Coming October 25: PeerSpot Awards will be announced! Learn more

Netsurion EventTracker OverviewUNIXBusinessApplication

Netsurion EventTracker is #13 ranked solution in Log Management Software and #14 ranked solution in top Security Information and Event Management (SIEM) tools. PeerSpot users give Netsurion EventTracker an average rating of 9.6 out of 10. Netsurion EventTracker is most commonly compared to IBM QRadar: Netsurion EventTracker vs IBM QRadar. Netsurion EventTracker is popular among the large enterprise segment, accounting for 56% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 24% of all views.
Buyer's Guide

Download the Security Information and Event Management (SIEM) Buyer's Guide including reviews and more. Updated: September 2022

What is Netsurion EventTracker?

EventTracker by Netsurion is a co-managed security solution that delivers actionable security intelligence that empowers organizations of any size to effectively detect and respond to insider threats as well as advanced cyber criminals.

Netsurion EventTracker defends your organization against advanced threats and streamlines IT compliance management by converging multiple layers of security technology such as SIEM, EDR, UEBA, IDS, and more. Most importantly, we augment the technology with our 24/7 SOC for continual monitoring, threat remediation, and system tuning. With EventTracker, you can orchestrate all the critical capabilities needed to predict, prevent, detect, and respond to cybersecurity incidents. We monitor for anomalies and suspicious network activities and respond with built-in response rules to block or terminate harmful activities. 

Netsurion strengthens your security defenses, controls costs, and optimizes your team’s capabilities to respond quickly with a single end-to-end solution. We increase your efficiency and effectiveness by reducing false positives and enabling audit-ready compliance reports. Netsurion provides a comprehensive, scalable platform for security monitoring, threat detection and response, and compliance – as a software solution, in the cloud and on-premises, or as a co-managed solution that augments your IT team.

Netsurion EventTracker was previously known as EventTracker SIEMphonic, EventTracker Essentials, EventTracker Log Management, EventTracker Security Center .

Netsurion EventTracker Customers

The Salvation Army, The FRESH Market, Pacific Western Bank, NASA, American Academy of Orthopaedic Surgeons (AAOS), and Talbot’s Stores

Netsurion EventTracker Video

Archived Netsurion EventTracker Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
JeffHaidet - PeerSpot reviewer
Director of Application Development and Architecture at South Central Power Company
Real User
SIEMphonic gives us an expert set of eyes on things, and assistance with rules has been a huge time saver
Pros and Cons
  • "I like EventTracker's dashboard. I see it every time I log in because it's the first thing you get to. We have our own widgets that we use. For the sake of transparency, there are a few widgets that we look at there and then we move out from there... Among the particularly helpful widgets, the not-reporting widget is a big one. The number-of-logs-processed is also a good one."
  • "It would be great if they had a client for phones by which they could push a notification to us, as opposed to via email."

What is our primary use case?

It's a system incident and event management platform. The typical use cases that go along with that are alerting and syslog aggregation.

How has it helped my organization?

Their run-and-watch service (now renamed SIEMphonic) has saved from having to hire at least one FTE. In addition, having an expert set of eyes on things and their assistance with rules has been a huge time saver. They've been a really good partner.

We are logging everything from Windows client workstations through our server stack, through important, critical web and cloud pieces, like Office 365 logs and web server logs. The latter would include IIS and Apache. All of that information is being streamed directly into, and assimilated by, the EventTracker product. It seems to be doing the job quite well. Having that visibility into the data is useful. Their interface is simple enough for us to be able to use but advanced enough that if we wanted to do some more advanced queries — which some of their competitors admittedly do a little better out-of-the-box — it hits the wheelhouse perfectly.

We're signed up for their weekly observations, so if they find something big they're going to notify us immediately. But having a management-level synopsis once a week has allowed us to not only replace the one FTE, but also streamline our prioritization of work, based off that data, as well.

What is most valuable?

Other than the log aggregation and alerting, their reports modules have come a long way. But for the most part, we stay right in the wheelhouse of the product to use it to the fullest extent.

The previous version, version 8, had a somewhat antiquated UI. The new version 9 is much easier to use and brings it into the current realm of development. It's very easy, very sleek, and designed relatively well. The version 8 to version 9 upgrade was complete night-and-day. It's significantly improved, and they're putting resources into it to make sure that they continue to stay up to date.

I like EventTracker's dashboard. I see it every time I log in because it's the first thing you get to. We have our own widgets that we use. For the sake of transparency, there are a few widgets that we look at there and then we move out from there. We're into the product looking more at the log information at that point. Among the particularly helpful widgets, the not-reporting widget is a big one. The number-of-logs-processed is also a good one. We call that log volume. They're helpful, but we try to dig in a little deeper, off the dashboard, more often than not.

What needs improvement?

In terms of advanced queries, I wouldn't say EventTracker is lagging behind its peers. The latter just make it easier to get to them. EventTracker is designed more for a small to medium type business, which is where we fit. With a competitive tool like Splunk or LogRhythm, you're not going to get what you get with these guys out-of-the-box. With EventTracker, you're going to have to build all that yourself from scratch. You're going to have to learn that markup language to do so.

I want to stress: We're very happy with not having to deal with that out-of-the-gate. If we need to, we can always call support and they can assist us in writing those more advanced queries. The functionality exists to do advanced queries, they're just not right in your face like they are in a competitive product. But for us, that's what we want.

There's always room for improvement in terms of performance and alerting options. It would be great if they had a client for phones by which they could push a notification to us, as opposed to via email. But those are all things that they'll grow into over time.

Buyer's Guide
Security Information and Event Management (SIEM)
September 2022
Find out what your peers are saying about Netsurion, Splunk, IBM and others in Security Information and Event Management (SIEM). Updated: September 2022.
633,184 professionals have used our research since 2012.

For how long have I used the solution?

We've been using EventTracker for just a smidge over three years.

What do I think about the stability of the solution?

It has been extremely stable. Very rarely do we even realize that it's still running, and that's good.

What do I think about the scalability of the solution?

We did have a few concerns with the scalability in the beginning. Our initial concerns were about scaling it and, if we blew it out, were we going to run into performance issues with their agent piece using too many resources on the client or running out of space on the server? But those concerns proved to be unfounded. We have 700 or 800 endpoints streaming data into it without any noticeable performance or any other issues.

We're using it almost to its full extent at this point. We're in that 90 percent range. We currently don't have any plans to move away from it. We're utilizing the features that pertain to us. Anytime that there's a patch or release, we look at the new features to see if they're applicable for us.

How are customer service and support?

The EventTracker team itself has been great. We can call them for pretty much anything related to their product. They will offer suggestions, advice, and best practices on ways to do things. It's like having another team member here at our disposal, working with their product. I believe that is their standard tech support.

We're paying for the run-and-watch (SIEMphonic) so we're getting an extra set of eyes on things, but when we call in, their support is top-notch. I would give their support team a 10 out of 10. That is a given. Of all the products and vendors that we've used, I've never had a more positive experience with a support team than with EventTracker's support team.

Which solution did I use previously and why did I switch?

We did not have a previous solution. We do annual audits, and the lack of a SIEM showed up in one of our audits as a piece that we needed to start investigating, four or five years ago. We knew that issue was coming. We were too busy dealing with some other things, but when it showed up in the audit, we pushed it up the priority food-chain. We weren't really having any issues by not having a SIEM, but having all the logs in one place sure makes troubleshooting a whole lot easier. if there was an Achilles heel, that was it.

We were looking for an easy-to-manage SIEM that provided the functionality that we needed. Since we're a relatively small IT staff, the part that really made EventTracker stand out to us was the run-and-watch service (SIEMphonic), where they are an active partner, reviewing the data that we get, so we don't miss anything. They're acting as a backstop to us.

How was the initial setup?

The initial setup was completely painless. They gave us a spec sheet for the on-premise server. We built a VM that matched that spec, and they then installed their software and got it up and running. We could be as involved or as uninvolved as we wanted to be; that was our choice. When it came to deploying the client pieces, they worked with us to identify which machine should get it and when. They took care of the pushing of that information out. When we started getting the data in, and it came time to start tweaking the rules, they took the lead on that as well. It really, truly was a painless process.

The deployment took less than a week. We had an analyst at that time who was running point on it. I wasn't even involved. I didn't need to be involved in it at that level. One of our entry-level analysts was able to work with them to get everything caught up.

I and one analyst are involved in the day-to-day maintenance of the application. Our entire IT staff, nine people, uses it for log review and incident correlation. We try to put the information out there for the rest of our team members to use.

What was our ROI?

We have been able to save at least one full FTE. The amount we would have to pay that FTE, including benefits, is way more than what we're paying EventTracker for the annual maintenance. It had a positive return on investment almost immediately for us.

What's my experience with pricing, setup cost, and licensing?

Our cost is significantly less than what it would have been for one of the competitor's products, and that includes the run-and-watch service (SIEMphonic). You can go with one-, two-, or three-year agreements. We pay annually for maintenance on the product.

Which other solutions did I evaluate?

When we acquired EventTracker, we went through an assessment process, reviewing five or six different manufacturers of SIEMs. The frontrunners were the typical players: Splunk and LogRhythm. There were a couple of freeware options out there, but what really set EventTracker apart was their SIEMphonic. That was the big differentiator. We were able to get much more value for our money, and it met all the requirements that we had set out when we started the research.

There weren't really major differences between EventTracker and the other players. Ultimately, SIEMs do the same things. They collect logs, they index those logs, and they make them searchable. There's not really a difference on the surface.

What other advice do I have?

The biggest lesson really isn't an EventTracker lesson, it's more of a SIEM lesson. And that lesson is: It's a lot of data. When you have a lot of data, it's going to take a while to study and learn that data, so you can react appropriately. Not all data is actionable.

Be prepared for the data. Be prepared to know what you didn't know before. And be prepared to weed out the noise from the actual data. That's where EventTracker's SIEMphonic becomes very helpful. My advice would be, if you're going to go with EventTracker, to go with the SIEMphonic service and leverage their support team to get your knowledge up to speed. So far, our experience with their support has been top-notch.

In terms of how we view EventTracker, we're typically just in a browser, so it's on whatever our standard is. I've got a couple of 20-inch monitors on my desk. It's sleek enough that it will work on a normal 15-inch laptop screen too. I have not looked at it on mobile yet, given the fact that it's an on-premise service. If I'm in the building, getting VPN'ed in across my phone is a little tough. But that would be the next iteration of the product, if we would decide to push up towards the cloud instead of being on-prem. We would definitely be looking for some sort of a mobile or a tablet-based mobile interface.

We have not integrated EventTracker with other products. Our service-desk tool is a tool called Samanage, which was recently acquired by SolarWinds and has been renamed Solar Winds Service Desk. We have not integrated anything with that since SolarWinds acquired it, because we wanted to see what SolarWinds was going to do with it. Integrating it into EventTracker is on the list. We'll do it if it makes sense.

I never rate anything a 10 out of 10, because nothing is ever perfect. But this solution would be at the upper end of that range. This partnership with EventTracker has been one of our better ones.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Senior Director, Information Security at a pharma/biotech company with 1,001-5,000 employees
Real User
Enabled us to mature the discipline of operational teams by seeing activity outside of standard practice
Pros and Cons
  • "I like the UI, overall. I like the main page and there are aspects of the search page that I like. When you bring it up on the left-hand side of the page, as you look at the events, the ability to simply hit and click the plus/minus to pull events in and out of the overall view is well done and is very effective from a threat-hunting and an analysis perspective. I like the detail it shows."
  • "Where there is an opportunity for improvement is in the interface used for performing the searches. You have to understand Elasticsearch search too well for the security team to be able to take really full advantage of that part of the product. It's not as intuitive as I would like it to be for new staff coming in. The general query capability is a little bit challenging."

What is our primary use case?

We use it for logging all of our Active Directory activities, including authentication, alterations, and modifications to the AD controls and privileges. We use it for events coming off of both the servers and the desktops. And we also roll in the logs from our various security controls and devices, such as our antivirus tools, backup service, firewalls, the IPS, etc. Those are all rolled back into the EventTracker system. The goal is to eventually start taking advantage of the ability of EventTracker to correlate activity and alert on something that looks a bit unusual that we should then pay attention to.

We get a daily report that they've built, which summarizes all of the activity across all of those areas, on a daily basis for us. The types of log data we import into it include firewalls, server event logs, user workstation event logs, all of the Active Directory activity and authentications, and all of our antivirus logs and our patching service logs.

It's in the cloud. We use their console and we take advantage of their storage. We have them manage our logs and our archivals. 

How has it helped my organization?

The result of the reports on activity and the archiving for research has been that the operational teams are more consistent in the usage of standard practice which, from an efficiency perspective, has removed the need for the information security team to investigate issues that are out-of-norm activities. We are no longer doing an internal incident three or four times a week. We may do three or four in a month. That saved us significantly on the incident investigation side. We have pulled back 10 hours a week, on average, just from the security team. I would contend that it's probably also saved time that I'm not able to measure from the operations team because now they're not remediating things that we're pushing to them, and the user community is getting a more consistent experience from the support teams as a result.

There's this downstream value that I don't think people really think of when they look at products like this: What is the cause and the effect that it has on operations? In our case, it was to improve the efficiency and the consistency of the operations which, in turn, resulted in the user community getting a better experience. It's really hard to measure the user community improving its view and opinion of the IT support teams.

What is most valuable?

The report, each day, of the activities that have happened and the ability to archive and go back and research have been extremely advantageous for us. Examples would be a user having either inappropriately touched a file, or an administrator of the infrastructure altering rights or privileges for a user outside of an approved change-control or approved ticket. We have found that, over time, we've been able to mature the discipline of our operational teams by having the ability to see activity that might have occurred outside of standard practice.

In terms of the log data importing, our data went in very easily. That was one of the things that was appealing to us because the product set we use here for antivirus, single sign-on, the authentication services, and the patching services were all in the supported-product suite. So adding them in was simply getting them pointed over there and getting through the change-control windows.

There are a couple of widgets that I use. One is titled "A Possible Compromise" or "Potential Compromise." I use that because it is generally giving me feedback on the login velocity. I can see people who have authenticated to a system but, geographically, have authenticated to another system, and it's not possible to have done that within the time window that those authentications occurred. I find that it's generally a result of them authenticating to their mobile phones, because you don't necessarily egress the carrier's network from the cell tower you're associated to. In our case, we're in Boston. If you happen to be on an AT&T phone, you actually egress either out of Wisconsin or out of New Jersey. So if you log into your laptop and then you pull up email on your phone, it looks like you logged in from one of those two locations as well. We can dismiss those because we're getting used to what that looks like. 

As a result of that, we have picked up two or three folks who have shared passwords, usually with their administrators. They're traveling, they log in from someplace like Japan or Germany, and their admin happens to log in to help take care of an expense report. We tell them, "You have to stop that." We've picked up a few of those types of events. These are the kinds of things that we look forward to the product giving us more and more of as our usage of it matures.

I like the UI, overall. I like the main page and there are aspects of the search page that I like. When you bring it up, on the left-hand side of the page, as you look at the events, the ability to simply hit and click the plus/minus to pull events in and out of the overall view is well done and is very effective from a threat-hunting and an analysis perspective. I like the detail it shows. It gives some hints.

Occasionally, I'll use EventTracker on my phone because I got a phone call or an alert, but generally, it's on my large panel displays. All of the team has the same setup: multiple, large displays driving off of a laptop.

I tend to like more flexible and detail-structured interfaces. As an example, I don't like to manage my firewalls through the graphical interface. I like to use the command line because it's more granular and it lets me do things a little more quickly. EventTracker has done a nice job in providing both that graphical dashboard and Elasticsearch capabilities. As far as the direct command line goes, I would like there to be a little bit better help in that space. But the fact that they've got both in place is a bonus for the product. As I've learned more about how to do Elasticsearch, it's been beneficial. It's just taking a long time to educate.

What needs improvement?

I like the dashboard. Where there is an opportunity for improvement is in the interface used for performing the searches. You have to understand Elasticsearch search too well for the security team to be able to take really full advantage of that part of the product. It's not as intuitive as I would like it to be for new staff coming in. The general query capability is a little bit challenging.

Once I expand an event I can usually cut and paste out of there into the Elasticsearch side of it to get a broader view. But it's a multi-step process. I'd would like to see them add something that lets me right-click and immediately search to it, instead of having to walk through a couple of windows. When you're doing research on events, that kind of stuff adds up in your day. It's two or three clicks, but when you're driving through a bunch of analyses, that can start to add up quickly. When it's an event that you've got going on and you need to find out what's truly happening, time is of the essence. Anything that can shorten that would be beneficial.

For how long have I used the solution?

We've been using it for just under a year.

What do I think about the stability of the solution?

The only stability issue we've run across would be the log forwarding off of the devices occasionally hanging up. I don't know if that's the EventTracker agent or the server itself, because there are a lot of applications running on those servers. But the console itself, I don't think it's ever been down, other than his patch which we just experienced.

What do I think about the scalability of the solution?

We've done searches going back in the archives all the way to February when we first started, and it surprised me as far as the performance goes. We're not enormous. We're taking in about 3 million events a day. We're about 3,000 employees, worldwide. I don't know that I can give a good analysis on scaling.

It's meeting our needs really well from a scale perspective. We haven't seen a performance issue associated with the volumes we're running with, and we're almost fully deployed. Of the 300 servers, there are only about 10 now that don't have it. All of the 2,500 end-stations have it. It's taking all of that. We're 90 percent where we want it to be with the log sources and it hasn't changed its performance or behavior at all. It has scaled very well so far for us.

Our plans to increase usage are only as we grow. The company has growth plans associated with it, and as new staff comes on and the machines get provisioned, it continues to increase the systems that are feeding to it. We don't have any plans at this point to be putting in any other log sources, other than those we've already identified. I'm thinking of either homegrown applications or unique applications that might generate log files. We don't have anything on the roadmap today for that.

How are customer service and technical support?

The support team was really good. They've got a very good support organization. Everybody we worked with on the phone, as we were doing the initial setup, and even as we've done different support calls or requests for help, has done a lot of work for us, which is terrific as a company. We'll need to figure something out or we'll need help to investigate a problem. We'll put a ticket in and they'll call us right back. They'll help run queries for us, they'll run reports for us for a specific incident. They're a very responsive support team, and that's their standard tech support.

It's a "wow." It's nice to see a company that does things the way they used to be done. I think it's because they feel they've got a good product. The support team is terrific. I've been doing this a long time and it's one of the better support organizations I've run across in the last 15 years.

Which solution did I use previously and why did I switch?

We did not have a solution in place prior to EventTracker. Prior to this, in a company I had been at just before I got here, we used IBM's QRadar and, although we did look at that product here, I found that EventTracker was more appropriate for us.

I don't think that QRadar offered the same robust integration opportunities with logs and it did not offer the same correlation capabilities that EventTracker does. Also, we get a much better licensing structure and pricing structure. It's a much better value for the dollar with this product.

How was the initial setup?

The initial setup was very straightforward. They stood it up, we started pointing log sources to it, and away it went.

They built the infrastructure, the receiving side of things, within a week. We were up and shipping logs within two weeks of the contract being signed.

In our particular case, and it's not a product issue but an operational issue, it took us until June or July of this year to get the logs rolled out or captured from the systems, after we started using it in February. The effective time window is that we've probably only had it for about three months. That was not because of the product. It took us that long to get the logs forwarded over to them.

The reason it took us so long was that we were, at the time, a pre-stage pharma. We didn't have product on the market yet. Just as we were bringing EventTracker into production here, we got approval for our first medication, which changed the nature of our operations from a research community to a fully controlled FDA manufacturing firm, as well. Change-control became a much stricter event. We missed the window to be able to push this out quickly, but it's nice to be commercial.

In terms of our deployment strategy, we had built a timeline or a set of change-controls that went through those several months to start rolling out. At the time we were doing this, we were getting to roll out Windows 10. So one of the first things we did was to build the logging into the core golden image. As Windows 10 boxes rolled out, they automatically started logging. We rolled out doing upgrades from Windows 2008 Servers. We did the same thing and put that into the image. On Active Directory it was pretty straightforward. The servers that were part of production, as far as manufacturing goes, those had to go in very specific windows based on production protocols. 

Overall, we built a project plan out such that every week and every month, from a production perspective, we would have windows where we could start to deploy. That's why it took so long.

What about the implementation team?

We did it internally. It's very simple. There was no need for a third-party or assistance. It was a really easy deploy.

What was our ROI?

The value of a SIEM comes when you are able to detect something and avoid a problem. It is part of that larger "insurance policy"-type function. You never see a return on investment on an insurance policy until it comes time to use it. But we get value from it every day. Do I think that the investment in the product is giving us value for the dollars we're spending? Absolutely.

I look at it this way: If I need a truck to do my job every day, and my job is to haul two-by-fours back and forth between two job sites, do I need the Cadillac pickup truck or do I need the truck with the roll-up windows? They both do the job and they both do it really well, but the value is in the one that has the roll-up windows. It's doing what it's supposed to do. It's doing it well and it lets me retain dollars for other purposes. EventTracker is exactly that. It's giving me all of the features and functions that we need to do our jobs, and at a price point that's incredibly attractive. It allows me to save money and put money into other services to help reduce risk.

What other advice do I have?

It's a simple product. It's a lot easier to implement and deploy than the other SIEMs I've used throughout my career. The advice would be that using it is a good decision. There's no reason to shy away from the product.

From an event-alert perspective, we haven't used them for that purpose yet. That's largely because the current security services we have in place from our vendors, CrowdStrike in particular, provide us a managed event system from the AV side. They proactively manage our antivirus that's on all of our machines and they also proactively remediate the machines. So we haven't felt the need, yet, to take part in EventTracker's alerting of detected cross-events. That will come in this upcoming calendar year. Our program here is only two years old. The security program itself was only in existence for about nine months before we started to engage with EventTracker, and deployment was earlier this year. We're still really in deployment mode.

We haven't integrated EventTracker with any other solutions. We use ServiceNow but we have not made any effort to integrate it. Our roadmap for ServiceNow is to do exactly that and take advantage of that integration capability and have it issue either alert tickets or work requests into ServiceNow for us, so that we don't have to do those manual steps. We are probably a year away from that.

There are two others besides me using it in our organization. They're both security analysts. There really isn't any maintenance. We've occasionally had servers that stopped talking for whatever reason but a reboot took care of that. Generally, what we're finding is it's due to an application memory leak on that server. But it's just working. There is no effort there.

I would rate it a 10 out of 10. The ease of deployment, the support that we receive from them, the dashboard console which I find to be very helpful, are all part of that rating. I would like to see some more assistance in the way that searches are built, but as I've learned how to search, it's getting easier and easier. Overall, it's a well-priced and functionally appropriate SIEM.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Security Information and Event Management (SIEM)
September 2022
Find out what your peers are saying about Netsurion, Splunk, IBM and others in Security Information and Event Management (SIEM). Updated: September 2022.
633,184 professionals have used our research since 2012.
Sr. Information Technology Security Engineer at a university with 1,001-5,000 employees
Real User
Provides a good structure to review logs and is easy to use. However, unless you are using SSDs, the Elasticsearch does not work well.
Pros and Cons
  • "If I were to look at logs manually, there's no way I could do that. As an example, they are 48 million logs processed a day. There is no way I could look at all 48 million of those. So, it gives me a good structure to be able to look at the different incidents which are created and do different searches."
  • "The solution's dashboard is okay. The one thing that we ran into are issues when we upgraded to the newer version. It uses Elasticsearch for the different dashboard entries. So, we were running on spinning disks, and Elasticsearch didn't work that well. A number of the different dashboards, like my dashboard or different things like that, pull from Elasticsearch. Since Elasticsearch really wasn't working, we were having some issues with that, but we just migrated."

What is our primary use case?

We are using it to centralize all of our logs and have alerting on security issues. 

We primarily import Windows systems and Windows Server logs (2012 and 2016). We also import Cisco ASA logs, then Cisco router and switch logs. The import works well. 

How has it helped my organization?

We send the Snort IDS alerts to EventTracker, e.g., high level ones like Ransomware and data leak type alerts, we are sending the Snort alerts to EventTracker. For things like ransomware, data leaks, and data exfiltration, we have higher incident reports created, so then it also gets sent to our email and phone. As an example, this Saturday night around four o'clock, we were alerted to an incident from EventTracker. They got a Snort alert about a data leakage or data exfiltration. It was a false positive, and that is good. But, this is just one way we use EventTracker.

What is most valuable?

It is fairly easy to use. I am mainly just a one man shop. I look at EventTracker about once a day as far as different incidents and stuff goes. I don't have enough time to be tweaking all types of different things. It is a fairly easy to use as far as the UI goes.

If I were to look at logs manually, there's no way I could do that. As an example, they are 48 million logs processed a day. There is no way I could look at all 48 million of those. So, it gives me a good structure to be able to look at the different incidents which are created and do different searches.

What needs improvement?

The solution's dashboard is okay. The one thing that we ran into are issues when we upgraded to the newer version. It uses Elasticsearch for the different dashboard entries. So, we were running on spinning disks, and Elasticsearch didn't work that well. A number of the different dashboards, like my dashboard or different things like that, pull from Elasticsearch. Since Elasticsearch really wasn't working, we were having some issues with that, but we just migrated. We just got a new fan, which is all-flash. Last week, the server was migrated from spinning disks to the new flash. Now, we have moved from hard drives to SSDs, and Elasticsearch is working a lot faster.

EventTracker's UI is okay. There are some issues that I have ran into. Some stuff doesn't display on different browsers, which you think would. You think you are missing something, and you actually are. If you use a different browser at work, it works differently. That is sort of frustrating. The big thing is they have a newer version or something out other than a new update to version 9. I don't know if they're on version 9.1 or 10 (or whatever). We weren't going to update until we could try to get the Elasticsearch capability (which we now have) and migrate over to the new SAN thing. 

There are a couple things that we had to tweak. One of the other things is we are getting DNS and DHCP logs from servers, which we thought required a different Microsoft hotfix, but it didn't. EventTracker's documentation wasn't current. So, it took a little while to get the DNS and DHCP logging figured out. Once we finally got it figured out, we got those set.

The searching capability has room for improvement. I know they are working on it. They have Microsoft SQL, then Elasticsearch, and it's hard to determine when I am searching what exactly it's searching through, as there is the Elasticsearch archive thing, RAID and the Microsoft SQL searching, and some like cache search things. So, there are about three different searches, and sometimes it takes a bit of trial and error to figure out what information I am actually getting.

Users need to be on SSDs in order for Elasticsearch to work well.

For how long have I used the solution?

We have been using EventTracker for about five or six years now.

I use it on a desktop machine with a wide screen, like 20-inch monitor.

What do I think about the stability of the solution?

It's okay for what it does. They're trying to add more different capabilities. One thing that I will be interested in, when and if we upgrade to a new version, would be the different types of alerts offered. They do have some different type of prebuilt alerts. The big thing is it's hard to know what things EventTracker may not be alerting on. They do have the behavior correlation part, but when I looked at that, it was using Elasticsearch. Since our Elasticsearch wasn't working that well, this was sort of problematic as there are a bunch of different false positives and stuff.

We sort of knew there would be issues when we did the upgrade because of Elasticsearch and our spinning disks. The searching isn't as easy as it could be, as far as the three different search things that you can do. 

This is same with the different dashboards, as related to Elasticsearch. If we were to implement a brand new version and didn't have the hardware already, we would say, "Okay, we'll wait until we get the SSDs." But, we sort of earmarked a server. The hardware was on the old EventTracker. So, when we did the upgrade, we knew it was going to be an issue, but we didn't know how big of an issue it was going to be.

What do I think about the scalability of the solution?

I know it's been working well for all the different log sources and stuff that we've been throwing at it. The big thing is we just have it on one big virtualized box. So, we haven't really had any instance or need to scale it beyond that.

I'm mainly the only user. My boss will occasionally use it when I'm out of the office, or something like that, but it's either going to be him or me.

We have it pretty much on all of our servers, firewalls, and routers. The big thing is we have a 500 license count. So, we have a number of different other switches and stuff which would be nice to be able to get logs and stuff from. At the same time, we are getting close to hitting up our 500 license count. Therefore, we're trying to figure out where we need to go as far as what systems are a must-have and what systems are a nice-to-have type of thing.

How are customer service and technical support?

I find EventTracker support to be quite helpful. They have been quite responsive whenever I've had any issues. For the most part, they have been good to work with. There have been a couple times where there have been some issues that have taken a bit of time to try to get resolved and figured out. However, that is sort of par for the course for different products.

Which solution did I use previously and why did I switch?

Before EventTracker, we did use another solution. I think it was a Symantec SIEM, but they discontinued it. So, we were looking for a different solution. 

How was the initial setup?

The initial setup was several years ago, so I don't remember too much about it. The one thing that I do remember is there was like a database account that needed to be created, and there was some back and forth on that aspect. So, it took a little while to set up and get going.

Initially, we got it up and running, then we were going to deploy the agents on some noncritical servers to make sure that the EventTracker agent on the servers worked properly with collecting logs. 

What was our ROI?

In the security space, it's hard to quantify your return on investment. So, I don't. We spend about $40,000 a year and so. It's hard to say if the SIEM saved that much money.

What's my experience with pricing, setup cost, and licensing?

When we first got the EventTracker product, we were using SIEM Simplified. At the time they didn't call it that, but it was more of a service thing. So, there was a bit more hand-holding and getting stuff set up, along with failure reports, that they did during the first one to two years. Then, we decided that the the additional money to have someone do these daily reports wasn't terribly useful, so we discontinued that service.

Licensing is interesting. By doing it by device, in some aspects, that can work to your advantage, and in some aspects, it can't. 

There are different licensing models. Back in the day, it used to be events per second and trying to figure out the number of events per second during the year that all of your devices are generating. If you didn't necessarily have a solution in place to begin with, this was a little frustrating. You might add another device and all of a sudden your events per second shoot up quite a bit. With a number of system-based licenses, it's been good. The big thing is is when you get up on that license account, do you continue to add additional licenses or start removing some systems that may be not as critical as others? Like, do we need to be getting logs from different Windows test servers out there? Ideally, yes. But it all depends on the pricing.

EventTracker's subscription-based model is interesting as far as yearly license type stuff. It's nice because you know what it's going to be next year. We haven't really looked at any other solutions. The pricing at the time compared to the other solutions was a lot less. A couple of years ago, we actually looked at Splunk. The amount in Splunk's licensing model is based on 20 gigs a day, or something like that. Based on our number of logs and stuff that we were already generating, the costs would be substantially more for the amount of logs that we would be getting.

Which other solutions did I evaluate?

We looked at a handful of different solutions out there. When we were looking at SIEM solutions out there, we were looking to replace Symantec. We were looking at Arctic Wolf, EiQ Networks, Secureworks, and Trustwave.

The primary reason we went with EventTracker and the SIEM Simplified service was the CIO wanted something that was a 24/7 monitoring type of thing. That's why we went with that service. But, when we found out at the time it really wasn't 24/7, and we wanted 24/7 monitoring from more of a SOC/NOC type of thing. The EventTracker support said, "We do have that." However, that wasn't necessarily the case. It was primarily an eight to five type of thing. Supposedly, in the last couple of years, they have changed it, and it is more of a SOC/NOC type of thing. 

This was one of the reasons: We were looking for a hybrid approach. Basically a SIEM that we could have on-premise where we could have someone else monitor when I was not in the office. EventTracker was able to create the different alerts and stuff like that. So, when I'm not in the office, I get alerts generated. However, we wanted some more active monitoring type stuff.

What other advice do I have?

I would rate the product as a seven (out of 10). 

We don't use the dashboard widgets, but we are planning on it.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Network Manager at a energy/utilities company with 51-200 employees
Real User
I no longer have to constantly monitor equipment or logs; I get heads-up notifications immediately
Pros and Cons
  • "I really appreciate the fact that the dashboard breaks everything down into a pretty easy view for me... It shows what changes are happening to privileged user accounts, access and identity, what's cropping up. It shows application activity and whether we've got system resources that aren't online and being found anymore. It's a pretty simple, easy, quick hit and there are the supporting logs behind it. If I need to drill down further, I can do that quickly. It's very effective."
  • "Probably the biggest thing is just: Can I search for this and what's the best way to do it? If I'm looking for two events versus a singular event, I just throw it back at them. They're the experts on it."

What is our primary use case?

We were struggling at the event level, like a lot of people do, in terms of centralized event management and notifications. We just did not have a single pane of glass where we could see events, potential issues, all on a fine thread of a timeline to compare across our enterprise. We needed to know: Is there anything else going on at the same time?

We use it extensively. Every product that we have on our network is tied into it. That's been huge for us. The thought process was, "If we're going to put it in place, we want every end-point out there to be cycling through logs or have syslogs pulled into EventTracker. Otherwise, it just didn't make sense. We wanted to have eyes on every device out there.

How has it helped my organization?

It's come in tremendously handy. We've had small incidents crop up that we've been able to isolate immediately or dig further into because of this. Without that "full-glass" look at everything we've got going on in our environment at a particular time, we would be chasing our tail a little bit: "What's happening here? Do I need to go look here? Do I need to go look there?" The ability to pull those logs in from not only all of our desktops, all of our servers, all of our appliances, but from anything else that could be logging an event, has been tremendous for us.

It has limited the time that I've had to spend combing through any device and syslogs. For example, firewalls: I'd be looking through events to try to find out if anything looks abnormal. EventTracker not only does centralized tracking, but it does a fair amount of behavioral analysis as well. It tells us: "Hey, here are events we haven't seen before." It even calls to my attention processes that are new, including unsigned processes that we need to be aware of in our environment. We also utilize their Snort plugin on the front-end. It indicates traffic that's coming in that we might want to be aware of.

We tend to start blacklisting and block-listing a tremendous amount of external IPs based upon things that the solution sees on the outside. Those could just be events hitting our firewall, but unless I'm sitting there watching my firewall on a continuous basis, I'm probably going to miss a lot of them. EventTracker is collecting that and pulling it all into a quick and easy notification. On a daily basis, I get that report to rehash: "Did you see these things? Are these acceptable? Here's behavior that we haven't seen before from this particular user." It makes me aware of things so that I can validate. It gives me a good check and balance on what we have going on in the environment and what they're seeing through a collection of event logs.

Because we've been using it for so long in our environment, I've pushed my daily duties onto other things. I've moved into other areas since I don't have to constantly monitor this equipment or the logs or check back on things. It's probably cut down 50 percent of my workload, in terms of tracking and watching and trying to play a little bit of triage after the fact. It's giving me heads-up notifications immediately. Then, as we hash back through things, either on a daily or monthly basis, we're looking at what it's finding and what we are missing. Are there things that are still cropping up that haven't been taken care of that maybe slipped through the cracks? It's not only cut down a ton of my time but even our staff time which used to be spent watching and maintaining logs on various products.

What is most valuable?

The solution is on-prem and we also utilize them for fairly full, managed services. They do tend to babysit it quite a bit. We get daily reports that they piece together for us which walk through everything that they're finding and seeing. And we sit together in a monthly service call to walk through what they found over the course of the month, just to compare notes. We backtrack and check to make sure that nothing stood out and that we didn't miss anything or to hear if they've got any concerns or questions. They're putting in the time on a daily basis for us on that. 

Another valuable feature is that we've tied it into pretty much everything that we have. We've got it tied into our Office 365 and it's helping us monitor even the spam garbage there, the consistencies or the abnormalities on the spam. We've got it tied into our firewalls and into just about every appliance we have as a front-line or an in-between, including VPN and the authentication that is coming through there. It's also tied into anything that's cloud-based. We might tie into IIS logs, our antivirus logs. It's huge that it gives us that single dashboard overview of events happening, all at one time. It's been, tremendous for us.

I really appreciate the fact that the dashboard breaks everything down into a pretty easy view for me. I can pass it along, not only my boss, but to senior management, if needed. I can show them what activity is being monitored, what types of incidents there are and the type of risk, if there is one. It shows what changes are happening to privileged user accounts, access and identity, what's cropping up. It shows application activity and whether we've got system resources that aren't online and being found anymore. It's a pretty simple, easy, quick hit and there are the supporting logs behind it. If I need to drill down further, I can do that quickly. It's very effective.

I just want to know what's going on on the end-points. If anything gets flagged, if anything's out of order, chances are pretty good we're going to get it flagged on a couple of systems, whether it's a desktop for a firewall or an outbound request. It might get flagged on our AV, but at least I'm seeing it across all of those systems at a given time. So I really appreciate having that single location to look for any event that might be something which warrants a little bit more work.

I don't play around too much with the dashboard widgets, the stuff that's built-in. I get a daily report and, based on that, if I need to, I'll dig into it. So I don't customize things too much. I go back through things on a monthly basis as well. The dashboard is an easy enough layout and I've gotten used to using it or digging down deeper so I don't really change much in there.

In terms of log importing, I've never really had any problems with it. Everything that's a syslog is a pretty easy tie-in and pull-through. Anything else that's agent-based, like a desktop, we've had very few problems with. Microsoft's Direct Access, their direct-access, always-on VPN product was a little bit of a tough one that we had to work through to get those to pull across. But overall, the agents seem to be pretty stable, pretty efficient. They're pulling through everything that we need at this point. Anytime we've pulled in, whether it's an antivirus product - we've gone through a couple of them - various appliances, even Office 365, it has been very well-versed on all the major brands out there. If we want to pull those in or pull in the syslogs or pull in those events, we've never had an issue.

What needs improvement?

They haven't had to fixed much, but we have come back to them with requests for very specialized reporting. Something that's not canned. We might be looking at a particular functional area where we want to track specific data or specific login times. If I were to put in the time it be easy to do or it might take me a little while. But these guys can roll it back to me so quickly that I don't think twice about throwing them at them and asking for a report or a particular search. Probably the biggest thing is just: Can I search for this and what's the best way to do it? If I'm looking for two events versus a singular event, I just throw it back at them. They're the experts on it.

Right now I simply can't think of anything that we're lacking. I don't have much to throw back at them at this point. 

That could change as everybody's continuing to move towards a cloud product or with the cloud products themselves, all the services which we're slowly moving toward on the cloud. We're an Office 365 tenant right now, but I can see that over the next three to five years that's going to continue to increase. I'm excited to see how they can continue to structure their product to help us take advantage of the viewing, the monitoring, and the tracking of those products. Until we get to that point, I just don't know whether they've got everything we need, or if there will be things we will need to ask for that we simply didn't require in the past.

For how long have I used the solution?

We have had EventTracker in-house now for a good five years.

What do I think about the stability of the solution?

The stability has been very good. 

The only time we might have had downtime was based on our requirements where we were moving to new hardware. That doesn't happen much now because we're virtualized. But we tend to archive a lot of the data so we've moved that backend data store a couple of times. They'll either walk us through it, or they'll just take care of it if we don't have time for it.

In fact, later this afternoon we're doing exactly that. We're moving off of an older SAN to a newer SAN. We'll disconnect the old SAN, validate that all the data is flowing the way it should be in the searches and that the search capability against the archive database is still valid. Overall, it's really pretty simple.

What do I think about the scalability of the solution?

We're small. I'm assuming that the scalability would be no problem given all the other feature sets. When we've brought things on board, we've never had an issue. I don't know how large this scales or of any limitations to it. The backend data might be just what you have available. I've never been too concerned with it because we don't scale up really large. We're pretty stable as far as the number of devices goes, internally for us. I don't see that really changing much.

Most of the devices or products that we've talked to folks out there about have syslogs of some sort that we can point back. That's what we plan to do. I don't even know where that's going to go at this point, but I know that as we move into the cloud space, but I want to continue to tie that into EventTracker. I want to make sure I've got eyes on everything that we're communicating with.

How are customer service and technical support?

The support group is tremendous about asking me if there is anything else I want, is there anything more they can do and, and I'm left a little bit speechless. I've asked for various reports or can we have something else tracked individually. That's usually a pretty quick turnaround. Their support has been very good. We've got a great relationship. They do a great job of checking back to make sure there's nothing we're missing.

I'll email their main group. I have some individual contacts and I'll reach out to them occasionally, if I need to. Typically, I try and go through their main security operations center. I get the daily email from them, and that's who I would reply back to.

If I've got a request, for example, if we're shuffling around some backend databases, something we've got to move off of a backend SAN to a new SAN, I'll just reach out to them. "Hey, we're looking to do this." Response time from them is pretty quick. We have had emails back and forth within 15 to 20 minutes.

They're very easy to get ahold of. Their security center might be maybe in a different time zone, but I've never had a problem, here in the Central Standard Time zone. Anytime I've reached out to them, I've always gotten a response pretty quickly.

Which solution did I use previously and why did I switch?

We did not have a previous SIEM. That was a very big push for us. We realized how little we had in the way of eyes on all of our products, unless we did a manual, individual triage. And even then, it was pretty limited. We knew we had a huge blind spot by not putting in a SIEM. It's been phenomenal for some of the small incidents that we've had crop up. It's been fantastic.

How was the initial setup?

The setup was actually quite easy as are the upgrades and the patches that we go through. The initial setup was a pretty simple walkthrough on their part. We bundled that in as part of the product when we purchased it. The agreement was that they'd do the setup themselves but we wanted a walkthrough as well so that we had some knowledge here. We didn't want them to just set it up and do a hand-over-the-keys deal. So we stepped through it together, which really means I did a lot of watching as they were doing a lot of the setup. 

We walked through it through a WebEx. I had the server side set up on our side. At that point it was just a matter of them leading: "We're going to go here. Where's your data storage? Tie that in, install." 

Out-of-the-box it was pretty straightforward and easy to use. We started pulling in all the clients as we pushed out the agents to the desktops; that was pretty easy. It was non-intrusive to our users, which is a big deal. We didn't want it to intrude on anybody. In fact, when we push out agent updates to desktops - it doesn't happen that often, maybe once or twice a year - those agent updates are seamless. Nobody's aware that that has even taken place. 

If you want to do it, they'll certainly help you through it. If you want them to do it, they'll allow you to just watch what their process is in case you want to do it the next time.

Our company has about 225 end-users. We obviously have more devices than that, but not more than about double that. In terms of deployment, it was just me involved from our side. 

We had things up and running within half a day, when we started doing a little bit of discovery and collecting. After a couple of days of letting it run through the system and doing discovery we found, "Those are the pieces that we've missed. Yeah, we're going to add this or that in." Now, we tend to roll through one-third or one-fourth of our desktops on an annual basis. We'll do the discovery - the agent installs pull those in. It requires very limited staff time on our part. Our helpdesk now installs the agent as they roll out a desktop, which is pretty easy. We pull it in, I validate. There's not a lot to it.

What was our ROI?

It has its value, especially when I can say that it's taken over what I was spending about 50 percent of my time on. Not only has it eliminated the need for me to spend time there, but I can put that time to use elsewhere. It's absolutely well worth it.

I'm not really the money guy or the budget guy, so I couldn't tell you from a dollars and cents standpoint, but return on investment just for my time alone over the last five years has been tremendous. I no longer spend that daily time - I don't want to say "wasted time" - but it used to take me a tremendous amount of time to sit there and try and play catch up on logs, looking for events and trying to track things on my own. That's been massive. That's been tremendous, not only for me but for the company. It's been well worth the money so I can put my time somewhere else.

What's my experience with pricing, setup cost, and licensing?

I don't know if the pricing is by the seat but we're paying about $20,000 to 25,000 a year. On top of that, we pay for the managed support services. That runs us about another $35,000 or $40,000 a year.

Which other solutions did I evaluate?

At the time, EventTracker was one of the few that did a bit of that behavioral analysis. There was another one, the name escapes me right now. But it was the only other product that I felt was in the same quadrant, as far as feature sets and the behavioral analysis go. We did not evaluate very many.

What other advice do I have?

They are a fantastic team. I would stack them up against anybody. If anybody asks us what we're using for a SIEM, I'd say that this is what we're using. I highly recommend them.

Stack it up against some of the other products out there. At the very least, know what you're looking for. Or, if you don't, throw it back at EventTracker and say, "We're looking to do this, can your product do it?" Let them know what you're looking to gain from this.

We started out in the same boat: "Well, why would we use you guys versus somebody else?" We had a defined requirement, that we wanted to have centralized event and incident management, and that's exactly what we got.

You need to find out if it's going to match all of the various appliances and the OS you have. Is it going to be able to pull in the syslogs? What type of products do you have in your environment? Are you pulling in Cisco devices? Whatever your firewalls are, make sure that they're matching up. I had no doubt in my mind that they were going to match up to everything in our environment, right upfront, as we gave them the list and we did that self-discovery. I think that's part of it was the workbook process. What are your devices? How many are there? What are you using for mail? What are you using for backend storage? What do you have for databases? What are the products on your network? Make sure it matches up.

I have no doubt that they'll match up well with everything out there but make sure that whatever is on your network that you want to monitor, that those specific vendors and those devices match what they can track and log events against.

Every month, when we do an assessment they ask what more they can do. Until something crops up that leaves us a little bit blind or unsure, I really don't know what they're not giving us at this point. We haven't started looking at any other products to fill any gap. I don't have a laundry list of anything I'm waiting for them to come back with, whether it's a fix or a feature.

I'll do a lot of event searches myself, more out of curiosity than anything. I might chase something down if we get a flag or notification and look for what else is taking place around that event, to get a clear picture of why it was flagged. Was this something that we brought into the environment? Were we installing something at the same time that something was flagged? What was going on? So I tend to go into the event searches a lot and the managed devices, looking for non-reportings. Those are probably my two biggest hits.

When it went from version 8 to 9, the UI changed up a little bit, so it took a little bit of getting used to. They did provide not only some on-call support to walk through things as I was asking them questions: "Nope, that's here," or, "Give this a try." They also had some pretty easy tutorials to walk through. I've done that a couple of times just to refresh myself as far as where things are. But, like I said, because we tend to lean on them for a lot of the managed side, I don't dig into it as much as I used to when we first got started with it. It's been huge just to have them a phone call away or at arm's length to say, "Can you guys take a look at this, or do this, or verify this for me?"

Typically it's just on my desktop at work. If I'm taking a look at the dashboard, I might pull up user devices - what's not reporting in. That's a biggie for us, especially as we roll out new devices and we're getting agents out on those devices. I want to make sure that they're being pulled in correctly and that I'm seeing logs. I may take a look through some of the threats, but again, their support does such a great job of combing through all the threats and kicking out any notifications to me that I don't spend a lot of time in there.

In terms of integrating it, we haven't tied EventTracker back into anybody else. At this stage, we're tying everybody into EventTracker. As we start to move into more of the cloud space, there may be some of those cloud-authority services that this may tie into. We haven't gotten to that point yet.

The biggest lesson I've learned from using it is that I think we'd take a huge step backward if we ended up losing EventTracker; whether it's EventTracker or a SIEM product of that caliber. We're part of critical infrastructure and the threats against that infrastructure have increased a tremendous amount over the last five to seven years, whether it's on the network side or the OT side.

Having the eyes and ears to be able to manage and monitor those types of events against us, in our industry, is massive. Being under a constant threat, like everybody else out there, we want to know what we have, what's in our system; we want to know where the abnormalities are. We want to see the events on a daily basis. You have to track them. You have to be proactive. You have to take some action on those things on a daily basis. Having this in place gives us the ability to see what's going on, on a daily basis, on all of our systems across the enterprise. That's massive to me.

I would absolutely rate EventTracker a ten out of ten. I love it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Assistant LAN Administrator at a non-profit with 10,001+ employees
Real User
Notifies us about disk space as well as event log errors we need to look at
Pros and Cons
  • "The most valuable feature is that we get the events: the alerts about disk space and the security reports that we get once a day, including user lockouts and the like."
  • "I would like to see the dashboard come up more quickly."

What is our primary use case?

We use it for Windows event logs, disk space, and other alerts.

How has it helped my organization?

It gives us a heads-up about the disk space and any errors in any event logs that we have to look at. There are times where that saves us time.

What is most valuable?

The most valuable feature is that we get the events: the alerts about disk space and the security reports that we get once a day, including user lockouts and the like. The reports are fine the way they are.

The dashboard is also fine. We haven't configured the dashboard widgets; we just basically go with the default that was there. The dashboard helps by organizing things for us.

Overall, the UI is very helpful. It's user-friendly and relatively intuitive.

What needs improvement?

I would like to see the dashboard come up more quickly.

For how long have I used the solution?

I've been using EventTracker ( /products/eventtracker-reviews ) for about ten years.

How was the initial setup?

The initial setup was straightforward.

What other advice do I have?

Overall, it's very straightforward.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Consulting Engineer at a tech vendor with 10,001+ employees
Real User
We can search all event logs and domain controller security events
Pros and Cons
  • "The product satisfies our compliance, and thus, all of our auditors. All of the data that we use and store for all security events is required by our auditors to be kept in a central storage location."
  • "If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events, historically."
  • "The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open."

What is our primary use case?

We are using it for audit compliance. Because when we have audits, we are required have a central event log storage location. If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events, historically.

How has it helped my organization?

It was purchased so we would be in compliance. That is our main reason, and it works very well.

The product satisfies our compliance, and thus, all of our auditors. All of the data that we use and store for all security events is required by our auditors to be kept in a central storage location.

EventTracker provides a great place to do our searches for certain types of events. We can go there, run the search engine, and it runs extremely fast, especially compared to the version that we previously used. E.g., instead of connecting to each individual domain controller to search events, we can go to one location.

What is most valuable?

We can search all event logs and domain controller security events.

The dashboard is laid out very well. I handle all the group policy compliance settings, and I get to play the bad guy who locks everybody down.

The UI is fairly good. I have a laptop that I use to connect remotely. I use the simple console, which is sitting at work, and connect to it directly.

What needs improvement?

The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It is very stable. The product has been very smooth to work with recently. I am extremely happy with the way that it is right now.

We have had issues with it in the older versions (7.2). Because of our number of events that we generate, it used to stall and take a long time to do searches. Once we upgraded to 8.2, it pretty much resolved those issues. It was around 2015 when we upgraded.

What do I think about the scalability of the solution?

I have not seen any issues with it scaling. 

We have close to 40 users in our organization: security administration, help desk, and sysadmins.

How are customer service and technical support?

Usually whenever we call the technical support, it's a big issue. I've not had any problems with them. They have been very responsive.

Which solution did I use previously and why did I switch?

For the compliance, this is probably one of the first product that we got for our Windows side.

What was our ROI?

EventTracker has increased the productivity in our organization.

What's my experience with pricing, setup cost, and licensing?

The upfront costs have increased, and we have been locked into this contract. The cost of changing over from it is way too high.

Going forward, we have to get more licenses for our domain controllers.

Which other solutions did I evaluate?

We are always evaluating new tools. We decided on Netsurion because of its UI and ease of use. My team agrees that the solution is reliable and easy to use.

What other advice do I have?

Get the preferred support. This is for the guy who uses and maintains the back-end of the system. Because if you don't have your firewall configurations configured correctly, you will need to have that support.

All of our domain controller event logs are consolidated and stored on the server. Right now, we are sitting at 101 domain controllers, which is way too many. However, this was one of the main reasons why we purchased it, and it is performing well. The product version that we are on right now is much faster than the version that we were previously on.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Geremy Farmer - PeerSpot reviewer
Information Technology Coordinator at Magnolia Bank, Incorporated
Real User
Gives us a picture of our network environment, including VPN access and real-time alerts
Pros and Cons
  • "The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in."
  • "There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, but which requires a solid-state hard drive... Depending on how many logs you have it could take a long time to return the results if you're looking back prior to the last 30 days."

What is our primary use case?

We use it to monitor our firewall logs for all of our locations, all of our network logs, and alerts. We also monitor any new users added to the network or who are locked out, any new installs or uninstalls of applications on servers. And we have reports generated for any types of processes or hashes that have been run on computers or servers.

How has it helped my organization?

It gives us a real idea of our network environment, VPN access, alerts and more. We are able to identify where we're getting scanned externally from potentially malicious IP addresses. We can react to those a lot quicker than we could previously.

EventTracker has increased productivity and saved us time, absolutely. We would have to hire a full-time person to review logs if we didn't have EventTracker. I get daily and weekly reports that I review within an hour or two, each day, versus having to go look at logs on each machine. It would take me three or four times as long to review all those logs if they weren't all in the same dashboard report or alert.

What is most valuable?

The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in. We can resolve the issue a whole lot quicker than waiting for the user to call us and figure out that they're locked out of the network or need some assistance with their password or the like.

The system's UI is pretty good, intuitive, and user-friendly.

EventTracker SIEMphonic has been a good add-on piece because doing all the logs can be time-consuming. Having a nice, weekly summary report, and the supplemental logs with them, in the event that you need to dive in any further, is helpful. Having somebody else reviewing those logs as well, on their team, is very helpful and beneficial to us.

What needs improvement?

There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, but which requires a solid-state hard drive. So we have upgraded to the solid state hard drive, but we are waiting for them to migrate over to the new drive, and then we'll see if our search results improve. Depending on how many logs you have it could take a long time to return the results if you're looking back prior to the last 30 days for, say, auditing purposes.

In other areas, it meets or exceeds our expectations.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's really stable. It's pretty low-maintenance, once you get it set up, as long as the server that it's hosted on is up. We haven't really had any issues with a system problem with EventTracker since we implemented it.

What do I think about the scalability of the solution?

It's definitely scalable. You can get all the way down to endpoints. They support multiple devices, applications, different firewalls, desktop, laptop. You have the ability to add in those logs. We have chosen not to do that at this time because we're mainly concerned about our servers and our domain, and it captures a lot of those logs. We have some offices that don't have a domain. For them, we just get their firewall logs because we are not too concerned about their individual workstation logs.

How are customer service and technical support?

They are very responsive. They're monitoring stuff as well, with that SIEMphonic piece. They're monitoring your logs and if there's anything you have deemed critical, they're making you aware of it, to make sure that you're aware of it. They do a really good job of following up and trying to do as much as they can to assist you in any way possible.

Which solution did I use previously and why did I switch?

We did not have a previous solution. They had already purchased this product before I came into the organization. There are a couple systems out there where people have reached out to me throughout the years and said, "Will you do a demo or evaluate our system?" But in my opinion, there's nothing that really stands out that would make me want to leave EventTracker. 

Even cost-wise, if somebody is cheaper - and I don't believe that they are - it's not significant enough to make that change and go through that whole design and implementation process again, just to save a little bit of money. We are familiar with EventTracker and we're getting the good service that we expect. We really don't have any desire to go with any other vendor at this time.

How was the initial setup?

The initial setup is complex. It really depends on what alerts and reports you're looking at and what you want to filter it down to. It really depends on how much data you're looking at capturing and how to get that configured, working with their team on getting that configured for you. It was a long process from start to finish.

Now that it's in place, there are hardly ever any issues or any hiccups with it. But the initial setup can be a little time-consuming. You have to make sure you have adequate time if you're going to implement SIEM or an event-log correlation system.

Our deployment took a good 60 to 90 days from start to finish, working through all the reports and filtering it down to what we wanted. That included our firewall logs and deploying it on all the machines.

We really didn't have an implementation strategy at that point. We were just trying to get it implemented as quickly as possible on our domain server. Then we expanded it to all of our servers inside our network and then all of our firewalls.

What about the implementation team?

They provided assistance and they do with that SIEMphonic piece. We purchased training from them and then worked with them directly on what we wanted configured and how to configure it. They did most of the heavy lifting of actually configuring the reports and all the alerts. If you want filtering you can ask them, or you have the ability to go in there yourself. I personally don't have a lot of time and resources to do that, so using their staff and the resources has been very beneficial.

Overall, they are very professional and good to work with. Some of their trainers were difficult to understand, as there was a language barrier. Some other staff from outside of the US, some of their training people, the technicians who provided training, were very difficult to understand. Others were not hard to understand. It was a case-by-case issue. But we did have some issues with trying to understand them during the training. We expressed our concerns and, of course, they addressed that. It was a process we worked through.

What was our ROI?

We have absolutely seen a return on our investment in EventTracker.

What's my experience with pricing, setup cost, and licensing?

The solution is fairly expensive, but in my experience, all of the SIEM applications that I've evaluated or looked at cost about the same. It's just what a system like that costs.

Which other solutions did I evaluate?

I've looked at AlienVault. That's the only one that I can recall looking at extensively. But cost-wise it really wasn't worth it to us to switch to that system. It might have had a few more features, but EventTracker has done really well on constantly adding features and changing their UI and adding dashboards and getting more data on there that you want. I have no reason to make a switch.

What other advice do I have?

If it's your first SIEM event-correlation system, be prepared for a long process. That's not just because it's EventTracker. That seems like that's what that process takes. Again, it really depends on what data you want to capture and how much data you want to capture and how you want to review that data. That configuration process can be very time-consuming.

We're on EventTracker 8, but we're getting ready to upgrade to the most recent version of nine, but we have not upgraded yet.

I don't typically use the dashboard widgets. I have everything configured in daily, weekly, and monthly reports. We have real-time alerts configured as well. So I'm not really utilizing the dashboard widgets. I know it has a lot of features and options but I manage the system from the reports and real-time alerts. In terms of the screens we use to view the solution, we mostly use the Excel reports that are generated daily and weekly. I access them, as well as the real-time alerts, from all devices. You can view them and see the details from any type of device. But I'm looking at the alerts through my email client on whatever device I'm on.

We have logs coming from our firewall configured to auto import log data, but we are not manually importing any log data.

Currently there are only two users in EventTracker: myself, as the information security officer and another gentleman here at the bank who is the backup information security officer. He functions more as a backup, but he's never had to step into that role and use the system. He received the training, but I handle the whole system. I'm the only one deploying and maintaining the system.

We have internal staff resources for internal incident management but we do not use the EventTracker SOC team. We handle the incidents internally, leveraging the reports and alerts.

We don't have any plans to increase usage, unless we add one or two offices as we do naturally in our mortgage division.

The difficulty with the language barrier at times with their training and technical support staff is a problem. That's why I'd rate it an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Sean Sheil - PeerSpot reviewer
Information Technology - Business Process Analyst at a financial services firm with 51-200 employees
Real User
Enables us to track account creation and deletion and the number of errors in a given system
Pros and Cons
  • "The most important feature is keeping track of when accounts are created and deleted, when permission groups are changed, and memberships are changed in groups; and overall, how many errors are occurring on the various systems that we're monitoring."
  • "I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports."

What is our primary use case?

We're getting some daily reports out of it for different systems regarding passwords expiring, accounts locked out, and a number of events in different categories. We're probably not using it to its fullest potential.

We import log data into the solution from Windows Servers and switch-logs from the Cisco switches. Those are the main things that we feed into the system. We don't have any Linux or any other external systems that we feed into it.

How has it helped my organization?

We use those standard reports every day and monitor them. It does save us some time from having to go out manually and pull that information together. With the daily reports that we get, we can easily scan through them and find any anomalies that are occurring. If a system suddenly starts getting thousands of more errors than it did previously, we know we need to look at something on that system.

The solution has also saved us time due to the fact that it's doing the consolidation of the log files for us. It probably saves us three hours a day.

What is most valuable?

The most important feature is keeping track of when accounts are created and deleted, when permission groups are changed, and memberships are changed in groups; and overall, how many errors are occurring on the various systems that we're monitoring.

The ability to import log data into the solution is very good. It consolidates that information and stores it in a compact manner. It doesn't use a huge amount of disk space to store the history of the logs but still gives us the ability to pull various reports as we need them.

What needs improvement?

I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports. Other than that it's fine.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It's very stable. We put it in place and have ignored it except, for pulling the reports.

What do I think about the scalability of the solution?

In our environment, it works perfectly fine.

How are customer service and technical support?

I've used the technical support a couple times. I've had very good results. In generating those reports, they were able to provide the methods in order to collect the information we needed to collect.

What was our ROI?

I don't know exact numbers on ROI, but in my mind it saves us a lot of time. I have six or seven reports that I can peruse through each day, quickly and efficiently, instead of having to go out and collect that data manually.

What's my experience with pricing, setup cost, and licensing?

Licensing is very easy. Our CIO takes care of the billing, but in terms of price point, he hasn't complained, so it must be good.

What other advice do I have?

Go through some training to know the ins and outs of the application. It has changed quite a bit in the seven years I've worked with it, and it would be a good idea to do some more training to learn all the new features and to make sure you can utilize all the capabilities.

The UI is okay. As I said, we're probably underutilizing the product compared to what we should be using it for. We don't view the information from it on screens. We more go off of the reports that we get daily out of the system.

In our company there are only three people using the system. We're all IT managers. We're only monitoring about 30 systems and we don't have plans to increase usage. Total time for deployment and maintenance would be a part-time IT manager, ten hours a year. In terms of internal staff resources for internal incident management, it's the same three IT specialists.

 I would give the solution an eight out of ten. I'm not giving it a ten because of a lack of understanding of the system and some of the kludginess in the generating of reports.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Bryan Caporlette - PeerSpot reviewer
Chief Technology Officer at G&G Outfitters Inc
Real User
Identifies potential threats and the remediation that I should take to be able to quell those threats
Pros and Cons
  • "The SIEMs and managed service are its most valuable features. We get a weekly report from them which provides a culmination of them combing through millions of events which are triggered across our network every day and minute. Their information security experts basically boil that down to a report which I get emailed once a week. It identifies potential threats and the remediation that I should take to be able to quell those threats."
  • "The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them."

What is our primary use case?

The primary use case is SIEM vulnerability and IDS.

How has it helped my organization?

It is protecting us from cyber threats.

We get a lot of information security audits from our larger clients. I wanted to be able to have intrusion detection and prevention, vulnerability scanning, and SIEM because those are always the questions, "Do you maintain your logs? Do you look at them? How do you take proactive action?" EventTracker managed service gives me the right answers for all those questions and has saved me time when answering these questions.

What is most valuable?

The SIEMs and managed service are its most valuable features. We get a weekly report from them which provides a culmination of them combing through millions of events which are triggered across our network every day and minute. Their information security experts basically boil that down to a report which I get emailed once a week. It identifies potential threats and the remediation that I should take to be able to quell those threats.

I don't have a CISO and don't have the budget to bring a CISO in. Therefore, it basically allows me to outsource the information security officer to EventTracker and have them perform that role for the company.

With the dashboards, I can very quickly see if there are any pending threats or anything that I should take action against. It has a very easy to use interface. Instead of having to go run reports and digging through millions of entries of data, I can have a couple of key metrics brought right up to me through the dashboard and be able to review that information, then either send it on to my networking team to address something or have comfort that we're in a good footing security-wise.

The solution's UI is very good now. It went through a transition phase from four years ago to today. With each iteration, we started on version 6 or 7, then we went to 8, and now we're on 9. Each one has been a large improvement for user usability and the user interface. It is more modern and easier to use. We usually view it on Internet Explorer or Chrome. I use my laptop to view it and find it a comfortable view.

I rely on them to tell me what features should be rolled out and come out. They are always introducing me to new threats and other thing that we need to be looking out for. They say, "By the way, we're looking for these now on the weekly report for you." They are the ones that I just outsourced this to.

What needs improvement?

The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them. That gets frustrating.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It has been very stable for me. I can't say that I have ever known it to be down in the last four years unless we were rebooting it ourselves to do maintenance, like caching on the server.

Version 9 was a tremendous upgrade for the dashboard. The performance of the new version with the Elasticsearch edition is a real improvement. Previously, running reports would take a long time, and now reports are very easy to slice and dice, then look through the data and dashboards. The dashboards are very helpful if I want to add a new widget. I can email the control center, then they will just add it to my dashboard for me.

What do I think about the scalability of the solution?

It has accomplished what I wanted it to accomplish. If anything, I'm downsizing servers by moving it to the cloud. So, I'm not really adding more to what it needs to manage.

A network engineer and I are the two users for this solution. It is currently deployed across all of our desktops, servers, and VMs. I don't have any expectations to expand it, except for if I hire a new employee and put a new desktop in, but I doubt we are going to be putting new servers in.

We are getting on average 1.6 to 1.7 millions events a day.

How are customer service and technical support?

The technical support is very good and responsive. If I send an email to them, I always get a response within an hour. I don't generally have any emergencies happen. When we've had an emergency situation, they've also been really good to jump on and help remediate the situation. For example, we had a virus that was detected, and they were the ones that identified it early on during their review of the SIEM. They were there to help us through the remediation, getting it blocked, and blocking any exfiltration that the virus was trying to do. Afterwards, during the post-mortem and giving me documentation on what they had seen, how we'd reacted to it so that I can put together a post-mortem for the executive team, they participated in that. Overall, they have a really strong support team.

Which solution did I use previously and why did I switch?

We did not use another solution prior to EventTracker.

How was the initial setup?

The initial setup was straightforward because they did it. We just had to give them a virtual machine that met their specs, then they installed the software and got it all configured for us. So, it was pretty easy and only took a network engineer from our company.

It did not take more than a couple days to get everything installed, running, tuned, etc. We installed the software first, then we installed the agents second.

We have a network engineer doing the maintenance for it.

What about the implementation team?

Netsurion did the installation. We did not work with a third-party consultant.

What was our ROI?

I haven't measured the ROI. We don't do normal budgets, as we are not that big of a company. We are mid-sized.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing seem very reasonable. The managed service part of it feels like it gives me the equivalent of a full-time engineer for a lot less money. So, I feel it's a good value.

Which other solutions did I evaluate?

I was doing a cursory review of different things by doing a web search, like a Google search, and looking at different options. I came across Netsurion, who are local to us, and I knew the VP of Sales, and I always like to work with people who I have a relationship with.

What other advice do I have?

The solution has been everything that I've asked for from a service standpoint, software standpoint, and support. I have no complaints.

My advice would be to engage them to do the installation. The managed service is great value which saves you a full-time employee on your staff by being able to outsource it to EventTracker to review all the logs and cull through the data to make recommendations and identify threats, then how to remediate them. They provide it to you in your weekly or daily report, depending on how frequently you want to have them do it, which is based on your compliance. If you have compliance requirements for HIPAA, PCI, etc., it is a great benefit to help an organization meet their compliance requirements.

We have internal staff resources for internal incident management. We leverage the EventTracker SOC team. When we detected the virus, we kept in contact with the EventTracker SOC team and sent them emails, and they would call me and say that they see it on this server or that desktop, and we'd go and take it off of the network and clean it. Then, we would put it back on and they'd watch to see if they saw any traffic that was not supposed to be coming from that server. For the whole remediation process, they were sort of part of the team.

Data is all configured to automatically go in. We deployed their agents, and those agents just send the log data directly to the SIEM. We don't manually upload anything.

We did not integrate it with any other solutions.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Security Information and Event Management (SIEM) Report and find out what your peers are saying about Netsurion, Splunk, IBM, and more!
Updated: September 2022
Buyer's Guide
Download our free Security Information and Event Management (SIEM) Report and find out what your peers are saying about Netsurion, Splunk, IBM, and more!