Coming October 25: PeerSpot Awards will be announced! Learn more

RSA NetWitness Logs and Packets (RSA SIEM) OverviewUNIXBusinessApplication

RSA NetWitness Logs and Packets (RSA SIEM) is #7 ranked solution in top ATP (Advanced Threat Protection) tools and #11 ranked solution in top Security Information and Event Management (SIEM) tools. PeerSpot users give RSA NetWitness Logs and Packets (RSA SIEM) an average rating of 7.4 out of 10. RSA NetWitness Logs and Packets (RSA SIEM) is most commonly compared to Splunk: RSA NetWitness Logs and Packets (RSA SIEM) vs Splunk. RSA NetWitness Logs and Packets (RSA SIEM) is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.
RSA NetWitness Logs and Packets (RSA SIEM) Buyer's Guide

Download the RSA NetWitness Logs and Packets (RSA SIEM) Buyer's Guide including reviews and more. Updated: September 2022

What is RSA NetWitness Logs and Packets (RSA SIEM)?

If you’re relying on log data to detect and prevent cyber threats, you’re in trouble. Attackers increasingly evade detection of log-centric security and network monitoring tools. But logs combined with full packet, endpoint NetFlow data are proven to provide the essential details for early threat detection. Here’s a closer look at our solution.

RSA NetWitness Logs and Packets (RSA SIEM) was previously known as RSA Security Analytics.

RSA NetWitness Logs and Packets (RSA SIEM) Customers

Los Angeles World Airports, Reply

RSA NetWitness Logs and Packets (RSA SIEM) Video

RSA NetWitness Logs and Packets (RSA SIEM) Pricing Advice

What users are saying about RSA NetWitness Logs and Packets (RSA SIEM) pricing:
  • "We have yearly licensing costs. The license fee can be based on the volume of EPS. Some organizations may have, as a gentlemanly gesture, 10,000 EPS and get a 3,000 EPS license but actually use 5,000 EPS."
  • "There is a licensing fee and the customer can choose whether he wishes this to be subscription-based or perpetual."
  • "Compared to the competition, the is price is not that high."
  • "RSA NetWitness Logs and Packets do not have a subscription model, it's a one-time purchase. There is only a perpetual license."
  • "We are on an annual license for the use of the solution."
  • RSA NetWitness Logs and Packets (RSA SIEM) Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Mahesh Suryawanshi - PeerSpot reviewer
    Program Manager at EGYANAM TECH
    Real User
    Top 20
    Economical with good technical support and is easily scalable
    Pros and Cons
    • "It's quite economical compared to other solutions in the market."
    • "The initial setup is complex. There are other solutions that are easier to implement."

    What is our primary use case?

    I'm primarily using the solution on my client's site. 

    This is a log event management tool. We are integrating this solution for the clients where it is required. Mostly we work with OEMs such as IBM, RSA, Splunk, and Micro Focus. 

    With the help of these tools, you can identify any attacks or phishing activity in your network. Most of the time you are able to identify these types of attacks or activity on your firewall. When the firewall will notify the SIEM tools, it will identify which needs to be acted on immediately - unlike when you are using automation tools. With the help of automated tools, you can block those suspicious IPS or you can hand it over back to your security analyst or analyst team to take action ASAP. 

    What is most valuable?

    We have not evaluated this tool. It is evaluated by the client's company directly. That said, I have found it has good threat intel insights, comparatively speaking. 

    From the client-side, there are economical kinds of features.  It's quite economical compared to other solutions in the market. 

    The solution is scalable. 

    The technical support is very good.

    What needs improvement?

    We are designing reports and automated rules and processes. We are defining them in relation to this product. With the help of automated rules and processes, this product will help the team when they go to production to do operations smoothly, as, most of the time, what happens when you put manual interference into such systems, it may be delayed. This can lead to vulnerabilities. Sometimes, if a hacker enters the system, he might only have a limited time where there is a window of access, however, in that time, he'll take what he can, and even if the vulnerability only lasted for a few minutes, in that time, items can get stolen. 

    Therefore, there needs to be more proactively to avoid any downtime. We're adding automating tools to help RSA Netwitness so that if anything happens, RSA can immediately shut anything down. We're in the process of configuring them and adding them in.

    The initial setup is complex. There are solutions that are easier to implement.

    For how long have I used the solution?

    I've been using the solution for two and a half years.

    Buyer's Guide
    RSA NetWitness Logs and Packets (RSA SIEM)
    September 2022
    Learn what your peers think about RSA NetWitness Logs and Packets (RSA SIEM). Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    635,987 professionals have used our research since 2012.

    What do I think about the stability of the solution?

    The solution is reliable. I won't say great, due to the fact that, naturally, if you compare it to other products it is not that great. That said, for the operations, it is good as long as you do not violate your license. The moment you violate your license, this will cause a quite delayed reaction, at least, that is what I've seen compared to Splunk and QRadar.

    What do I think about the scalability of the solution?

    While the solution isn't necessarily for small organizations, it is good for medium and large organizations.

    The solution scales easily.

    How are customer service and support?

    Technical support is very good. They try to resolve issues with the proper SLAs which are defined by them and they understand the client's requirements as well as the client's infrastructure in a better manner. I'm happy with the support.

    How was the initial setup?

    The solution is pretty complex to set up. Comparatively, I have worked on IBM QRadar and Splunk. They are much easier to set up. It also depends on the client's infrastructure. It just needs some time and understanding to be deployed. 

    Once it is deployed it requires maintenance. Whenever you work on such products, if you do not take the support or support services, it might take some time to work through some things. For some things, the documentation is not the best. Support is always recommended. If you do not buy support, it can be a disaster. 

    What's my experience with pricing, setup cost, and licensing?

    It's my understanding that the pricing of the product is pretty good. Compared to other options on the market, it's reasonable. 

    I would say it's economical, as the licensing part is always a different ball game in the SIEM tools business, as everyone is running their business in a different manner. If you go to IBM, they will charge you in a different way, for example. RSA will charge you in a different way as well, and Splunk has its own unique licensing policies. I would say it's economical. I won't say it's cheap. It is in between.

    Currently, there is only one license. There aren't different licensing models. Hardware is included in the price.

    What other advice do I have?

    I'm on the latest version of the solution. I tend to work on updated versions.

    We are systems integrators. We have a partnership with RSA.

    If a company decides to try out this product, they need to do the homework properly due to the fact that sometimes on the hardware side or on the software side, you may face some issues. It is better to study thoroughly the troubleshooting part and prepare properly. Only then you can go for implementation.

    I'd rate the solution at an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Senior Assistant Vice President at a financial services firm with 1,001-5,000 employees
    Real User
    Can find out if there is lateral movement, but integration and workflow need improvement
    Pros and Cons
    • "I can have enterprise security, email security, next generation firewall security log, HIDS and NIDS logs, etc. all on the same dashboard. It makes it easy to pinpoint or correlate our server to this. I can find out if there is lateral movement. This is the biggest advantage of this solution."
    • "Sometimes, it gives me static when integrating Windows-based systems. It should produce a precise log of sorts as to where the problem is. For example, a few days ago because of the McAfee application firewall, I couldn't get access to the particular Windows machine. So, my team and I had to figure out by ourselves that there was a virus responsible for the obstacle. This solution should trigger a meaningful log or message indicating the reason the user or implementer can't get into the machine."

    What is most valuable?

    Overall, it is easy to implement.

    I can have enterprise security, email security, next generation firewall security logs, HIDS and NIDS logs, etc. all on the same dashboard. It makes it easy to pinpoint or correlate our server to this. I can find out if there is lateral movement. This is the biggest advantage of this solution.

    What needs improvement?

    Sometimes, it gives me static when integrating Windows-based systems. It should produce a precise log of sorts as to where the problem is. For example, a few days ago because of the McAfee application firewall, I couldn't get access to the particular Windows machine.
    So, my team and I had to figure out by ourselves that there was a virus responsible for the obstacle. This solution should trigger a meaningful log or message indicating the reason the user or implementer can't get into the machine.
    The workflow is not smart enough. For example, if I'm monitoring or analyzing log events and alerts from the SIEM system, it has to be reviewed by the person responsible for this in the organization. So, the review should be automated and should be signed off per the FR-ISO 27001 control requirement. This is lacking in RSA NetWitness Logs and Packets (RSA SIEM). This is also the case with PCI-DSS compliance because we are in the banking industry.

    The most iconic disadvantage of the solution is that I cannot tag my asset by my name. There should be a portal or a photo where I could check the applicant name. Whatever asset it discovers, it takes only the IP address. If it gets it from Active Directory, then it gets only the host name, which is not actually meaningful to an analyst. There should be a way to tag a name manually so that it can be mapped later to the actual machine, besides the machine I'm investigating on.

    RSA NetWitness Logs and Packets (RSA SIEM) does not have SOAR, and we have to do it manually. SOAR is a new concept that is still in development.

    For how long have I used the solution?

    I've been using this solution for less than a year.

    What do I think about the stability of the solution?

    There are a few issues with stability when integrating with Windows-based systems.

    What do I think about the scalability of the solution?

    It is scalable if the developer wants to scale the solution.

    How are customer service and support?

    They're prompt enough, but I have seen better technical support. We are still under our local partner. I would give them a rating of six out of ten.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    Overall, it is easy to implement.

    What's my experience with pricing, setup cost, and licensing?

    We have yearly licensing costs. The license fee can be based on the volume of EPS. Some organizations may have, as a gentlemanly gesture, 10,000 EPS and get a 3,000 EPS license but actually use 5,000 EPS.

    Which other solutions did I evaluate?

    We had LogRhythm in a POC environment. I did not like it because I experienced a lot of issues with it, and so, I chose RSA NetWitness instead.

    What other advice do I have?

    There are lots of opportunities to expand this functionality, and it is a wonderful solution. It can compete with Splunk and LogRhythm.

    I would recommend RSA NetWitness and rate it at five on a scale from one to ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    RSA NetWitness Logs and Packets (RSA SIEM)
    September 2022
    Learn what your peers think about RSA NetWitness Logs and Packets (RSA SIEM). Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    635,987 professionals have used our research since 2012.
    Solution Specialist- Data Protection at a tech services company with 11-50 employees
    Reseller
    Top 20
    Provides a comprehensive trace investigation with the packet capture feature
    Pros and Cons
    • "The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs."
    • "There are instances where you try to run the reports and then it does not give you the desired outcome."

    What is our primary use case?

    The customer that we work with uses it to gather logs from all the devices in their enterprise so that they have that single point of visibility into trace information in the environment.

    What is most valuable?

    The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs. So, the capture packet also gives you specific insight into what's going on in the network, and it makes your trace investigation much more comprehensive.

    The user interface is fine.

    What needs improvement?

    The reporting aspect could be improved. There are instances where you try to run the reports and then it does not give you the desired outcome. At times, it appears as if the reporting feature might be buggy.

    You want to actually follow the trends and see how technology is advancing. I think they've done that with regard to security orchestration, automation, and response. However, I think that they could do better with the automation and response.

    For how long have I used the solution?

    We have been selling RSA NetWitness Logs and Packets (RSA SIEM) for 18 months now.

    What do I think about the stability of the solution?

    It is stable.

    What do I think about the scalability of the solution?

    This solution is scalable.

    How are customer service and technical support?

    Technical support has been quite a challenge. There are instances where you reach out to support, and the initial response is fast. When they get to experience what the problem is, we would expect them to be able to fix it on time, but then, we'd notice that there could be quite a lot of back and forth with customers in trying to get an issue resolved.

    This is a situation where you have other solutions plugging into this one, so there are times when the issue being experienced has to do with another solution. So there are problems with accepting responsibility.

    In general, I would rate them at 70% on technical support.

    How was the initial setup?

    I've not been involved in initial setup, but I've seen upgrades. I think it's quite straightforward.

    What's my experience with pricing, setup cost, and licensing?

    From a pricing perspective, I wouldn't say it's too expensive because recently, they came up with a good plan that would also work for small enterprises.

    At the early stage, it was quite appliance-based, but now you have virtual machines that take away the appliance cost for customers. So, price wise, it is fair compared to the cost of other SIEM solutions.

    What other advice do I have?

    It's a comprehensive SIEM solution. The packet capture feature is one thing that will be very beneficial for all accounts because it gives you that general visibility into what's going on even on your network. It's a great product, and I would rate it at eight on a scale from one to ten. It's way ahead of the others. 

    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    PeerSpot user
    MdZaman - PeerSpot reviewer
    Deputy Manager at JTI (Japan Tobacco International)
    Real User
    Top 5Leaderboard
    Really scalable for enterprise customers
    Pros and Cons
    • "The solution is really scalable for the high-end power, enterprise customer."
    • "The solution should have more integration capabilities with different platforms."

    What is our primary use case?

    Generally, we use the solution for network forensics. It allows us to do visual data detection and prevention. 

    What needs improvement?

    The solution should have more integration capabilities with different platforms. The API is nearly open and scalable, so the solution can integrate with many platforms. The solution has more than 200 log sources in the scalability to support, but this is its limit. 

    Installation is pretty easy. However, there are a couple of modules involved, so it is not as easy as it could be. We are talking about a distributed module, not a single-module type. This is what makes things a bit complex, instead of easier. I rate it as a seven out of ten on its installation and configuration capabilities.

    For how long have I used the solution?

    I have been using RSA NetWitness Logs and Packets (RSA SIEM) for two years.

    What do I think about the scalability of the solution?

    The solution is really scalable for the high-end power, enterprise customer, but not for the small one.

    How are customer service and support?

    Mostly, the support is provided remotely and has proven to be good. It was good at the time when we made use of it. I have no idea whether they improved their support over the course of the last year. Previously, our country did not have certified resources, although the first-level of support was available through their local partners, as well as paying-level support, which was handled remotely through India or Singapore. 

    How was the initial setup?

    Installation is pretty easy. However, there are a couple of modules involved, so it is not as easy as it could be. We are talking about a distributed module, not a single-module type. This is what makes things a bit complex, instead of easier. I rate it as a seven out of ten on its installation and configuration capabilities. 

    If one goes the intelligent route, installation should take at least four to five hours. 

    What about the implementation team?

    There were at least two people involved in the deployment and maintenance. From an operational perspective, there is a need for at least three people, since type one, two and three analysts are involved. Two people are sufficient for the installation, though. 

    What's my experience with pricing, setup cost, and licensing?

    There is a licensing fee and the customer can choose whether he wishes this to be subscription-based or perpetual. 

    Which other solutions did I evaluate?

    Integration is exceedingly minimal, since its project development is much easier than that of LogRythm or IBM. This means that the solution is significantly more flexible for the customer and requires less training.

    What other advice do I have?

    I would definitely recommend this solution to others, but not to small-sized customers. The solution is one of the best for enterprise customers exceeding 10,000 or 2,000 EPS. 

    I rate RSA NetWitness Logs and Packets (RSA SIEM) as a nine out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Senior consultant Cybersecurity
    Real User
    Top 10
    Use case development is user friendly but threat detection and alert capabilities need improvement
    Pros and Cons
    • "The development of use cases on the SSA console is quite user friendly. This means that the security analyst or the researcher does not have to learn another language."
    • "The threat detection capability and centralizing and upgrading capability need to be improved. The threat alert capability needs to be improved as well because there is some lag time at present. They need to work on their database search too."

    What is our primary use case?

    It's a log management solution where we have logs from different sources, like network devices, firewalls, load balancers, IT, application servers, and database servers. We also use it for compliance and governance. Our cyber security team uses it to monitor malicious activity across our IT infrastructure.

    What is most valuable?

    The development of use cases on the SSA console is quite user friendly. This means that the security analyst or the researcher does not have to learn another language.

    What needs improvement?

    The threat detection capability and centralizing and upgrading capability need to be improved. The threat alert capability needs to be improved as well because there is some lag time at present. They need to work on their database search too.

    I would like to see log storage and threat intelligence features be included in the next release. I would like to see them automate the security incident response.

    For how long have I used the solution?

    I've been using it for the past five years.

    What do I think about the stability of the solution?

    Overall, RSA NetWitness Logs and Packets (RSA SIEM) is a stable product, but it is very unstable when you have do updates and upgrades.

    What do I think about the scalability of the solution?

    It is a scalable solution. Our cyber security team of 15 people uses this solution.

    How are customer service and support?

    Technical support staff were responsive, but they were not always knowledgeable about the project. They didn't have the expertise. They need to be more knowledgeable about their products. Because of this, I would rate technical support at six on a scale from one to ten.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    Implementation is quite easy, and it takes about a week to deploy the solution. On a scale from one to five, with one being the worst and five being the best, I would give the setup process a four.

    What's my experience with pricing, setup cost, and licensing?

    Compared to the competition, the is price is not that high.

    What other advice do I have?

    I've been using Sentinel and IBM QRadar. They are far better than RSA SIEM from a graphic user point of view and in terms of log integration. Everything is enhanced in these solutions compared to that in RSA.

    RSA NetWitness Logs and Packets is far behind the competition. Initially, RSA was the only company focusing on decentralization and automation, but now, Microsoft and Google are also in the picture and are investing a lot of money to make their product user friendly and good for the customers from a cybersecurity point of view.

    Overall, I would rate RSA NetWitness Logs and Packets (RSA SIEM) at six on a scale from one to ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Manager at a comms service provider with 10,001+ employees
    Real User
    Useful correlations tools, simple initial setup, and helpful support
    Pros and Cons
    • "The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools."
    • "RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms."

    What is our primary use case?

    RSA NetWitness Logs and Packets are used exclusively for monitoring scenarios, insider threat analysis, and log retention.

    What is most valuable?

    The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.

    What needs improvement?

    RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions. Whenever any hacking activity or any other threat factor occurred they used to provide the coverages very fast when comparing RSA NetWitness Logs and Packets. I heard the other three solutions, from a discussion with my team members who had experience in other solutions, they used to say that. Whenever any issues happened across the globe RSA NetWitness Logs and Packets are a little bit slow improving those detection mechanisms.

    For how long have I used the solution?

    I have been using RSA NetWitness Logs and Packets for six years.

    What do I think about the stability of the solution?

    Some of the RSA NetWitness Logs and Packets versions are not stable. Whenever they are releasing upgrades we were facing some issues.

    What do I think about the scalability of the solution?

    The scalability could improve. RSA NetWitness Logs and Packets have some limitations in the on-premise sizing. It requires more workers to procure the hardware. It is time-consuming.

    The solution is only being used by our security operations team of approximately 10 to 15 people.

    How are customer service and support?

    When we have any critical issues we escalate them to the support of RSA NetWitness Logs and Packets.

    I rate the support from RSA NetWitness Logs and Packets a four out of five.

    Which solution did I use previously and why did I switch?

    We were using RSA Ticket Analytics and now we are using RSA NetWitness Logs and Packets.

    How was the initial setup?

    The initial setup of RSA NetWitness Logs and Packets is not complicated, it is easy for us. However, there are some sizing limitations.

    What about the implementation team?

    We did the implementation of RSA NetWitness Logs and Packets in-house. We have not had any issues with maintenance. 

    What's my experience with pricing, setup cost, and licensing?

    RSA NetWitness Logs and Packets do not have a subscription model, it's a one-time purchase. There is only a perpetual license.

    What other advice do I have?

    When comparing the cloud security solutions, RSA feels outdated. I would advise others before choosing RSA NetWitness Logs and Packets, to do a POC process and later they can do the purchase if it fits their needs.

    I rate RSA NetWitness Logs and Packets an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Seakr Dg - PeerSpot reviewer
    Security Operations Manager at a computer software company with 1,001-5,000 employees
    Real User
    Reliable, straightforward installation, but lacking multi-tenant capabilities
    Pros and Cons
    • "The newer 11.5 version that my team is using has found it to have good mapping."
    • "The multi-tenant capabilities are lagging compared to IBM QRadar."

    What is our primary use case?

    We have two customers using this solution and one of them is a banking business. We are collecting some of the security log sources. In the main use case, we are correlating rules and we are using the endpoint detection capabilities. We are utilizing RSA NetWitness Logs and Packets, to have more insights on an endpoint level.

    What is most valuable?

    The newer 11.5 version that my team is using has found it to have good mapping.

    What needs improvement?

    The multi-tenant capabilities are lagging compared to IBM QRadar.

    We want the OEM to support us when we add a partner. They have to come forward and be ready to give a POC to the customer. For example, if we are identifying any customer, and the customer wants to see the POC but at that time we do not have that resource to showcase the POC or the environment. At this time the OEM should come forward and showcase the POC to the customer. Once the customer is satisfied, we will be gaining the business, as a win-win situation.

    For how long have I used the solution?

    I have been using RSA NetWitness Logs and Packets (RSA SIEM) for approximately two years.

    What do I think about the stability of the solution?

    The solution is reliable.

    What do I think about the scalability of the solution?

    I have not tried to expand the solution.

    How are customer service and support?

    The technical support is responsive. Professional service when it is required is expensive. I wasn't able to compare with other professional services, because we have only one tool we are using at the moment. I am not able to tell you how much other OEM professional services cost. We have heard from the support that it is expensive.

    Which solution did I use previously and why did I switch?

    I have previously used IBM QRadar.

    How was the initial setup?

    The installation is somewhat straightforward. For example, if they want a UBA or SOAR type of platform, then I don't have experience in integrating or installing the SOAR or UPA. If that kind of opportunity comes or a customer requests it, then we have to see. As it is now, RSA NetWitness Logs and Packets (RSA SIEM) installation is straightforward.

    What's my experience with pricing, setup cost, and licensing?

    We are on an annual license for the use of the solution.

    What other advice do I have?

    I would recommend version 11.5, it looks good. However, we are looking for an alternative solution.

    I rate RSA NetWitness Logs and Packets (RSA SIEM) version 11.4 a seven out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Sandeep Sehrawat - PeerSpot reviewer
    Information Technology Security Consultant at Sify Technologies
    Real User
    Top 5
    The setup is straightforward and there are multiple connectors to help you integrate

    What is our primary use case?

    We provide NetWitness along with Archer, and multiple sites. We are managing their security operations using this other station and Archer. A collector can work in two different ways. It can collect the logs, and it can aggregate the traffic tools from different net flow logs. When I saying "logs," I mean a log collector and when I say "packet," that means the packet or log connector. 

    What do I think about the stability of the solution?

    The stability all depends upon how well the site is set up. All these solutions are good, but the CPU and OS are the major portion of undoing the correlations. If you have a poor correlation, then you need to have less than 70 percent utilization. Then that may not be good performance. 

    What do I think about the scalability of the solution?

    NetWitness is scalable. You can scale, but you cannot assume that if you are deploying it today, you could use the same hardware setup as before. You only have two or three connectors. It is not at all possible. However, 20 percent scalability is always there with Odyssey.

    How are customer service and support?

    Nowadays, their support is a little subpar compared to other solutions. I rate RSA support six out of 10. 

    How was the initial setup?

    Setting up NetWitness is straightforward. There are multiple connectors, including standard and specialized connectors. One purpose of the connectors is the enhanced capability integrate the custom applications. NetWitness comes with E6 appliances and application images that we use for the initial configurations and for the OS stack information. From there, you can consider the correlation rules, integrate the different log sources, and easily create correlation rules and backlog reports.

    The complexity of the deployment depends on the amount and type of log sources. Are there any custom home-grown log sources for which you need to create the custom parsers? How many different logs or log lines in a home grown application? These factors might make your parser development a bit cumbersome.

    What's my experience with pricing, setup cost, and licensing?

    The licenses are based on the ETS.

    What other advice do I have?

    I rate RSA NetWitness Logs and Packets eight out of 10. Aside from ETS, it is the second-most important solution for maintaining compliance and how much data you need in the online logs or the offline archival logs.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free RSA NetWitness Logs and Packets (RSA SIEM) Report and get advice and tips from experienced pros sharing their opinions.
    Updated: September 2022
    Buyer's Guide
    Download our free RSA NetWitness Logs and Packets (RSA SIEM) Report and get advice and tips from experienced pros sharing their opinions.