LogRhythm SIEM Reviews

This solution's use case is abnormal administrative lockouts, most of the time.

I'm happy with their AI in general. 

We're able to make useful dashboards. 

The initial setup is now complex if you have a bit of knowledge going in. 

The solution is stable. 

We'd like to receive alerts for zero-day attacks in the future. We'd like alerts that offer us better security. For example, if there are abnormal occurrences, we'd like to know right away. 

We've had issues with scaling and local support.

We've been using the solution for two years. 

It is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance is good. 

We have seven people, admins, who are working directly with the solution. 

It's not easy to scale. Sometimes we have difficulties. For example, when doing updates, we cannot depend on our local support. In some cases that we have found, they don't have much knowledge. We have to work on separate tickets for the kinds of issues we have.

We have local support. If they cannot assist us, they do offer in-house support we can use. The first step in terms of getting help would be our local partner. 

The issue is that local support sometimes isn't as knowledgeable as they need to be. The solution should work to do more training in order to improve local support.

Neutral

We were working on RSA. We switched due to the cost and the lack of local support. The RSA cost is a little bit too high.

The solution offers a pretty straightforward and simple setup. That said, you need some knowledge going into the process. 

The deployment itself took about 90 days. 

I'd rate it a three out of five in terms of the general ease of deployment as there is some complexity and a learning curve. 

There's not much maintenance. We do have to do the updates of the servers and if there is a new release and update, we work on those. For the day-to-day, we try to focus on more log-related tasks.

I can't speak to the exact cost of licensing the product. My understanding is that it is less expensive than RSA. 

We are an integrator and service provider. 

We are not currently using the latest update.

I'm not sure if I would recommend the solution to others as they still need to improve a few things. For example, support, at least on the local level, is lacking. 

I'd rate the solution five out of ten.

LogRhythm NextGen SIEM is customizable, simple to manage, and there are many features. The solution does not require an expert to be able to use it, anyone can use it.

LogRhythm NextGen SIEM could improve by adding more applications for the banking sector. There are not any custom applications at this time.

I used LogRhythm NextGen SIEM within the last 12 months.

The stability of LogRhythm NextGen SIEM is good.

LogRhythm NextGen SIEM is scalable.

The solution has good technical support. 

I would rate the technical support from LogRhythm NextGen SIEM a four out of five.

I have used previously ELK Logstash. In my country, LogRhythm NextGen SIEM is used more than ELK Logstash.

The installation is straightforward.

I rate the installation of LogRhythm NextGen SIEM a four out of five.

The support which allows more customized to the environment when we are deploying new systems is called Professional Service and is very expensive. The technical annual support and there is an annual fee.

The price of LogRhythm NextGen SIEM engineers is expensive, but when comparing them to ELK, ELK engineers are more expensive.

My advice to others is for the initial deployment it should be done by certified engineers or the authorized vendor.

I rate LogRhythm NextGen SIEM a nine out of ten.

Our primary use case for using the LogRhythm SIEM product is reviewing alarms, events, and managing our cases for forensic investigation.

The LogRhythm platform has helped my organization by being able to have 24 analyses on logs and events from all the various systems that feed into the LogRhythm platform. It gives our analysts the capability to assess rapidly and be able to respond to events in almost real time.

We currently have over 500 log sources inside the platform. Managing those is relatively easy. The main feature that we do take advantage of with our log sources is setting up silent log source alarms, so that way we can identify if a log source is not feeding logs as it should be.

Currently, our messages processing rate is around 2,000 messages per second.

Our mean time to detect threats has been going down, which is a good thing. Lately, our main focus has been on handling and reducing the mean time to resolve phishing incidences within the company.

Our security maturity program has been overall positively influenced, mainly in the HIPAA healthcare spectrum, by meeting third-party auditing requirements and having those tested, too, and confirmed by our third-party auditors.

The capabilities that we mostly take advantage of in the LogRhythm platform is the wide array of log formats that we can bring in from various systems, and the capability to create custom role processing capabilities for log sources that may not already be a part of the platform.

Currently, LogRhythm, the playbook's functionality is not in my version, so we're looking forward to utilizing playbooks. That's part of the main draw for me to come here, was to learn more about the playbook functionality and how we can incorporate that into our platform. But right now, the functionality is not there.

The largest room for improvement would be inside the web platform, being able to have a longer log live time. Currently, we manage about five days of live log data inside the web console. Ideally, that should be 30 days-plus.

Stability is very good, so stability for the LogRhythm platform has been very positive. We do have pain points around upgrades, but we have been able to engage with support and get rapid response to how those issues resolved.

Scalability for the LogRhythm platform for my company has been very positive. We've been able to ingest logs from very high-traffic log sources without any type of issue, congestion, so very positive.

I was not initially involved in the setup. I came in to manage the SIEM solution three years after its deployment.

I would rate LogRhythm a nine out of 10, primarily because of the current functionality within the system and the direction that the company is going. I feel it's appropriately aligned with security today and being prepared for tomorrow.

It's visibility. Frequently our network team - while our network security is paramount from a security perspective - our network team is really focused on keeping the network up. They're not concerned about intrusions, and potential malicious activity. They're making sure that users can get data from point A to point B successfully without any downtime. With LogRhythm, our SIEM solution offers more of a rounded perspective, especially from security, making sure they are not only operational, but they're operational in a security conscious manner. That's really helped. 

I specifically keyed on the network, but it's really where we're able to add additional visibility across all groups, from a security perspective, that they might not be aware of. Usually a business owner is just focused on, "Is my application up, is it running? Yes." They're happy. We come in and bolt on security, and we're changing the mindset of our company one group at a time.

Most valuable feature is really providing us visibility into our infrastructure. Frequently, I'm reaching out to our partners in the business, and I'm asking them how I can assist them, and how I can improve their visibility from a security perspective. 

Often times, like many of the users I've met this week here at the LogRhythm User conference, we've encountered that the business owners, they're not familiar with their logs. Some of them haven't even really looked at them. But when I delve into the logs with them, and identify some things we can trigger on and alert on, and really help them improve the efficacy of their tool, it's really been a big benefit to have that visibility. Not only from the security perspective, but an operational perspective. It's really helped to build a relationship between us and the business.

There is, of course, always, improved automation. Because, as we are continually needing more and more people from an analyst perspective, the more we can automate, the fewer people we need. If we can automate some of the lower-level things, that can allow our SOC to be trained on the higher-level more technical things that really give the true value. I don't want my analyst to be stuck underneath sending emails, and "alert fatigue" is the buzz word. 

But, on top of that, there has been a market that has grown from SIEM for security orchestration, where it's another tool you have to bolt on top of SIEM to make SIEM as effective as it should be from day one.

I was in a session earlier today here at the LogRhythm User conference where they're mentioning that the web UI, and through the case management, they're actually getting an incident playbook that you can utilize. That's a big step that I'm intrigued by. Hopefully it goes the way that it's planned because that is one that saves me from having to go out and purchase a separate security orchestration tool, which is just another screen I need to look at.

That feature is one that I'm very excited about, and hopefully it follows the roadmap according to what LogRhythm is projecting. That's definitely a feature that I and my managers have identified as a need. I was excited to hear about that at this conference. 

That's probably the only feature request that would be of drastic improvement to our SOC.

We've been on LogRhythm since version 6. We've dealt with some bumps and bruises here and there. However, LogRhythm has clearly been dedicated to improving stability at every turn and every hotfix and every new agent release. It's gotten better and better.

With 7.2.2 we went to High Availability mode. We were having some issues, our deployment is global, we're in multiple datacenters across the world. Having HA has really helped us because if our platform manager went down, we could just failover perfectly to our second one, and not get called at midnight. So that's been great.

However, past 7.2.2, HA has almost become unnecessary because its stability has improved to such a level that HA is now just a bonus feature. It's a security blanket versus a necessity.

Currently, we're running one AI Engine in our local datacenter where we're based out of, in Texas. We have two platform managers like I mentioned, they're both in HA mode. We have a en-clustered DX cluster in that datacenter. We've got at least one data processor, if not multiple, in every other datacenter with its own corresponding indexer as well. 

We treat as many LogRhythm environments across all data centers that funnel up to our main one in Dallas.

The Professional Services as well as the general support has been phenomenal. They're very attentive to our needs. When we submit a ticket we get a pretty quick response back. If they don't know the answer, they're either immediately going over to their buddies down the row, and seeing if they can get help and, if not, they escalate it as quickly as possible. 

Any upgrade of an application this size, you're going to hit some snags and hurdles, but LogRhythm as a SIEM tool company, from a support perspective, has really allowed us to overcome those and we haven't really had any downtime as a result of upgrades.

They go pretty well. Of course there are bumps and bruises, especially with LogRhythm being such a massive application. If it was to go 100% well, I would honestly think that it didn't go that well, and I just don't know about it.

I don't think any application can truly be a 10 out of 10, especially one of LogRhythm's size; that would be very difficult to achieve. But an eight, in my mind, is perfect. That means there is room for improvement, there is room for me to work with the vendor, and talk back and forth about what my needs are specifically so they can work that into a feature request down the line.

The consistency of its interface, whether you go to a dashboard, a search, an alarm - everything comes back consistently. There isn't a different interface for every function that you do, so it makes it very usable.

The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports.

I think part of the thing that LogRhythm has always done with the deployment is a lot of hand-holding by Professional Services. I would tell everybody that was going to do this to pay the money and get Professional Services. Don't try to do it by yourself.

Awesome. In fact, I just went through a scaling exercise where we outgrew our initial implementation and we were able to double, very easily, our capacity through an upgrade process.

They're awesome. We use them all the time. I tell my staff that whenever you have an issue, the first thing you do is you open a ticket with tech support, then you start playing with it. If you have solved it by the time tech support gets back to you, cancel the ticket.

We were previously using SolarWinds and we outgrew it. It wasn't scalable. We needed to find a solution that would scale as we grew it.

It was straightforward.

We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

• AI Engine
• Alarm rules correlation
• Web interface
• The amount of information it has throughout the web interface
• The drill-down

We've been able to go ahead and find more with less effort, just on the web interface itself.

Functionality, ease of use.

There are a few "gotchas" in the applications. One of the issues that we're having right now is on the AI Engine, when you do the drill-down. There are no events that are being populated for the drill-down. The recent upgrade and release fixed some of that.

And some of the other parsing rules. Parsing isn't done correctly.

We've only been a customer for maybe about five months.

It seems to be fairly scalable.

We have used LogRhythm technical support. The response is really good.

We were using McAfee Nitro. The administration of the application was very cumbersome, and trying to get reports, customizing the analytics on there, is a bit difficult. We looked at LogRhythm, and LogRhythm seemed to have a lot of the stuff built in, canned already.

It was pretty straightforward. There were some things that were a little bit complex after the setup, and trying to troubleshoot some things. For example, log indexer was indexing most things, but not everything. It got backed up, so we had to go in and troubleshoot some of the processes.

It was pretty significant for our solution to be a unified end-to-end platform because we did have a wide range of systems out there; trying to make sure that it was able to bring in the sources and correlate the events.

The only thing that surprised me was the logs filling up for some of the indexing jobs. Other than that, there was nothing that support wasn't able to go ahead and help us with and get resolved.

My advice to a colleague at another company who is researching a similar solution would be: Make sure you do your research. Understand what it is you're looking for in a SIEM. Have a plan of attack on what it is that you're looking for, and what do you want to get out of the tool.

• Ability to collect logs
• File integrity monitoring

It has helped. We are still not very mature in our use of the product, but we are trying to get there. We are pretty small on the security side, but it has helped to give us visibility into our point of sale applications.

Just maturing is one of our biggest challenges, and really leveraging all the tools that LogRhythm provides. Just keeping up with it.

Just integration into our ticketing system, which we're using service now. Just being able to integrate LogRhythm with that so we can track incidents.

Continued support to help us understand the solution better.

It is very scalable, though we have not scaled it yet.

It is very good. LogRhythm has also contributed some sales engineers to help us, We have also participated in a weekly call, and we did an evaluation of that for 90 days. This has also been very helpful.

We were using another product called AlienVault. The main driving factor behind looking for this solution was our PCI compliance requirement. We switched from AlienVault due to a lack of parsing rules providing by them, and LogRhythm provided those parsing rules for various devices we were collecting information from.

I was involved in the initial setup. It was very straightforward. I had used a different product previous to LogRhythm, so I had a basis of what I wanted to compare to. I was able to take that little bit of experience and bring it to LogRhythm, and ask them how do I accomplish these goals, and it was very straightforward. They helped through that process.

I can't remember anymore.

Though LogRhythm's involvement in providing quick answers to some of the criteria that we wanted to accomplish (5-10 things), and they were able to come up with those answers very quickly.

Make sure that what data you are collecting is usable. That is probably the biggest advice. Because the first product we used, we had problems just understanding the data presented in the SIEM console.

It's nice if the solution is a unified end-to-end platform, but it is not a deal breaker.

Most important criteria when selecting a vendor: Support after implementation is probably the biggest.

We use the product for server and event management for the financial sector.

The product's stability needs improvement.

We have been using LogRhythm SIEM since last year.

We encountered some system downtime issues.

The product is scalable. Its scalability is based on specific licensing plans. It is suitable for enterprises. It has a lot of advantageous features for SIEM.

The technical support services are good.

Positive

We used SolarWinds before. We switched to LogRhythm because of specific requirements regarding log information and SOC activities, particularly for government contracts. In comparison to products like IBM and HP, LogRhythm is a cost-effective alternative.

The initial setup process is very user-friendly. It takes 15 days to complete.

Compared to other products,  LogRhythm SIEM generates a return on investment in terms of ease of use.

The product is inexpensive than other tools like IBM, QRadar, etc.

We evaluated six products as per our client’s requirements. They decided to go for LogRhythm, which solves business purposes and has economical pricing.

I rate LogRhythm SIEM an eight out of ten. In comparison, IBM has more features that are essential at the moment. However, it costs three times more than LogRhythm SIEM.