The tool helps us to collect, correlate and publish logs on our site.
General Manager at VIC IT
A stable and scalable SIEM solution that helps us to collect, correlate and publish logs
Pros and Cons
- "I am impressed with the product's ability to pick up logs. It also has UEBA which has reduced the time to take charge of the events."
- "The product's connectors should work better and the user manuals need an update."
What is our primary use case?
What is most valuable?
I am impressed with the product's ability to pick up logs. It also has UEBA which has reduced the time to take charge of the events.
What needs improvement?
The product's connectors should work better and the user manuals need an update.
For how long have I used the solution?
I have been working with the product for three years.
Buyer's Guide
ArcSight Logger
November 2024
Learn what your peers think about ArcSight Logger. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,636 professionals have used our research since 2012.
What do I think about the stability of the solution?
I would rate the tool's stability a nine out of ten.
What do I think about the scalability of the solution?
I would rate the product's scalability a ten out of ten.
How are customer service and support?
The level 3 engineers do not work in our time zone. Hence, we need to wait until late at night for support. You may get an answer not today but only tomorrow or the day after.
How would you rate customer service and support?
Neutral
How was the initial setup?
The tool's setup is neither simple nor difficult.
What's my experience with pricing, setup cost, and licensing?
I would rate the product a seven out of ten since it's an enterprise product.
What other advice do I have?
I would rate the tool a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Senior Security and Compliance Engineer at a retailer with 501-1,000 employees
It has excellent query syntax and response.
What is most valuable?
It has excellent query syntax and response. Complex queries of large volumes of data generally take seconds if not minutes.
How has it helped my organization?
ArcSight has improved incident response from days to minutes. It also offered ancillary non-security troubleshooting features, which were surprise benefits to teams such as network and operations.
What needs improvement?
I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.
For how long have I used the solution?
We've been using it for two years.
What was my experience with deployment of the solution?
We had no issues with the deployment.
What do I think about the stability of the solution?
We have had no stability issues.
What do I think about the scalability of the solution?
The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance. The issue was self-inflicted as we discovered more use cases when adding new logs and log types.
How are customer service and technical support?
Technical support is excellent. In fact, that was one of the best "features" of the implementation. I never had to wait to reach specialist help, and all engineers that I spoke with were highly technical and were pleasant.
Which solution did I use previously and why did I switch?
I previously used a significant RSA Envision installation that had extremely poor performance with complex queries. It was routine to wait an hour or more for a more complex query. HP ArcSight was introduced by a CISO with previous experience at a previous employer and the improvement was immediately obvious. It was a wise decision that I took with me to my next organization.
How was the initial setup?
It can be difficult to set up connectors to ingest and normalize different log types initially.
What about the implementation team?
I would recommend HP professional services for starting up. I used that approach and was able to glean enough through knowledge transfer to hit the ground running from day one in production.
What was our ROI?
Security makes it difficult to quantify ROI, but I can say that we were able to complete incident response in minutes where the same had taken hours or days.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, size appropriately, and realistically up front. That said, the product architecture is scalable as needs grow.
What other advice do I have?
ArcSight has a Google-like query syntax with boolean-style operands. That said, there is also a GUI to craft queries. I'd recommend learning the GUI as this is the same GUI used in HP's ESM product, the engine that can correlate disparate log events and turn incident response from reactive to proactive alerting. Getting a head start on learning that syntax would help ease into the highly-recommended ESM or ESM Express products.
Disclosure: My company has a business relationship with this vendor other than being a customer: At the time, I formed a strategic partnership with HP Enterprise Security and co-presented their products at a business vertical relevant technology conference, served as a customer reference and referenced HP ArcSight in a case study about my complementary HP (now TrendMicro) TippingPoint Intrusion Prevention System implementation.
Security Architecture Senior Specialist at a comms service provider with 1,001-5,000 employees
We like the compression rates and scalability of the smart connectors.
What is most valuable?
- Scalability of the smart connectors
- Ease of storing billions of events without special storage needs
- Great compression rates
How has it helped my organization?
First of all, the collection of a mass of events is a challenge for enterprise companies. You need a great deal of storage and how you collect them is an issue. The smart connectors and great compression rates of ArcSight helped us a lot.
The other thing is to be able to be competitive, as you need to show that you have a logging system that complies with the laws in your country and company policy so that you can continue to do your business. With ArcSight, we easily pass the requirements of the external audits our clients require.
What needs improvement?
I would say that the consolidation should be done only by using ArcSight. We need to use the ESM module to create complex rules and reports as we can only do limited reports with ArcSight.
For how long have I used the solution?
We've used it for about two years.
What was my experience with deployment of the solution?
The main problem is how to collect logs from various resources.
What do I think about the stability of the solution?
The smart connectors are very stable.
What do I think about the scalability of the solution?
We've had no issues scaling it for our needs.
How are customer service and technical support?
Since we work with partners, I can't say too much. However, for every company on this planet there is always room for improvement in the level of support.
Which solution did I use previously and why did I switch?
This was the first solution we've used, and I believe it will be the last solution we need.
How was the initial setup?
We used an appliance, so the setup was very easy. But I must say that even if you use an open server, it is not complex to deploy this product.
What about the implementation team?
We worked with a partner for the implementation.
What was our ROI?
It is really hard to measure ROI financially, but there are some important things to say. First of all, since it's easy to use, our operational time has decreased so that we as technical staff have much more time to spend on other issues. Since we collect all of the logs, we can investigate fraud and find their sources. We can also find the causes of system outages.
What other advice do I have?
It works fast and you can collect just about everything. The only drawback is that without ESM, you are limited. The most important thing is the scalability of the product and its ease of use. Companies like us need some specific connectors, and smart connectors give us a very scalable solution. Also, even though we have billions of events, it is really fast in finding the logs we need. That makes this solution amazing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a tech services company with 1,001-5,000 employees
High performance, easy query creation, and straightforward documents
Pros and Cons
- "Some of the most valuable features I really appreciate are the performance, how quick the solution is, and how easy it is to create a query."
- "The solution could be improved in maintenance settings."
What is most valuable?
Some of the most valuable features I really appreciate are the performance, how quick the solution is, and how easy it is to create a query. Additionally, it is user friendly and the automatic graph creation feature is beneficial.
What needs improvement?
The solution could be improved in maintenance settings.
Some of the additional features I would like to see in the next release are an automated dashboard of the logs that has more detailed information.
For how long have I used the solution?
I have used this solution for one and a half years.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a scalable solution.
How are customer service and technical support?
The technical support is very good, providing accurate answers, and I have never experienced problems with them.
How was the initial setup?
The initial setup is straightforward; you just have to stick to the documents and it is really easy.
What about the implementation team?
My current deployment was not a complex environment. It was very easy to deploy and connect with the different connectors. I had deployed the solution approximately three times in my career.
With a complex environment, the deployment was approximately two days whereas with a really complex environment the setup would require around 15-20 connectors.
What other advice do I have?
I would recommend it to others because the performance of the solution is overall great. One of the significant features is its high search capacity, and if you know the query language you will be more comfortable.
I rate ArcSight Logger a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
QA Consultant / Security Testing Professional at a tech company with 501-1,000 employees
Its automated functions made it easier so we could concentrate more on real issues instead of standard log collecting and alerting issues.
What is most valuable?
- Log collecting
- Big Data analytics
- Security analytics
How has it helped my organization?
This product was used to help us get PCI compliant. Its automated functions made it easier so we could concentrate more on real issues instead of standard log collecting and alerting issues.
What needs improvement?
With the connectors, there were some legacy devices that had some problems since support was dropped for those.
For how long have I used the solution?
We've been using it for four years alongside ArcSight Express.
What was my experience with deployment of the solution?
We had no issues with the deployment.
What do I think about the stability of the solution?
The stability of the system was good except when we had a DDoS attack, when we lost some functions for a short time.
What do I think about the scalability of the solution?
Scalability is good if your need is high enough, but for smaller cases it isn't so good.
How are customer service and technical support?
Customer Service:
Customer service was very helpful.
Technical Support:
Technical support is at a good level.
Which solution did I use previously and why did I switch?
We used an older version that was going to be replaced.
How was the initial setup?
The initial setup was complex, but that was mainly because of customer security reasons.
What about the implementation team?
We used a subcontractor for the first part of the installation, and finished it off in-house.
What's my experience with pricing, setup cost, and licensing?
We had some big licensing issues when there was a DDoS attack. The attack caused a huge amount of extra activity, so it would be nice to have an "emergency level" of licenses when there are these kinds of issues.
I would recommend, from a security point of view, calculating licensing limits according to what incidents could happen and then get 5-10% more licences on top of that.
Which other solutions did I evaluate?
We did an evaluation of major vendors and HP was fastest for us to get in and use.
What other advice do I have?
Overall, it is a good system for what we use it for, but some licensing parts are really annoying.
As always, a pre-calculation and pre-planning will help a lot, and compare it to three to four other vendors. Changes on the system that is running are a bit harder to do. In our case this, of course, might be an issue of our customers' strict security requirements.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security, Associate Consultant - On-location at a tech company with 501-1,000 employees
It integrates with ArcSight SIEM as it uses the same connectors.
Valuable Features
Several features are valuable to us, including:
- Log management in general
- Security options
- Integration with ArcSight SIEM as it uses the same connectors
- Simple GUI
- Powerful searching and reporting tools
Improvements to My Organization
Although I unfortunately can't comment on specific usage within my company, we have seen improvements from the use of ArcSight Logger and the many features that are valuable to us.
Room for Improvement
SmartConnector vendor support will always be a battle, but most major vendors and products seem to be supported.
Clicking on a log source on the main page should not pull all stored logs as this is too slow and way excessive. It should default to a recent and smaller sample.
Deployment Issues
My deployment is on Red Hat though which seems pretty speedy, so I am unsure for more Windows-based deploys.
Stability Issues
We have had no issues with stability.
Scalability Issues
From what I can see, it scales well. It does require a pretty hefty baseline, but the more system resources you give it, the better it seems to perform.
Customer Service and Technical Support
HP support has been fairly impressive. Shifting personnel causes a bit of disruption in deployment tasks, but they seem to compensate for shifts pretty well.
Initial Setup
For main components, HP SEs seem eager to help. The way documentation is organized on their site could definitely use some work though. Documentation exists, and it's generally pretty solid, but most times, asking an HP SE directly to email it to you tends to be much easier than searching for it yourself.
Implementation Team
Implementation of anything this size and scope in a large company requires a lot of work. So getting outside assistance or additional staffing for deployment and support is recommended.
Other Solutions Considered
Splunk is definitely a direct competitor and equally powerful. Logger seems to have a better interface in my opinion. Also, if your company is already using ArcSight, it makes sense to go with Logger as it utilizes the same SmartConnectors for log parsing/forwarding.
I think where Logger shines is usability. Splunk is a beast unto itself and people build careers on it. Not to knock it too much, as it is a very powerful product. But the appeal of Logger is that it makes log management accessible and usable to any IT/systems/networking employee or user, who can make sense of it and use it without having to become a guru of a specific log management system to use it to its fullest extent.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Professional at a tech services company with 501-1,000 employees
Has very fast search operations but is not easy to implement and maintain
Pros and Cons
- "It's a brilliant log collection tool, and it can handle hundreds of thousands of servers in a single shot to ingest the data."
- "It's not a new product and is a bit complex. So, it requires a person dedicated to working on it and to know about it in and out. It is a huge product, and the search operation is a bit complicated for a new user or someone who has not used it for long. So for that person, it becomes a bit difficult."
What is our primary use case?
Our primary use case was to catch malicious activity happening inside our organization.
What is most valuable?
As the name suggests, it's a brilliant log collection tool, and it can handle hundreds of thousands of servers in a single shot to ingest the data.
The search operations are very fast, and you can get reports very easily for a huge number of events. You can export the search operations.
It's very easy when you want to further forward the logs as well. For example, from the end device if I'm receiving logs in an outside logger and I want to forward those to some other product, which will do something for me, I can easily do it. That's one thing that I like about it.
What needs improvement?
It's not a new product and is a bit complex. So, it requires a person dedicated to working on it and to know about it in and out. It is a huge product, and the search operation is a bit complicated for a new user or someone who has not used it for long. So for that person, it becomes a bit difficult.
There is a storage problem, and some improvement can be made at the search mechanism.
If you want to do a search, then you have to obtain a couple of criteria to get the exact amount of data. Let's say you have hundreds and thousands of servers in your environment, which will ultimately populate billions of events in a single day, especially the network devices. In this case, if you want to search a specific event, you have to be very, very specific with that query. That's something that can be generalized a bit.
Apart from that, it's a very complex tool and is not easy to implement and maintain. It requires a dedicated team.
Another thing that I think can be improved is the performance issue. When you are ingesting data in ArcSight and also you are forwarding the data from ArcSight to some other products, I have seen some performance issues.
ArcSight does not perform well in this case. It takes time to process the data. The load is too much. At times, the logger crashes.
The UI can be improved as well.
For how long have I used the solution?
I used it for close to two years.
What do I think about the stability of the solution?
The overall stability is good, and I'd rate it as fine.
What do I think about the scalability of the solution?
To scale it, it again comes down to how you are using it. You need to identify the areas which are taking too much load or requiring too many resources from the logger. Area identification needs to be there. Once you do that, then it is easier to scale.
If you are not looking at the right place, then it would be difficult to scale because the bigger the organization, the bigger is the architecture of ArcSight Logger. This is because you need to have multiple loggers so that ArcSight Logger can withhold all the data that I want to feed into it.
We had 20 to 30 users who used ArcSight Logger on a daily basis.
How are customer service and technical support?
Technical support is good. Depending on the agreement with the vendor, such as gold support, platinum support, etc., the support can differ. However, overall, it is good.
How was the initial setup?
The initial setup is complex.
What about the implementation team?
We got help from the vendor during implementation. Without the vendor's help, I would say it's very, very difficult to implement ArcSight Logger and maintain. It's a very complex tool, so we need to have vendor support for implementation.
What's my experience with pricing, setup cost, and licensing?
It's not cheap at all as it's a big product and has been in the market for quite some time now.
What other advice do I have?
I would recommend ArcSight Logger and rate it at seven on a scale from one to ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Consultant at a tech services company with 11-50 employees
User behavior analytics for investigating
Pros and Cons
- "In our country we are a little bit private in terms of solutions, so we are just starting to use the basic data capture. Now some users can start to use additional features that come with Micro Focus ArcSight like user behavior analytics for investigating."
- "I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more competency or appeal to use. We hope Micro Focus is trying to resolve this."
What is our primary use case?
We use the on-premise version of ArcSight Logger.
What is most valuable?
In our country we are a little bit private in terms of solutions, so we are just starting to use the basic data capture. Now some users can start to use additional features that come with Micro Focus ArcSight like user behavior analytics for investigating.
What needs improvement?
I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more competency or appeal to use. We hope Micro Focus is trying to resolve this.
A lot of people that compare this solution with QRadar or McAfee say that the other products in the market are easier to use than ArcSight. After customers do the training to see how they can use it, they change their minds a little bit, but it still seems that Micro Focus should take some time to reduce the complexity in using ArcSight.
ArcSight should give each customer more visibility or a more useful presentation on the web product. There are a lot of customers that want to use the product in the web, especially to use the dashboard, but the dashboard is not so beautiful.
For how long have I used the solution?
We've been using this solution for five years.
What do I think about the stability of the solution?
It has worked fine until now for whatever I needed. Sometimes an issue can occur when a client wants to upgrade the software to a major version. For the most part though, it is very stable.
What do I think about the scalability of the solution?
Well, before the last version I think it was a little bit difficult, but now with the new version that is integrated with the ESM it's a little bit more efficient.
How are customer service and technical support?
That is one of the bad things with Micro Focus. They are not so reactive and sometimes it takes more time to address the issue. There are many tickets that have not been resolved yet. We hope that Micro Focus will be more reactive than they are at the moment.
How was the initial setup?
The deployment doesn't take much time for the standard setup, but it can take more time when we need to integrate the device with the system. Sometimes we have found that we are not supported naturally and must do some tuning to integrate it. That can take some more time, but setup of the initial system does not take more time. It's easy for me now to do this setup. I remember during my first year it took a little bit more time, but that's normal. It's easier to deploy the product in the basic standard, but in the complex module, it takes a little bit more time.
What's my experience with pricing, setup cost, and licensing?
ArcSight Logger is very expensive compared to their competitors, but when we talk to the customer and explain what the features are and how we can scale, they understand. Still, ArcSight is more expensive than the competition.
What other advice do I have?
I would rate this solution as ten out of ten.
Whenever I talk about the product I tell the user to start easy, not to take the whole package and to try to use it quickly. Start with the basics, then you can ramp up fluidly. Sometimes the client or customer wants to take it urgently so at that moment it will be more difficult to use. I prefer to take the product step by step.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Thank you for your honest feedback and the 5 star score. I will ensure that your comments related to support, complexity, and pricing are passed to the Product Manager.