Unit Head Titanium (Security Solution) at RapidCompute
Real User
Great features with good cloud functionality and excellent technical support
Pros and Cons
  • "Technical support is very helpful and responsive."
  • "Parsing is totally controlled by LogRhythm and they do not allow any partner or any third-party to handle this part and this is a key challenge on my end."

What is most valuable?

We really appreciate the new cloud functionality. The cloud is really showing its dominance. 

Technical support is very helpful and responsive.

The product has a lot of useful features.

What needs improvement?

There aren't really any missing features. It's quite a complete solution.

Most of the clients using the on-prem are using customized applications. In the customized applications, we are facing parsing issues and a minimum of two days is required by the LogRhythm team for parsing logs. 

Parsing is totally controlled by LogRhythm and they do not allow any partner or any third-party to handle this part, and this is a key challenge on my end. This is a huge cost impact, at least on the Pakistani market. It needs to be addressed.

The solution should be less expensive.

It would be very helpful if there was a package to help users migrate from QRadar to LogRhythm.

In Pakistan, the government is in the process of developing its final recommendation of cybersecurity and data protection process. We hope this solution will prove to be compliant and will meet the requirements in the future.

For how long have I used the solution?

I've been using the solution for approximately one and a half years at this point. It hasn't been too long just yet.

What do I think about the scalability of the solution?

We have four or five people using the solution in our organization. They are managing the LogRhythm infrastructure.

Buyer's Guide
LogRhythm SIEM
March 2024
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,924 professionals have used our research since 2012.

How are customer service and support?

We are in touch with their support. It's government support, and they're quite supportive, and they are quite responsive. They have a divisional team that is quite responsive.

How was the initial setup?

The initial setup is complex with LogRhythm. In that Pakistan market, with LogRhythm, the climate is very limited at this point. For the on-prem, there may be only two customers, for example. One is a bank and one is serving as an MSSP.

We've added four customers to a pay-as-you-go model. You apply Windows 2000 MPS or a cloud environment. The initial setup is quite difficult, however, after making certifications we are able to provide the initial setup and got it working with the LogRhythm support team.

For maintenance, I have five engineers that are part of my security team, including me and my sales and operations. Approximately we have 14 to 15 people that can handle maintenance.

What about the implementation team?

We had some assistance from the LogRhythm support team. We did not entirely do it ourselves.

What's my experience with pricing, setup cost, and licensing?

The cost of the solution should be reduced. In the Pakistan market, they have competition from IBM QRadar. They have quite a significant core difference. While the quality of this product is better, IBM has a stronger penetration in the market based on price. 90% of financial institutions are doing the QRadar in Pakistan. The Central Bank is using QRadar, and simply due to the cost differences.

Which other solutions did I evaluate?

Initially, we tested out the QRadar, however, due to some delay and due to some market awareness tests, we did not continue.

What other advice do I have?

We are using the solution for our own infrastructure and we are also offering it as a service. We are the largest service provider, cloud service provider, in Pakistan. However, we use a variety of deployment models - including cloud and hybrid.

We have an ISO position for government-certified infrastructure. We have a PCI-certified infrastructure as well as a GDPR-compliant infrastructure.

We work closely with this product in particular. We have a lot of hands-on experience.

I'd rate the solution eight out of ten. If it weren't for some parsing limitations in the product, I would rate it even higher.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Information Security Engineer at Seminole Tribe of Florida
Real User
It has allowed us to dive deeper into our network and figure out what is going on
Pros and Cons
  • "It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days."
  • "LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently."
  • "Technical support could use a little work in terms of responding back. The feedback that we received is they do need a little more staff."
  • "We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4."

What is our primary use case?

Our primary use case would be for compliance. We needed a check in the box for compliance. Right now, it's performing and doing its job, allowing us to say that we are compliant with HIPAA, PCI, etc.

How has it helped my organization?

It has improved the way our organization functions. It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days.

LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently.

Our security program is still in its infancy. There is a lot of work that needs to be done. We finally were able to get our SIEM. A few things that we need to do are data loss protection, user behavior analytics, and another feature that LogRhythm offers that we're probably going to invest in the future. The program could use some work, but it is pretty solid now.

What is most valuable?

The most valuable feature is the Threat Intelligence Services (TIS).

What needs improvement?

We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

In the three weeks that we have had it, we have had 99 percent uptime. It is a very stable platform.

What do I think about the scalability of the solution?

It is scalable. They don't charge for going over your messages per second. It does scale with the business. 

How are customer service and technical support?

Technical support could use a little work in terms of responding back. The feedback that we received is they do need a little more staff, but every issue that we've opened a ticket up for has been resolved.

Which solution did I use previously and why did I switch?

We did not have a previous solution that we were using.

How was the initial setup?

The initial setup is straightforward and complex as it requires a lot of work. It's very straightforward and very organized. Our consultant guided us as to what we needed to do, but the entire thing is complex. One misstep or incorrect character can bring the whole thing down.

I do all the deployment and maintenance.

What about the implementation team?

The sales engineers and salespeople who come in and scope out what you need are very knowledgeable. They are not there to upsell you. They get you what you need for what you have, so everything runs perfectly. The consultants are extremely knowledgeable. Getting LogRhythm up took less than a week. It's a very solid solution.

What's my experience with pricing, setup cost, and licensing?

When it comes time to renew, they say, "This is what you are using. This is what we can do for you." So, they work with you on pricing.

Which other solutions did I evaluate?

There were multiple competitors. We almost went with Splunk, but LogRhythm ended up being the best for the price. It ended up being everything we needed in one solution.

What other advice do I have?

Everyone needs a SIEM. Go with LogRhythm.

We are not using the full-spectrum analytic capabilities yet, as we are brand new.

We have not used any of the playbooks. We do have them. We find them to be very detailed and organized. We just need to find a way to implement them.

I run in about 45 log sources with 12 of them being domain controllers, aka DNS.

Messages per second are fluctuating between 3000 and 9000. We are still trying to figure out why. We think it is our very chatty domain controllers, as we do deal with the Hard Rock and Seminole tribe, but I would say that we average about 5000.

Most important criteria when selecting a vendor: customer service. Do they care about our business as much as we care about our business? Also known as, do they care about our data as much as we care about our data?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Real User
HP ArcSight vs. IBM QRadar vs. ​McAfee Nitro vs. Splunk vs. RSA Security vs. LogRhythm

We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we are following it up with a SIEM Product Comparison – 101 deck. So, here it is for your viewing pleasure. Let me know what you think by posting your comments below. The key products compared here are based on the Gartner Magic Quadrant, which is what organizations typically use to select SIEM vendors. The vendors mentioned in the deck are:

1. HP ArcSight
2. McAfee Nitro
3. IBM QRadar
4. Splunk SIEM
5. RSA Security Analytics
6. LogRhythm

SIEM Technology Space

SIEM market analysis of the last 3 years suggests:

  • Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013)
  • Only products with technology maturity and a strong road map have featured in the leaders quadrant.
  • HP ArcSight & IBM Q1 Labs have maintained leadership in the SIEM industry with continued technology upgrades
  • McAfee Nitro has strong product features & road map to challenge HP & IBM for leadership

HP ArcSight

The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.

  • ArcSight Enterprise Security Manager (ESM): Correlation and analysis engine used to identify security threats in real-time & virtual environments
  • ArcSight Logger: Log storage and Search solution
  • ArcSight IdentityView: User Identity tracking/User activity monitoring
  • ArcSight Connectors: For data collection from a variety of data sources
  • ArcSight Auditor Applications: Automated continuous controls monitoring for both mobile

Strengths:
  • Extensive Log collection support for commercial IT products & applications
  • Advanced support for Threat Management, Fraud Management & Behavior Analysis
  • Mature Event Correlation, Categorization & Reporting
  • Tight integration with Big Data Analytics platforms like Hadoop
  • Highly customizable based on organization's requirements
  • Highly Available & Scalable Architecture supporting Multi-tier & Multi-tenancy

Weaknesses:
  • Complex deployment & configuration
  • Mostly suited for Medium to Large Scale deployment
  • Requires skilled resources to manage the solution
  • Steep learning curve for Analysts & Operators

IBM QRadar

The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.

  • QRadar Log Manager – Turnkey log management solution for Event log collection & storage

Strengths:
  • Very simple deployment & configuration
  • Integrated view of the threat environment using Netflow data, IDS/IPS data & Event logs from the environment
  • Behavior & Anomaly Detection capabilities for both Netflow & Log data
  • Suited for small, medium & large enterprises
  • Highly Scalable & Available architecture

Weaknesses:
  • Limited customization capabilities
  • Limited Multi-tenancy support
  • Limited capability to perform Advanced Use Case development & analytics

McAfee Nitro

The McAfee Enterprise Security Management (formerly Nitro Security) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.

  • McAfee Enterprise Log Manager – turnkey log management solution for Event log collection & storage
  • McAfee Event Receiver – collecting log data & native flow data
  • McAfee Database Event Monitor – database transaction & Log monitoring
  • McAfee Application Data Monitor – application layer event monitoring
  • McAfee Advanced Correlation Engine – advanced correlation engine for correlating events both historical & real time

Strengths:
  • Integrated Application Data monitoring & Deep Packet Inspection
  • Integrated Database monitoring without dependence on native audit functions
  • High event collection rate suited for very large scale deployment
  • Efficient query performance in spite of high event collection rate

Weaknesses:
  • Very basic correlation capabilities when compared with HP & IBM
  • Limitations in user interface when it concerns navigation
  • Requires a lot of agent installs for Application & database monitoring, thereby increasing management complexity
  • No Big Data Analytics capability
  • Limited customization capabilities
  • Limited support for multi-tier & multi-tenancy architecture

Splunk

Splunk Enterprise is an integrated set of products that provide Log Collection, management & reporting capabilities using:

  • Splunk Indexer – used to collect and index logs from the IT environment
  • Splunk Search Heads – used to search & report on IT logs
  • Splunk App for Enterprise Security – used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, Netflow etc.)

Strengths:
  • Extensive Log collection capabilities across the IT environment
  • Log search is highly intuitive – like Google search
  • Flexible dashboarding & analytics capability improves Log visualization capabilities
  • Built-in support for external threat intelligence feeds, both open source & commercial
  • "App Store" based architecture allowing development of Splunk Plugins to suit monitoring & analytics requirements

Weaknesses:
  • Pre-SIEM solution with very limited correlation capabilities
  • Even though easy to deploy, increasingly difficult to configure for SIEM-related functions

RSA Security

RSA Security Analytics is an integrated set of products that provide Network Forensics, Log Collection, management & reporting capabilities using:

  • Capture Infrastructure
    • RSA Security Analytics Decoder – Real time capture of Network Packet and log data with Analysis and filtering capabilities
    • RSA Security Analytics Concentrator – Aggregates metadata from the Decoder
    • RSA Security Analytics Broker Server – For reporting, management and administration of capture data
  • Analysis & Retention Infrastructure
    • Event Stream Analysis – Correlation Engine
    • Archiver – Long term retention, storage, security & compliance reporting
    • RSA Security Analytics Warehouse – Big Data Infrastructure for Advanced Analytics

Strengths:
  • Great Analytics using Event Log Data & Network Packet Capture
  • Network forensics, Big Data (Parallel Computing) are cornerstones in the SIEM world
  • Tightly integrates with the RSA ecosystem for Threat Intelligence, Fraud Detection, Malware Analysis etc. (each requires separate RSA Tools)

Weaknesses:
  • New Product release from RSA, hence advanced Security correlation support is poor
  • Security Analytics Warehouse is a new capability with very few real world use cases
  • Suited only for large enterprises with need for complex deployment and management resources. Poor deployment options for small and midsize customers

LogRhythm

The LogRhythm SIEM 2.0 Security Intelligence Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.

  • Log Manager – high performance, distributed and redundant log collection and management appliance

Strengths:
  • Well balanced log management, reporting, event management, privileged user monitoring and File Integrity Monitoring capabilities
  • Fast deployment with minimal configuration because of appliance form factor
  • Quarterly Health Check programs post-deployment offer a great after-sales service experience

Weaknesses:
  • Suitable for Security event data only, as Operational data sets cause slowing performance for searches and reports
  • No support for Active Directory integration for Role-Based Access Control
  • Suited best for small and mid-size companies with basic security, regulatory compliance and reporting needs. Not scalable for very large deployments.

A summary scoring sheet for SIEM vendors based on their core capabilities is given below.

Capability                      | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight
Real-time Security Monitoring   | 3.1  | 3.2  | 2.5  | 3.9  | 4.2  | 4.4
Threat Intelligence             | 3.7  | 2.5  | 3.0  | 2.8  | 3.5  | 4.5
Behavior Profiling              | 2.5  | 2.3  | 3.0  | 3.0  | 5.0  | 4.0
Data & End User Monitoring      | 3.6  | 3.5  | 1.7  | 3.6  | 3.5  | 4.0
Application Monitoring          | 3.8  | 3.5  | 1.8  | 3.7  | 3.3  | 3.8
Analytics                       | 2.5  | 2.5  | 3.8  | 4.5  | 3.5  | 4.0
Log Management & Reporting      | 3.5  | 3.8  | 3.5  | 3.8  | 3.9  | 4.0
Deployment & Support Simplicity | 3.0  | 4.0  | 2.5  | 3.5  | 3.5  | 3.0
Total (Weighted Score)          | 25.7 | 25.3 | 21.8 | 28.8 | 30.4 | 31.7

1.0 = Low level of capability
5.0 = High level of capability

SIEM Vendors – Use Cases Score Card

Use Cases              | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight
Overall Use Cases      | 3.2  | 3.2  | 2.7  | 3.6  | 3.8  | 4.0
Compliance Use Cases   | 3.3  | 3.7  | 3.0  | 3.7  | 3.8  | 3.8
Threat Monitoring      | 3.1  | 3.1  | 2.9  | 3.8  | 3.7  | 4.0
SIEM                   | 3.2  | 3.4  | 2.8  | 3.6  | 3.8  | 3.9
Total (Weighted Score) | 12.8 | 13.4 | 11.4 | 14.7 | 15.1 | 15.7

1.0 = Low level of capability
5.0 = High level of capability

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user279666 - PeerSpot reviewer
IT Security Consultant at Rodl Middle East
Vendor

Cost/License should also be part of the criteria, because the capabilities of these solutions depend on how much EPS it is allowed to process. A lot of "events" go down the drain if it's beyond the EPS that the customer licensed, therefore giving an incomplete view of the network. Some remarketers of these solutions have crimped their proposal just to make a sale. Just my 2 cents.
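The comment above (events beyond the licensed EPS being lost) and the Seminole Tribe review (3000 to 9000 messages per second around a 5000 average) describe the same capacity problem. This is an added example, not code from the reviews or from LogRhythm: it models a hard per-second licence cap against a constructed bursty feed, finds the cap needed for a target coverage, and measures the real per-second rate from sample log timestamps. The feed values, the log lines and the hard-cap behaviour are constructed assumptions, not how any vendor actually enforces its licence.

```python
"""Added example: what a per-second licence cap silently drops from a bursty
log feed, and how to measure the real rate before choosing a licence size.
All numbers and log lines below are constructed."""

from collections import Counter

# Constructed per-second event counts (index = second). The 9000 spikes stand
# in for chatty domain controllers; the average works out to about 5500.
FEED = [4000, 5000, 9000, 3000, 5500, 6000, 9000, 3500, 4500, 5000, 8000, 4000]


def apply_eps_cap(feed, cap):
    """Assumed hard cap: events beyond `cap` within one second are discarded.
    Returns (accepted, dropped, seconds_over_cap)."""
    accepted = dropped = 0
    over = []
    for sec, n in enumerate(feed):
        if n > cap:
            accepted += cap
            dropped += n - cap
            over.append(sec)
        else:
            accepted += n
    return accepted, dropped, over


def coverage(feed, cap):
    """Fraction of events that survive the cap (1.0 = complete view)."""
    total = sum(feed)
    return apply_eps_cap(feed, cap)[0] / total if total else 1.0


def cap_for_coverage(feed, target):
    """Smallest integer cap whose coverage reaches `target`. Coverage is
    monotone in the cap, so a binary search over [0, max(feed)] suffices.
    Sizing the licence to the average rate is exactly the mistake the
    comment warns about: the peaks are what get dropped."""
    lo, hi = 0, max(feed)
    while lo < hi:
        mid = (lo + hi) // 2
        if coverage(feed, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def eps_from_log(lines):
    """Count events per second from an ISO-8601 timestamp at the start of
    each line. Returns {timestamp: count}; compare max() with the licence."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts = line.split(maxsplit=1)[0]
        counts[ts] += 1
    return dict(counts)


# Constructed sample log lines (timestamp, host, event summary).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z dc01 4624 logon user=alice
2024-03-01T10:00:00Z dc01 4624 logon user=bob
2024-03-01T10:00:00Z dc02 4769 kerberos svc=http/web01
2024-03-01T10:00:01Z fw01 deny src=10.0.0.5 dst=203.0.113.9
2024-03-01T10:00:02Z dc01 4634 logoff user=alice
2024-03-01T10:00:02Z proxy01 GET example.org
""".splitlines()


if __name__ == "__main__":
    for cap in (5000, 6000, 9000):
        acc, drop, over = apply_eps_cap(FEED, cap)
        print(f"cap={cap}: accepted={acc} dropped={drop} "
              f"coverage={coverage(FEED, cap):.1%} over-cap seconds={over}")
    print("cap needed for 99% coverage:", cap_for_coverage(FEED, 0.99))
    rates = eps_from_log(SAMPLE_LOG)
    print("peak EPS in sample log:", max(rates.values()), rates)
```

A 5000 EPS cap on this feed, the "average" a salesperson might quote, drops about 19% of all events and every one of the burst seconds.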

Rahul Kate - PeerSpot reviewer
Co-Founder at First Defense WLL
Real User
Top 5
Intuitive GUI, easy to set up, and stable
Pros and Cons
  • "The GUI is very intuitive and the solution has good integration."
  • "The built-in functionality of the solution for NDR, SOAR, SIEM, and EDS has room for improvement."

What is our primary use case?

There are multiple use cases for the solution, such as long log formatting, log consolidation, data isolation, malware detection, identifying suspicious attacks, and locating ISU records across the network.

What is most valuable?

The GUI is very intuitive and the solution has good integration.

What needs improvement?

The built-in functionality of the solution for NDR, SOAR, SIEM, and EDS has room for improvement.

The price of the solution has room for improvement.

For how long have I used the solution?

I have been using the solution for ten years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

I give the scalability an eight out of ten.

How are customer service and support?

The technical support is good.

How was the initial setup?

The initial setup is straightforward.

What's my experience with pricing, setup cost, and licensing?

I give the price a six out of ten.

What other advice do I have?

I give the solution an eight out of ten.

The solution can meet the most mature customer's requirements.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
MohamedKarram - PeerSpot reviewer
SOC Manager at Infratech Co
Real User
Top 10
It's easy to use and has improved a lot, but the web and on-prem console should be unified
Pros and Cons
  • "I like LogRhythm's ease of use. The solution has improved compared to previous versions. It had many issues before, like integration, the console, creating reports, false positives, etc. The AI engine has made it stronger in the latest version."
  • "The web and on-premise console interface should be the same instead of having a separate engine for each."

What is our primary use case?

We are consultants providing governance solutions for the banking sector. We have a lot of use cases. We have more than 400 use cases for the client side.

What is most valuable?

Its ease of use is valuable. It has improved a lot from the previous versions. It had a lot of issues before, but now, it's way better in terms of integration, the console part, report creation for use cases, false positive numbers, and so on. Its AI engine is a lot more advanced in the latest version.

What needs improvement?

The web and on-premise console interface should be the same instead of having a separate engine for each.

I hope that they remove the console and have only one GUI. There should be one engine for both the web and the console. They shouldn't have two different engines for each one of them.

There should be easier deployment status, and like Splunk, there should be a more professional way to write the search. There shouldn't be only a drop-down menu. It'll be a good thing to add.

For how long have I used the solution?

I have used LogRhythm for about three years now.

What do I think about the stability of the solution?

LogRhythm SIEM is stable.

What do I think about the scalability of the solution?

LogRhythm SIEM is highly scalable. We have more than nine users working with this solution.

How are customer service and support?

The technical support depends on the technician you get. Some are good, but some aren't. We had multiple sessions with one person for over a year with no results. Other engineers are excellent.

How was the initial setup?

Setting up LogRhythm is complex. It took our team more than a month to deploy. We have a large team in my company because we are working with dozens of clients. Our BS team is almost 15 people.

What about the implementation team?

Its implementation is handled by a different team. We have a very big team in our company because we are working with a lot of clients. Our implementation team has almost 15 people.

What's my experience with pricing, setup cost, and licensing?

There don't seem to be any costs in addition to standard licensing.

What other advice do I have?

I'd recommend LogRhythm SIEM to others. I'd rate it an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior System Administrator at DP Infotech Pvt Ltd
Real User
Top 20
Reliable with good dashboards but needs better alerts
Pros and Cons
  • "It's reliable and the performance is good."
  • "We've had issues with scaling and local support."

What is our primary use case?

This solution's use case is abnormal administrative lockouts, most of the time.

What is most valuable?

I'm happy with their AI in general.

We're able to make useful dashboards.

The initial setup is not complex if you have a bit of knowledge going in.

The solution is stable.

What needs improvement?

We'd like to receive alerts for zero-day attacks in the future. We'd like alerts that offer us better security. For example, if there are abnormal occurrences, we'd like to know right away.

We've had issues with scaling and local support.

For how long have I used the solution?

We've been using the solution for two years.

What do I think about the stability of the solution?

It is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance is good.

What do I think about the scalability of the solution?

We have seven people, admins, who are working directly with the solution.

It's not easy to scale. Sometimes we have difficulties. For example, when doing updates, we cannot depend on our local support. In some cases that we have found, they don't have much knowledge. We have to work on separate tickets for the kinds of issues we have.

How are customer service and support?

We have local support. If they cannot assist us, they do offer in-house support we can use. The first step in terms of getting help would be our local partner.

The issue is that local support sometimes isn't as knowledgeable as they need to be. The solution should work to do more training in order to improve local support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were working on RSA. We switched due to the cost and the lack of local support. The RSA cost is a little bit too high.

How was the initial setup?

The solution offers a pretty straightforward and simple setup. That said, you need some knowledge going into the process.

The deployment itself took about 90 days.

I'd rate it a three out of five in terms of the general ease of deployment as there is some complexity and a learning curve.

There's not much maintenance. We do have to do the updates of the servers and if there is a new release and update, we work on those. For the day-to-day, we try to focus on more log-related tasks.

What's my experience with pricing, setup cost, and licensing?

I can't speak to the exact cost of licensing the product. My understanding is that it is less expensive than RSA.

What other advice do I have?

We are an integrator and service provider.

We are not currently using the latest update.

I'm not sure if I would recommend the solution to others as they still need to improve a few things. For example, support, at least on the local level, is lacking.

I'd rate the solution five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
PeerSpot user
    Global Security Manager at Chart Industries Inc
    Video Review
    Real User
    Top 10
    We bought it simply because it is awesome, it is fast and less expensive than Splunk

    What is our primary use case?

    Our primary use case for bringing on a SIEM in general was the need to correlate our data across dozens of different solutions that were spitting out logs. We got to a level of complexity where it became mandatory.

    How has it helped my organization?

    This solution has been almost like a transformative change in how we detect and then respond to incidence. Quite honestly before, we didn't know what was going on and we couldn't detect anything other than  a random virus that sent an email from our AV solution. For us, it really took off when I was a little onboard the Office 365 logs and then we were able to start monitoring locations of login and we actually detected multiple accounts that were logging in from countries that had no business being there.

    That led to some investigatory work and actually led to some password resets. It was really positive and we continued to detect that type of activity and enhanced the rules, changing here and there. That was a big one for us because we had never even looked at the Office 365 audits because we didn't have a way to do it. LogRhythm brought that in and within a day or two, we're like, "These three accounts are popped and we need to get these guys off the network now." It was amazing.

    We're currently processing about 3,500 messages per second. We have experienced a massive decrease in our mean-time to detect. It's actually hard to improve on nothing. It's hard to get worse than no detection, so we went from being able to like, "Oh, a virus happened," to, "This user went to a weird website. We got that from your DNS logs and then 10 minutes later, their antivirus fired on something." And now we know that we can go over there and triage that system quickly as opposed to maybe not getting the virus log for a day. The other thing is detecting when we think breaches are happening, which is something we just didn't have the capability to do before we brought in LogRhythm.

    When it comes to our security maturity, I was the first person at my company to do security, and the company had been around for 30 years. I bet that started from scratch, and I started where we were bleeding which was our endpoint detection for malware and ransomware. And then be added on more layers. We added on like IPS and we added on a lot of perimeter type stuff.

    While LogRhythm was probably the last component that I have onboarded in like first two-year time frame, it's now the center of the program. Everything feeds into it and that's where I go for just about everything. There are a few solutions that I still have to go out to those solutions to look at stuff but even like from a purchasing perspective, even my IT operations team, my IT applications team, my company asks vendors two questions right out of the gate. Do you have a cloud offering, and do you natively support LogRhythm? And those two are heavy, heavy hitters when it comes to whether or not we're going to put you in the running to buy your software.

    What is most valuable?

    The most valuable features in LogRhythm, honestly for me, the single most valuable feature is the web console. That is actually the primary reason we chose LogRhythm over some of these other solutions because I was able to leverage web console usage across multiple layers of IT, and I didn't have to sit back and teach everybody complex SQL queries. Just that point-and-click interface, it's nice and bouncy and it's beautiful to look at has really driven the adoption of the use of the software. Secondarily, I think another really great feature is the LogRhythm community. And the content that that provides has enhanced our adoption over the years.

    We don't use the full-spectrum analytics capabilities of the SIEM mainly because I'm a lone wolf in running it. It's just a matter of timing and focus. We do a lot of analytics around user behavior although we're not a cloud AI customer yet. We're doing a lot of what they call the AI engine to do user behavioral modeling and we're starting to onboard some network behavior modeling analytics as well.

    What needs improvement?

    It honestly comes back to me for log sources. The time to get support to onboard a log source runs about 18 months, and that's just too long. Like I said, I'm a lone wolf running the system. I don't have a lot of free time to write regex and build out my own policies, and I tend to write bad ones that are very inefficient. It is tough when I get a critical source or when a part of the business went out and just bought something, never consulted IT, and now we have to audit it and it doesn't support LogRhythm or it doesn't even like have a function that gets us the logs. We have a cloud solution where we can't even get the logs out of it. It's crazy bad. But when we do get those logs in, it would be really helpful if we could get a supported log source policy from LogRhythm in a shorter amount of time.

    What do I think about the stability of the solution?

    I have had a lot of trouble with stability, perfect timing. We onboarded way too many log sources on the get-go and overran our appliance's capabilities. And I've spent probably the last 12 months working to stabilize the damage that I caused the system when I did that. It's been a rough year for stability. Even just before I came to this conference, I think I got it finally stabilized. I'm cautiously optimistic that I can take a deep breath and start focusing more on the logs instead of the appliance itself.

    What do I think about the scalability of the solution?

    We've scaled the solution twice. I haven't done a whole lot of like large-scale build-outs. We're still a single appliance. What we did scale was we scaled the memory and we scaled our NPS license and then I added in some external storage. And all of those things went great. We're to a point now where they're recommending that we buy what they call a data indexer separately. My leadership is more interested in moving it to the cloud than buying more hardware, so I'm working to get a POC started up to get it up into Azure and see if we can scale horizontally in Azure as opposed to buying more hardware. I might have a lot more to say about scalability next year.

    How are customer service and technical support?

    Tech support at LogRhythm is one of my favorites. Of all the solutions I deal with, those guys and girls are insanely good at their jobs. And so when we bought the solution, my leadership did not buy professional services to help me deploy it. I did it blind, basically, with the user guide. And I think in the first year, the number was about 75 tickets that I opened in the first year. And they still answer me when I call them, so that's great. And they're very willing to stick with you as long as you need.

    The only challenge I do have with their tech support is the time shift, because their tech support is all based here and I'm on the East Coast. They want to meet at like 5:00 p.m. Denver time, and it's like, "Oh, no. I'm at 7 o'clock, dude. I'm done for the day." One little annoyance, but it's well worth it in the end to get the support that we get.

    The support for log sources is fantastic. It is challenging because you're always going to come up with stuff that you need that is not recognized, and writing my own policies has been very challenging. As far as log sources, the last time I checked on Friday, I think we were at 2,900 log sources. It's a lot for this little appliance.

    Which other solutions did I evaluate?

    When we went shopping for a SIEM, I had come from a Splunk shop. I was very familiar with Splunk, the interface. I like the software, so Splunk was number one on my list. And who was number two? SolarWinds had a SIEM solution that we had played with a little bit at my company, so they were also in the running. And then actually one of my partners talked to me about LogRhythm, because I'd never even heard of LogRhythm before, and so we did a demo.

    And ultimately, it was two big factors. From a Splunk perspective, cost. Cost to build it out and then cost of licensing, it's just unattainable for us. And number two, LogRhythm's WebUI and the speed with which you can run searches in it was hands down my primary reason for going with LogRhythm.

    What other advice do I have?

    I'm going to give them an eight. It's a fantastic solution and I totally support what they're doing and I like where it's going. But there is room for improvement, and there are some pain points and honestly I've had a rough year. That kind of influences it too. It's been a lot of time on the phone with support this year.

    I will tell them what I wish I had known the day I started onboarding logs, and that is when you're looking for a SIEM, put all the features and everything to the side. Go talk to your business people and find out what's important to them, because that's how you're going to know what to bring on initially. And once you know those things that are critical and the things you have to do, then you can evaluate the different solutions to see who has the native support, because we didn't do that.

    We bought it simply because it was awesome and fast and less expensive than Splunk. And then I onboarded 1,500 log sources in a week and brought the system to its knees. And I'm even now today still cleaning up and removing log sources that just bring no value. It's just noise.

    Take the time and plan that out before you even go talk to vendors. Figure out what logs are out there, which ones are meaningful to you and the business and then find the solution that fits best with that.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Avraham Sonenthal - Senior Network Engineer at a government with 5,001-10,000 employees
    Real User

    I am not sure how LogRhythm would be less expensive than Splunk. Splunk charges licensing by the GB of incoming logs. LogRhythm sells an appliance and it has a certain capacity. If you want more capacity you need an additional appliance. Splunk you add additional indexers for free as long as you have the licensing. Also here is a big one: LogRhythm does not give you any documentation to speak of. If you want to know how to use it, you better pony up $5000/user for training.

    That said, LogRhythm is good for highly regulated environments such as banking and health care. They have a huge number of canned reports and known log formats. If you want to gather logs from a lab or a jet engine, LogRhythm is not going to do it. Also, to onboard even a single log source is an involved process that takes a good number of operations.

    It is like the difference between a Barrett .50 cal and a .380 handgun. Different tools for different jobs.

    Systems CSO at a manufacturing company with 1,001-5,000 employees
    Real User
    Case Management allows us to track what we see in the incidents that arise
    Pros and Cons
    • "The alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff. Also, from an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have."
    • "We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades."

    What is our primary use case?

    It's our central security monitoring platform. It's where we bring all of our events together so we can monitor our network.

    How has it helped my organization?

    It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.

    Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.

    In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythm has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.

    What is most valuable?

    From an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have.

    We use the full-spectrum analytics capabilities. We have a number of rules that we've built, and built-in rules that we leverage as well. We've got a whole bunch of dashboards and the like to do the analytics. We definitely find the full-spectrum analytics to be valuable.

    What needs improvement?

    Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the smart responses into the playbooks. That way, we can not only have the playbooks take those steps, but start to automate those steps as well. I think that is really powerful.

    We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    Generally, the stability has been good. We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades.

    What do I think about the scalability of the solution?

    It will definitely meet our needs going forward. We're not a huge shop, so we haven't had a whole lot of problems there.

    But going back to the upgrade issue, in a previous upgrade from 6 to 7, we ended up with some hardware problems, because of scalability, with the software change. The hardware that we had didn't meet the needs anymore. But we were able to get that resolved.

    How are customer service and technical support?

    Technical support is not bad. The lower-level, first-line support is not always great, but if we can get to the right people, then it's pretty good.

    Which other solutions did I evaluate?

    At this point, it's a pretty core platform for us, so we haven't been looking around.

    What other advice do I have?

    We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.

    Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.

    I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence, there's always room to improve.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free LogRhythm SIEM Report and get advice and tips from experienced pros sharing their opinions.
    Updated: March 2024