights to make us more proactive versus reactive regarding events happening in our environment. LogRhythm gave us so much insight into blind spots that we didn't even know we had.
LogRhythm also really helped our environment in terms of security posture because it gives us so much more information that we can use in a timely manner. Some of our other providers don't give us reports until as late as the next day. With LogRhythm, we can have alarms triggered within seconds that let us know that there are particular things that need to be addressed. This is much quicker than if we just trusted that particular vendor to let us know.
What is most valuable?
My favorite feature is the Drill Down which allows us to look at several different logs originating off of one particular alarm. If there is suspicious activity, we can use that feature to access one dashboard with different anomalies that might stand out or different places where alarms would've been triggered for particular events.
We use the Event Log Filtering feature quite often. It makes it much easier to find useful information in our SIEM tool in a quick and efficient manner. There have been several times when we have imported 20,000 plus logs within a matter of minutes and it makes it much easier to find what we're looking for, especially when time matters.
The Event Log Filtering utility also allowed us to find information much quicker in our environment because it simplified the process of finding information.
What needs improvement?
Better integration with different services is needed, as there are quite a few platforms that we use that don't integrate very smoothly with LogRhythm. We would like to plug in an API key for another system and have that vendor's information readily available.
Buyer's Guide
LogRhythm SIEM
November 2023

Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2023.
746,635 professionals have used our research since 2012.
For how long have I used the solution?
We've been using LogRhythm as our SIEM provider for about five or six years now. I have personally only been using it for the last six months, learning the ins and outs of how it can support our organization.
What do I think about the stability of the solution?
LogRhythm is very stable and reliable.
What do I think about the scalability of the solution?
LogRhythm has amazing scalability potential for whatever your particular needs are.
How are customer service and support?
We've had really good experiences with LogRhythm's technical support for things that are already in the environment. When it comes to trying to innovate with some of the newer things, this has been a little bit more difficult. I feel like they could be a little bit more intuitive going forward. I would rate their technical support an eight out of ten.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate LogRhythm an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Global Security Manager at Chart Industries Inc
Video Review
The solution reduced our investigation time from days to hours and assists in managing our workflows
Pros and Cons
- "LogRhythm does a very good job of helping SOCs manage their workflows."
- "One of the challenges of the SIEM for the LogRhythm 7 platform is the amount of time it takes to bring new log sources into the MDI."
What is our primary use case?
LogRhythm works within the core of our SOC. It's where our analysts work every day and where we do all of our investigatory work for security incidents.
It created our security posture. It is the central component of all of our security tools and it is the heartbeat of our SOC and our daily operations. It sets the tone for everything that we do.
How has it helped my organization?
This solution improves our organization daily. It saves us countless hours doing correlation work and reduces our investigatory process from days to hours. It routinely brings issues to the forefront using the AI engine and the use cases that we've built that need investigating. We constantly find new sources of logs to bring into the system to continue to make it better.
LogRhythm does a very good job of helping SOCs manage their workflows. Our SOC is very young and we're not leveraging that feature yet. I've seen other companies' SOCs and watched them use the workflow features and it's incredibly well done. We're not mature enough yet to use it.
For cybersecurity exposures, the one downside from LogRhythm's perspective is that it can only tell me about use cases that I've already defined. It cannot identify unknown cases at this time. However, we have just recently purchased the NDR solution and that does have this capability.
This solution is our principal mechanism for doing all investigatory work. When we get alerts from LogRhythm, we'd go back to the logs and trace those events back to their source. This is is how we shut down attacks.
What is most valuable?
One of the features that we use the most and find the most valuable includes the Web Console. My analysts really like the interface and the ability to build queries using point-and-click without having to write Query languages. My favorite feature is the actual Admin Console and the ability to monitor all aspects of the SIEM's health and the ability to build new use cases for my analysts to work with.
We also use the Machine Data Intelligence feature for classifying and contextualizing logs. It does struggle with unknown log sources and we've had some challenges over the years getting new log sources incorporated into the MDI Fabric.
The ability to authenticate successes and failures using MDI is incredibly easy. For the log sources that we bring into the SIEM, that work is pretty much done for us by the MDI. We don't have to do any additional work.
What needs improvement?
One of the challenges of the SIEM for the LogRhythm 7 platform is the amount of time it takes to bring new log sources into the MDI. We've waited a couple of years on some sources before they were incorporated. Writing our own custom MDIs is very challenging because it requires expert-level regex in order to write those rules and to make them efficient. Bringing in sources that aren't natively understood is where we've struggled the most.
For how long have I used the solution?
We have been using LogRhythm SIEM Solution for six years.
What do I think about the stability of the solution?
The stability of the solution, if it's deployed properly with the right resources, is rock solid. We have not experienced any performance issues. When we first bought the SIEM, we undersized it, and the performance was compromised.
What do I think about the scalability of the solution?
This is a scalable solution. I've load-tested the SIEM at its current resource allocations up to four or five times as much as my daily ingest and the system handled it just fine.
How are customer service and support?
Their technical support is second to none and is one of the reasons why we continue to invest in and consider LogRhythm as a strategic partner. Their support team are really good at their jobs and they always come through when we need them. I would rate their support a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
LogRhythm is the first SIEM I have used and the only SIEM I have a lot of experience with. I've demoed other SIEMs and we've gone to market twice to look at whether LogRhythm was still the right decision. Both times we concluded that it was.
How was the initial setup?
The setup of the SIEM is complex in its own right. LogRhythm typically recommends professional services assistance to deploy the SIEM properly. My company did not purchase those professional services so I had to figure it out for myself. Their support structure was so good and they helped me so much that we were able to get it working without professional help.
LogRhythm is an out-of-box solution and this was why we bought it. I had no experience with SIEM when we bought it six years ago. I needed something that I could plug into the network, get up and running and get value out of immediately.
What was our ROI?
We get a vast amount of ROI from this solution. We get way more out of it than we put into it. One of the metrics that I track pretty closely in our SOC is the mean time to detect. Prior to the SIEM, the mean time to detect was measured in weeks and it's now measured in minutes.
What's my experience with pricing, setup cost, and licensing?
LogRhythm's pricing and licensing are extremely competitive and it's one of the top three reasons we continue to invest in the platform.
Which other solutions did I evaluate?
We looked at Securonix, Azure Sentinel, IBM's QRoC, and QRadar on Cloud. What really won us over with LogRhythm was the ease of use of the interface and the simplicity of the underlying architecture. It really lends itself to being a low-cost solution to own over time.
What other advice do I have?
The nice thing about LogRhythm is that they continue to innovate and come up with new capabilities like their NDR solution that we recently invested in. They continue to stay relevant.
I would rate LogRhythm a nine out of ten. The on-prem version of the solution is fantastic and is the core of my SOC. It's our daily tool for all of our investigations.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
LogRhythm SIEM
November 2023

Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2023.
746,635 professionals have used our research since 2012.
System Administrator at GOLDENWEST FEDERAL CREDIT UNION
Video Review
Has pre-built pieces for third party vendors and does not take a long time to implement
Pros and Cons
- "One of the main features that I like about LogRhythm NextGen SIEM is that there are a lot of pre-built pieces. Like with our AV, we didn't have to tell it how to read the logs; they already had it pre-made. So, we essentially just had to follow their guide to get the logs imported in and set up some rules for it. We've only had to manually create the parsing rules for a few of our vendors so that we could interpret the logs correctly. Most of them had already been pre-created for us."
- "When we originally got LogRhythm, their tech support was fantastic, and I loved them. Now, we don't quite get as quick of a response. I've been disappointed in the more recent tech support. When you call in, they'll say that they will get you somebody, and you'll finally get someone who will contact you back a day or so later. Whereas before, I would get help right away."
What is our primary use case?
We have a lot of use cases. Originally, it started out pulling in a bunch of the logs so we could get some ideas on network traffic. More recently, we have proceeded with pulling in logs from some of our other vendors. This really helped out a lot with our AV, which didn't always notify us as quickly as we wanted it to. LogRhythm made it possible for us to get notifications faster so that we can remediate things faster. We've been expanding it more and more as we've gone through the years to include more traffic, giving us more insight into our network.
How has it helped my organization?
LogRhythm really gave us a better understanding of what our overall risk is within our network and has opened our eyes to include other products that helped address different types of issues. Whether it's getting into vulnerability scanners or different pieces of other software, it's opened the door to what's out there. It helped us to turn on different features or other products along the way and helped us to identify what we need to improve on and present it to our executive team.
What is most valuable?
One of the main features that I like about LogRhythm SIEM is that there are a lot of pre-built pieces. Like with our AV, we didn't have to tell it how to read the logs; they already had it pre-made. So, we essentially just had to follow their guide to get the logs imported in and set up some rules for it. We've only had to manually create the parsing rules for a few of our vendors so that we could interpret the logs correctly. Most of them had already been pre-created for us.
We use the Event Log Filtering feature a lot. We use it for simple troubleshooting tasks like when a user is logged out, to more important tasks like trying to investigate a threat. As far as its effect on productivity, we can go and search instead of trying to troubleshoot and guess what is causing an error. We can identify what the program is or where the hiccup is.
LogRhythm helped us to identify a lot of blind spots. Originally, we didn't have a SIEM tool. We had auditors say that this is something that we should be doing. My management team asked me to go and find a product, and I researched a bunch of them and found LogRhythm. It really opened our eyes to see how much traffic we have, whether it's other IP addresses that are scanning us or external users trying to hit certain ports that could then get closed. It helped us tighten down some of those firewall rules that may have been left open unintentionally through other changes. It helped us a lot early on to identify who was trying to communicate with us or, essentially, who was trying to attack us.
As far as our overall security posture, our SIEM tool was the initial push that really got us going into identifying where all of our threats were. We expanded over the seven years that we've had it, and I implemented at least eight other products that are all security related because the SIEM tool indicated the need to identify other risks. It really helped us as an organization to identify risks and move forward to a more secure environment.
What needs improvement?
When we originally got LogRhythm, their tech support was fantastic, and I loved them. Now, we don't quite get as quick of a response. I've been disappointed in the more recent tech support. When you call in, they'll say that they will get you somebody, and you'll finally get someone who will contact you back a day or so later. Whereas before, I would get help right away.
For how long have I used the solution?
We've had LogRhythm for almost seven years now.
What do I think about the stability of the solution?
It's very stable. We've been on the same system for the seven years that we've had the product. We've had no issues and haven't even had to upgrade any of the systems or increase anything hardware-wise up to this point.
What do I think about the scalability of the solution?
I haven't really had much of a chance to do any scalability because we haven't had to scale anything up. Ours is a virtual instance, and if we needed to scale up, we could just shut the server down, add some more resources, spin it back up, and it would be good to go.
How are customer service and support?
Initially, tech support was a solid ten out of ten when we first started. Over the last couple of years, they have changed how they handle tech support requests, and the response time decreased from what it used to be. You call in, they'll take your information, and then they'll call you back later. That can take 24 hours or more. When you actually do get somebody on the phone, they're very good and know exactly what they're doing. They'll take care of you.
In terms of response time, I'd give tech support a six out of ten, but in terms of how good they are as tech support, I'd give them a seven or eight.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We didn't have a designated security person on staff, and our auditors came in and said that we should be doing this. As a help desk person, I looked for something specific that was going to give me the flexibility I need but also allow me to spin up and run while doing the rest of my duties, and LogRhythm was the best one that I found that could do that.
How was the initial setup?
It's pretty complex to set up, in a way. However, now that I've done it and have done an upgrade as well, it doesn't seem as bad.
I did something wrong on one of the initial upgrades, and it threw an error. I called in support, and they immediately jumped in and started working on a lot of the backend pieces that I don't normally touch. It's pretty complicated if you have to get into that, and that's where the tech support comes in.
With this last upgrade, I did not run into any errors, and it went through just fine. I thought that I was going to be doing this for six hours throughout the day, and I got it done within two or three hours.
What about the implementation team?
I set it up and upgraded it twice, once with help from LogRhythm and once all by myself.
What's my experience with pricing, setup cost, and licensing?
We're on a perpetual license, but they're trying to move us to a subscription-based license. We've been with them for so long, and we'd like to keep it the way it is rather than switch to a subscription-based license.
Which other solutions did I evaluate?
We looked at four products including QRadar and Rapid7 InsightIDR. We did POCs for all four solutions, and LogRhythm was the best solution for our needs.
One of LogRhythm's distinguishing features was its AI engine which analyzed the tools and allowed it to alert for specific events, instead of me having to dig down and create all these rules. It came with pre-created rules.
Another piece that was really important was the implementation. They had a lot of pieces for third-party vendors as well. We could pull in the logs. All we had to do is just create a rule that says, "alert." It came pre-programmed with a lot of alarms that would automatically correlate with our AV, along with our firewall. We didn't have to create them because they just came in pre-made, and that was a big feature that we looked for. Just implementing it or adding to it didn't take up too much time.
What other advice do I have?
If you are one who thinks that SIEM is an outdated security tool, I would be very curious to know what other solution would be better than a SIEM to accomplish the same goals. A SIEM tool gives you such an open perspective into what is going on in your network and gives you the ability to dig in if you really need to. Whereas if you have a completely managed solution or one that uses AI and does everything for you but doesn't provide you the logs, you might know what's wrong but won't know what else is going on out there. With a SIEM tool, you can dig in as far as you want to, and specifically with LogRhythm, you can be as hands-free as you want to be. It'll tell you what's wrong, and you can address those problems. You have a lot more flexibility with LogRhythm SIEM.
Overall, I'd rate LogRhythm SIEM a nine out of ten. I really enjoyed the solution. If you have to program anything yourself, there is a little bit of a learning curve. They've got lots of guides that you can use, and depending on your skill set, you may be able to figure it out sooner rather than later. The resources are all there, and the community is there to help you, which makes the product really great and easy to use.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity Analyst with 201-500 employees
Video Review
Can search through metadata in different ways and helps reduce administrative overhead costs
Pros and Cons
- "The most useful feature that I've found so far is the search function. I like all the different ways you're able to search through metadata and the different ways you're able to correlate or search through logs to find out what's going on."
- "The user interface needs improvement. The more the user can slide around and know what's going on, the better it will be."
What is our primary use case?
We've been using this solution to aggregate and correlate logs to dive a little bit more into auditing any sort of suspicious activity or malicious ideas that are going on within our network and using it for compliance purposes.
How has it helped my organization?
We partner with another company to help co-manage LogRhythm SIEM, and it definitely brings everything down to a single pane of glass, especially for people who are coming into the cybersecurity industry and don't have as much experience. It helps to correlate things to where they're more human-readable.
It has also increased our overall rate of efficiency by about 10 to 15%.
What is most valuable?
The most useful feature that I've found so far is the search function. I like all the different ways you're able to search through metadata and the different ways you're able to correlate or search through logs to find out what's going on.
The Event Log Filtering feature filters out certain logs that we don't need, and it has definitely helped decrease costs and increase efficiency for all of the products. With its hardware being on-premises, it reduces resources all around and makes it more efficient.
The Event Log Filtering feature has also helped us reduce our administrative overhead by approximately 10 to 15%.
In terms of managing workflows and cybersecurity exposure, LogRhythm SIEM is very efficient and is a good tool to use for locating and auditing any sort of activity that goes on in the network. It's very helpful for tracking and finding, even down to a granular level or up to events.
It's definitely been helpful with blind spots, especially in terms of vulnerabilities that aren't picked up by the scanners that we have. There were multiple instances where we've had brute force and various types of attacks that were quickly escalated to us via alarms and that were easily read and acted on.
What needs improvement?
The user interface needs improvement. The more the user can slide around and know what's going on, the better it will be.
For how long have I used the solution?
I've been using LogRhythm SIEM since 2016.
What do I think about the stability of the solution?
The stability is great. We had an agent go down on a DC once or twice, and it just involved a restart. That is about it. The stability of the hardware and the software itself is awesome.
What do I think about the scalability of the solution?
We're going to be scaling soon, and there hasn't been any reason to switch away from LogRhythm. So far, scalability-wise, it's been able to fit our environment well.
What other advice do I have?
You would be wrong to think that LogRhythm SIEM is an outdated solution. I use it every day, and it has helped me fix or see vulnerabilities or compromises in our network that I wouldn't have seen before. It's still definitely around.
On a scale from one to ten, I'd rate LogRhythm SIEM an eight.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Analyst at a transportation company with 501-1,000 employees
Video Review
Helps with productivity, reduces administrative overhead, and offers useful dashboards
Pros and Cons
- "The dashboards in the LogRhythm SIEM really help us as a starting point. It gives us a starting point we can go to every day. We walk through several dashboards to see anomalous activity for further investigation."
- "We use Windows Event Forwarding to collect the logs from our Windows clients, and the logs get aggregated as one data source on that collector. Therefore, finding logs specific to one particular Windows system requires some creativity in how we search the SIEM."
What is our primary use case?
It's our primary threat-hunting tool. We use it to look for anomalies. We use it for investigations. We use it for just about everything security related. If we find it in another tool, we use the SIEM to cross reference what activity we would see either from that user or from that machine that we saw in the other tool.
How has it helped my organization?
It's improved our organization in a number of ways.
Before we got the current SIEM, for example, the previous SIEM was not our primary threat-hunting tool. It was a data point we would go to occasionally. Today, LogRhythm SIEM is our primary threat-hunting tool thanks to the user-friendly interface, which is much better compared to what we've had previously.
The ability to return relevant information from a search to provide either corroborating evidence for an investigation we were already undergoing or just being in a better place to go hunt for threats has made me feel that the environment is safer than what we had previously.
Previously, with McAfee SIEM, we had no confidence that it would help us in an investigation, so we frequently did not lean on it. It let us down so many times. LogRhythm SIEM gives us a sense of confidence that, during an investigation, it's a solid source of information that we can use to complement the investigation or perhaps complete the entire investigation within the SIEM.
What is most valuable?
Our previous SIEM did not have dashboards, so there wasn't a starting point. With our previous SIEM, we had to have a specific thing we were looking for, and only then we could find it.
The dashboards in the LogRhythm SIEM really help us as a starting point. It gives us a starting point we can go to every day. We walk through several dashboards to see anomalous activity for further investigation. The dashboards, therefore, are our favorite feature of the SIEM.
The solution helped with productivity and the ability to process logs. We do Event Log Filtering for certain log types, which we don't want in our SIEM as they're just too noisy. Having too much noise in the SIEM makes it harder to find relevant things. Therefore, we use Log Filtering to limit the noise. It's also given us the ability to bring more logs in, so we bring them all from all of our workstations and servers. Doing the log filtering this way allowed us to bring in other log sources and keep the noise manageable.
It's helped reduce our administrative overhead. Before we started doing the log filtering, we exceeded our license capacity for what we were licensed in terms of logs in our SIEM. The filtering allowed us to bring the noise down and helped us with the removal of junk logs that are not useful. We have a lot of firewalls, and anytime you're traversing internally inside of the firewall, it generates a lot of traffic. That kind of traffic is the type of traffic we took out, allowing us to bring our workstation traffic logs in to give us a better view of our environment.
It's very big for us that the solution is out-of-the-box. To have the solution be turnkey was significant as it enabled us to ramp up and get the logs onboarded immediately. There wasn't a lot of configuration to get to a point where we could bring logs in. It was essentially turnkey.
What needs improvement?
We use Windows Event Forwarding to collect the logs from our Windows clients, and the logs get aggregated as one data source on that collector. Therefore, finding logs specific to one particular Windows system requires some creativity in how we search the SIEM.
I've heard that in a future release, it may come to a point where the Windows systems would be dedicated log sources, so you can choose just that log source. That would greatly improve our ability to threat hunt with our SIEM.
For how long have I used the solution?
We've been using this LogRhythm SIEM for about three and a half years.
What do I think about the stability of the solution?
The solution's been very stable for us. We bought a high-availability solution, so we have two systems in a high-availability pair. That redundancy gives us resilience. It comforts us to know that if we lose one data center, we've still got logs going into our SIEM in the second data center.
What do I think about the scalability of the solution?
The hardware we bought has the ability to process logs at twice the limit that we are licensed for, and we've not had to increase that. We've had it for three and a half years, and it's robust and keeps up with our needs.
How are customer service and support?
I've had to engage LogRhythm technical support on many occasions. They've always been quick to respond and are very knowledgeable, professional, and helpful.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
The previous SIEM we have was McAfee Nitro. There were a couple of reasons why we switched. We switched due to the fact that it wasn't easy to just stumble into finding things. You had to know what you're looking for and we didn't like that aspect of it. Also, we had a really bad support case that was the catalyst for making the move to a different SIEM.
How was the initial setup?
We have a different setup, and we keep the SIEM in our PCI environment to limit our PCI scope. We had to think through the architecture so that we had the logs in the places we needed them without having our firewalls wide open. It was very quick to deploy since we used Windows Event Log Forwarding. We were able to use a GPO to have logs sent to a centralized server and, from there, ingested directly into the SIEM, so we were onboarded in less than a week's time. We were able to onboard the majority of our log sources quickly.
What about the implementation team?
When we bought the SIEM, we bought a block of professional service hours that we utilized to help implement the SIEM. They were a tremendous help with adding dashboards and getting our fingers in it enough to where we learned our way around it before we actually even got training. It was LogRhythm professional services, and I highly recommend them. They were excellent.
What was our ROI?
We've absolutely seen an ROI. We felt it immediately since the out-of-the-box dashboards gave us visibility into our environment that we had not seen before, as we didn't have a SIEM that presented the data in a usable manner.
What's my experience with pricing, setup cost, and licensing?
The license model is similar to other SIEM solutions that we looked at, which is a log volume pricing model. That pricing model works well, especially being able to filter the logs and get less important logs in so we have the ability and the headroom to put in other log sources.
Which other solutions did I evaluate?
We evaluated a few other options. Since we're a government entity, procurement rules limited us to just a handful of options, and of the options that we had, LogRhythm was clearly the better choice for us.
We had the option to renew and get a refreshed McAfee SIEM, which we didn't feel good about. The other two options that we were able to use were IBM and Rapid7. IBM was just another vendor I've not had good luck with in the past. Rapid7 was a smaller player. We didn't feel they had the ecosystem, the robust ecosystem, to support what we were looking to implement.
What other advice do I have?
I'm a senior security analyst. I work at a government organization that employs between 500 and 1000 people.
We are on-prem with high availability, so we have two self-contained systems, sequel logs, and everything, and they can run either box.
In terms of helping us manage workflows and cybersecurity exposure, we haven't leveraged smart responses in the SIEM. It looks like a powerful asset. We have some automated responses with a different tool for ransomware detection and prevention. However, the workflow ability in the SIEM is actually quite powerful. We just haven't leveraged it since we haven't felt that the right use case presented itself to us yet.
When it comes to affecting our rate of efficiency, we don't measure those metrics, so it's kind of hard to say there's a measurable amount or how much it's improved. It has given us a threat-hunting tool previously unavailable to us. We are very happy to have the SIEM be our primary threat-hunting tool.
Those who say SIEM is an outdated security solution should note that SIEM technology has been around for a very long time. It's still relevant thanks to the continual development that companies have done to bring more usability to extracting threats from logs. That's timeless. That's not something that's going to go away over time. The LogRhythm SIEM continues to add features, and improvements and makes finding and presenting data from raw logs easier. Digging through logs before we had a SIEM was tedious and very time-consuming. It's made it a big-time saver. To have the way it presents the logs in a usable manner has been a tremendous help for us.
I'd rate it a solid nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SOC Analyst at PLS Financial
Video Review
Robust with helpful workflow management and good log filtering
Pros and Cons
- "It's positively affected our overall rate of efficiency."
- "In terms of blind spots, we are looking for more improvements since we don't have visibility over everything."
What is our primary use case?
I found it very useful in our day-to-day operations with monitoring user activity and looking at system analytics and system performance. I found it very useful when investigating threats like IPs, and seeing what's going on with our endpoints, like certain lateral movements that we've noticed.
I definitely found it very useful when looking at, for example, a compromised host, or a suspicious IP that has been scanning us. I've definitely found it very useful when I look at a log, it'll give me a detailed drill-down of all the information that's needed, including what the rating is, the rating of the threat, and what actions should be taken.
It gives my team a better idea of what we should do to improve our security posture.
How has it helped my organization?
It's improved our organization. For example, if we have a user who's traveling overseas, or we get a suspicious login from the VPN, from a country that we're unfamiliar with, it gives us the ingest logs. The SIEM gives us a better comprehension of what type of threat activity it is and helps us decide if it's benign or legitimate.
What is most valuable?
Looking at the logs and how much detail each log has when it is ingested into our dashboards is quite useful. I found it very useful when looking at, for example, what emails are inbound and outbound of our networks.
I like how detail-oriented the logs are in terms of what the origin is and what network it's coming from.
I also like how the detailed logs give us what host or user it's coming from. On sight, I have a pretty cohesive understanding of what threat intelligence looks like in terms of reviewing what we have to deal with.
I use the Event Log Filtering feature daily. Every day when I look at event logs, I use the filters on certain time ranges and AIU engine rules. Overall, it's had a very positive impact. It helps us expedite certain security incidences very quickly, thanks to how detail-oriented the logs are. It really helps me report threats to my supervisor. For example, if someone's trying to scan us, my boss will ask me, "Can you look into this further?" I'll go ahead, and use the searches and the lists that the LogRhythm console has to offer, and I will get back to him in a timely fashion, with more details on the threat.
The Event Log Filtering feature has definitely helped reduce administrative overhead. On a scale of one to ten, I would rate it a seven.
It helps us manage workflows and cybersecurity exposure. In terms of managing workflows, it definitely has given us leverage on what our overall security posture is, and gives us a better understanding of what we need to focus on more in terms of what threats are persisting. Our workflows have been pretty seamless so far. I would say our workflow is pretty seamless in terms of static manual investigations.
In terms of blind spots and our ability to shut down attacks, while we don't see all the blind spots, it gives us enough understanding and information about where we can classify a threat.
Overall, it's had a very positive impact on our security posture. It gives us good visibility of what we need to see right now. It definitely gives us a better understanding of what we deal with, and what we should focus on in terms of what threats are more critical than others. In terms of our daily operations, it's very helpful.
It's positively affected our overall rate of efficiency. It's given us what we need for now. We're looking to improve our efficiency by looking into what LogRhythm offers in its newer products. Still, it's pretty efficient. On a scale of one to ten, I would rate it around eight or nine in terms of efficiency. My immediate coworkers in my department could use what we have right now for looking at critical alerts, user analytics, and overall IT operations since we usually have daily operations where we look at all user activity throughout our organization.
What needs improvement?
So far, it's pretty robust, and yet, we look for more improvements.
On a day-to-day basis, maybe we could look for more improvements with automation, however, so far, it's good.
In terms of blind spots, we are looking for more improvements since we don't have visibility over everything. Right now, we just use LogRhythm for our on-prem solution, not our cloud solution. We could definitely use more improvements with that in the next product.
Ingesting logs into the web console user interface and probably updating the threat intelligence database are the two places where we'd like to see improvement. We get a lot of noise. Oftentimes, we see a lot of false positives, so possibly using AI or machine learning would be ideal. Implementing that more into the next product would help us actually determine whether it's a false positive or legitimate threat.
For how long have I used the solution?
I've used the solution for about a year and three months.
What do I think about the stability of the solution?
In terms of using it on-premises, it is very stable. Granted, we have some hiccups here and there. However, that's what we reach out to tech support for. They're able to provide us with immediate support, and they're willing to really put in the effort to figure out what the cause of the problem is and will work until it's fixed in a timely fashion.
What do I think about the scalability of the solution?
The scalability is, so far, very robust. I look forward to hearing more about the latest LogRhythm products and what they can do in terms of on-premises and cloud.
How are customer service and support?
The product offers excellent service and technical sport. They're very prompt with getting back to our team regardless of the severity of the incident. Overall, I've had a great experience with this so far.
How would you rate customer service and support?
Positive
What other advice do I have?
I'd rate the solution ten out of ten.
Those that say SIEM is an outdated security system, don't understand cyber security. SIEM is what allows analysts like myself to be successful. Without a SIEM, how can we see everything? We can't.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
An extremely valuable correlation engine that uses machine learning to identify network issues
Pros and Cons
- "The correlation engine is extremely valuable because it uses machine learning to process information from the central manager and identifies issues in the network."
- "The security playbook could be pre-defined and available to other analysts with similar security issues."
What is our primary use case?
Our company manages the solution as a threat hunting platform for a semi-government client in the Hong Kong insurance industry. We collect logs for video, active directories, antivirus, and firewalls to consolidate them in the solution.
From the central log collector, we build detection policies to identify threats or possible breaches. The solution also serves as a data storage platform to troubleshoot issues and find root causes.
In addition, logs that include performance data are created for devices such as routers and switches to monitor the availability of the office network.
We also perform ongoing maintenance of the solution and all components to ensure everything runs smoothly.
What is most valuable?
The correlation engine is extremely valuable because it uses machine learning to process information from the central manager and identifies issues in the network.
The engine accurately and quickly identifies problem areas as it correlates events from various devices.
Without this engine, logs would have to be built individually for each device.
What needs improvement?
The security playbook could be pre-defined and available to other analysts with similar security issues. Currently, playbooks are individually written for various actions and threats.
It would be faster and easier to react to issues if pre-defined playbooks were accessible to all analysts.
For how long have I used the solution?
I have been using the solution for seventeen years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
I have escalated issues to technical support and rate the assistance I received an eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is complex and I rate it a six out of ten.
What about the implementation team?
We implement the solution for our customers.
Which other solutions did I evaluate?
The solution remains a top choice for our customers because of its performance, indexing rate, and coalition engine speed. Customers trying to use SIEM to collect logs and identify threats require a solution that responds quickly.
The solution's correlation engine is very important because it uses machine learning to automatically collect and analyze quite a bit of data.
What other advice do I have?
When choosing a solution, it is important to determine what you want to achieve instead of how the solution works. Most solutions have a method for collecting logs, relaying information, and identifying issues so selection is more about the speed and accuracy of end results.
I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Assistant Manager Enterprise Security
Easy to configure, user-friendly, and has simple and informative dashboards, but the UI needs some minor changes
Pros and Cons
- "What I found most valuable in LogRhythm NextGen SIEM is that it's user-friendly. I also like its dashboard, which shows all the logs and information I want to see."
- "One area for improvement in LogRhythm NextGen SIEM is that it's a Windows-based tool, and I feel it should be on the Linux operating system instead. Another area for improvement in the tool is the UI. There should be minor changes in the UI to make it better, though I like the dashboards in LogRhythm NextGen SIEM."
What is our primary use case?
We're using LogRhythm NextGen SIEM only for a few databases. Members keep their data on our FTP server, and we monitor firewalls, endpoint management solutions, and some critical endpoints.
How has it helped my organization?
LogRhythm NextGen SIEM has improved the organization through the alarm system my team has configured. The alarm system is key to looking after all the hardware and endpoints.
What is most valuable?
What I found most valuable in LogRhythm NextGen SIEM is that it's user-friendly. I also like its dashboard, which shows all the logs and information I want to see.
What needs improvement?
One area for improvement in LogRhythm NextGen SIEM is that it's a Windows-based tool, and I feel it should be on the Linux operating system instead.
Another area for improvement in the tool is the UI. There should be minor changes in the UI to make it better, though I like the dashboards in LogRhythm NextGen SIEM.
For how long have I used the solution?
I've been using LogRhythm NextGen SIEM for one month now.
What do I think about the stability of the solution?
LogRhythm NextGen SIEM is a stable tool. I didn't find any instability in it.
What do I think about the scalability of the solution?
LogRhythm NextGen SIEM is a scalable tool. Scalability is one of the reasons why my organization uses it.
How are customer service and support?
When I joined the company, a ticket was previously opened with the LogRhythm NextGen SIEM technical support team. Though I didn't directly connect with support, I have information that the problem was resolved and that the support team was very cooperative and very technical in solving the problem.
How was the initial setup?
Though I didn't configure LogRhythm NextGen SIEM as it was pre-configured when I joined the company, any solution won't be difficult to implement, as long as you have an understanding and knowledge of the product or tool. I was an implementer once.
What's my experience with pricing, setup cost, and licensing?
Senior management is in charge of purchasing the license for LogRhythm NextGen SIEM, so I have no information on how much it costs.
Which other solutions did I evaluate?
I worked on McAfee SIEM for six months, but that was when I was part of another team. If you compare McAfee SIEM with LogRhythm NextGen SIEM, I prefer LogRhythm NextGen SIEM because it's a user-friendly tool. It's also very easy to configure. The dashboards in LogRhythm NextGen SIEM are also very simple and very informative, and I've configured them to better understand what's happening in the organization. You can also create an alarm system in LogRhythm NextGen SIEM, that's very helpful.
I also evaluated IBM QRadar, and I found IBM QRadar to be a better tool than LogRhythm NextGen SIEM.
What other advice do I have?
I work in the enterprise security department or the SOC, and I just have to deal with the logs. The tool being used within the organization for log management is LogRhythm NextGen SIEM, particularly the N-1 version.
My organization uses the on-premise version of the tool, and it's been applied to the data center.
I belong to a very small organization with a data center that has sixty people using LogRhythm NextGen SIEM. In terms of maintenance, the tool isn't difficult to maintain.
The only advice I have for anyone who'd like to start using LogRhythm NextGen SIEM is that it's a very good tool, with good features and functions.
My rating for LogRhythm NextGen SIEM is seven out of ten. I didn't give it a ten because it's Windows-based, plus I also don't like its UI that much. LogRhythm NextGen SIEM is also not as good as IBM QRadar.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide
Download our free LogRhythm SIEM Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2023
Popular Comparisons
CrowdStrike Falcon
Splunk Enterprise Security
Datadog
Zabbix
Microsoft Sentinel
Elastic Security
IBM Security QRadar
Vectra AI
Graylog
AWS Security Hub
Sumo Logic Security
Rapid7 InsightIDR
Fortinet FortiSIEM
Buyer's Guide
Download our free LogRhythm SIEM Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Between AlienVault and LogRhythm, which solution is suitable for Banks in Gulf Region
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- Does LogRhythm NextGen SIEM offer good security?
- What Solution for SIEM is Best To Be NIST 800-171 Compliant?
- When evaluating Security Information and Event Management (SIEM), what aspect do you think is the most important feature to look for?
- What are the main differences between Nessus and Arcsight?
- Which is the best SIEM solution for a government organization?
- What is the difference between IT event correlation and aggregation?
- What Is SIEM Used For?
- What Questions Should I Ask Before Buying SIEM?