Has the ability to investigate a particular period of time in order to analyze logs, but we've had problems with stability
Pros and Cons
- "The ability to investigate a particular period of time where you can analyze logs is its most valuable feature."
- "I would like to see more integration with more products that are out there within the same security field."
What is our primary use case?
Our primary use case is for looking at daily logs, drawing conclusions, and making relationships and correlations to investigate particular event IDs, investigate particular alarms that we have, and just viewing normal data use. I'm new to the system so I'm still getting used to it.
How has it helped my organization?
From a security standpoint, it's the solution to have, in regards to LogRhythm. Just having a SIEM solution in your environment is definitely key. It's a very highly rated solution, but we may be moving away from it in the future. We're looking to see what else is out there.
What is most valuable?
The ability to investigate a particular period of time where you can analyze logs is its most valuable feature.
What needs improvement?
I would like to see more integration with more products that are out there within the same security field.
There has to be some improvement with SecondLook Wizard. It's one of the functionalities on LogRhythm where you can restore inactive logs. For instance, from a forensic analysis point of view, if something happened around a year ago that you have to look into. I wish there was a smoother, more seamless feature.
Buyer's Guide
LogRhythm SIEM
January 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.
What do I think about the stability of the solution?
We have a lot of issues with stability. Sometimes it crashes and we have to rerun a scan. It also freezes. It hasn't been the best.
What do I think about the scalability of the solution?
Scalability is fine.
How are customer service and support?
We've submitted some tickets with their technical support. My manager has had some poor experiences with them in the past.
Which other solutions did I evaluate?
Quality, support, preciseness, and accuracy are the criteria we consider when we evaluate solutions to proceed with.
What other advice do I have?
I would rate it a six and a half out of ten. Sometimes I have to rerun scans and look into why the scan didn't complete and why it crashed. All of that stuff has to do with the initial setup. For the most part, it does what we want, but there can definitely be improvement.
I would advise someone considering this solution to look beyond LogRhythm. LogRhythm is one of the top solutions. I would say Splunk is overrated. Look into IBM QRadar and then McAfee as well.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a financial services firm with 1,001-5,000 employees
Web Console allows me to see the health of our environments, but support needs work
Pros and Cons
- "The Web Console is my favorite. It enables me, at a glance, to see the health of the environments."
What is our primary use case?
I'm an admin and analyst, so use cases cover a lot of log sources for applications, mostly.
How has it helped my organization?
Being able to see when one of our assets is down and being able to restart it really quickly has been a definite benefit. It has been really helpful in the general maintenance of our whole environment.
We're able to look at our environment and see how it's being affected, according to the log sources. We can immediately see how the system responds to things that our development team does.
What is most valuable?
The Web Console is my favorite. It enables me, at a glance, to see the health of the environments. That is really important to me and to us.
What needs improvement?
I would like to see more widgets. I just love the widgets on the Web Console, I love to play with them, so more would be better.
What do I think about the stability of the solution?
The stability has been great since the upgrade.
What do I think about the scalability of the solution?
We just upgraded to 7.35 and, although I wasn't involved in that, it seems like since then everything has been working really well. It scaled really well and we are taking in new network monitors. That has been really easy.
How are customer service and technical support?
We usually do end up having to remind technical support about our issues, get back in touch with them to see what the status is on our tickets. That has been frustrating in the past, but they do find solutions. Sometimes it takes a while. And sometimes that communication gets lost. Some of our tickets had to be escalated to engineers. They get a little bit lost, at times, when that happens to a ticket.
Overall, I would rate tech support at three out of five.
What other advice do I have?
I would definitely recommend LogRhythm. Work with the LogRhythm team to help learn how your environment works. Use as much help as LogRhythm can provide in your initial setup, so you can understand your environment best.
We have more than 20 log sources. We average around 3,000 messages per second. We have hit 8,000 in the past, but not since the new upgrade in which we got more room. In terms of staff for deployment and maintenance, there are just two of us who share it. But when we're on-call, all of us use it. There are nine of us who use it every day when on-call.
I rate the solution at seven out of ten. I'm very happy with it. I love how powerful it is. However, the customer service is where the points come off. I know they're working on it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Architect at an energy/utilities company with 201-500 employees
We use it to examine traffic patterns and anomalies, but have a hard time visually sifting through the noise
Pros and Cons
- "We have NetFlow information going into it, so we can examine a lot of traffic patterns and anomalies, especially if something stands out and is not the baseline. This helps a lot."
- "We're still struggling to get a real return on it and finding something that isn't false noise."
What is our primary use case?
We have a small population of users, but we are large physically and geographically spread out with a lot of devices on our network. We need all that login capability going into one spot where we can see it and correlate events across all our infrastructure with a small staff.
How has it helped my organization?
We're still struggling to get a real return on it and finding something that isn't false noise.
There have been a few things, such as weird service accounts that have an encrypted password which are locking things out. However, we haven't had a big security event success with it as of yet. We could be missing things here, not seeing what is going on.
What is most valuable?
We do a lot of the alerting, as far as user accounts. We have NetFlow information going into it, so we can examine a lot of traffic patterns and anomalies, especially if something stands out and is not the baseline. This helps a lot.
What needs improvement?
We still have a lot of noise, so this is a problem. We are having a hard time visually sifting through it. We need help dialing it in. We don't have the in-house expertise. Do we hire someone just for this purpose and have them sit there all day, every day doing that? It is almost at that point. We are looking at Optiv as a solution right now.
It is so robust. There are so many moving pieces that you can't dabble in them. This is the problem that we are struggling with. You have to have somebody who works with it, and that is their job. Maybe a bigger company could have a whole team which could do this, but we don't have the capability right now.
I would like to see the client and the web client merged, so all the administrative functions are in the same web interface. It is just clunky right now. If you leave it running, it slows down your machine. However, we are still on version 7.3.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It seems to be stable.
What do I think about the scalability of the solution?
It should meet our needs going forward. It seems like it is a mature enough product.
As far as what it takes, I don't know if it's worth the effort to get it on all the desktops, like every single user desktop and laptop reporting to it or if it is better just to target the main controllers, etc.
How are customer service and technical support?
I haven't had to use them too much. We will find out after we go online with Optiv.
I have my sales engineer with LogRhythm, who has been helpful. She reaches out to me every couple months just to see if we need anything and offers assistance, because we'd already used up our block of hours when we first provisioned this solution.
We probably will contact them, if we go with Optiv, then they can help us upgrade.
How was the initial setup?
We did an on-premise solution. If I had to do it again, I would probably do a cloud-based solution. They basically shipped two boxes which were essentially ready to go. Then, I worked with an engineer who had a block of hours and he got the HA capability going. We got it dialed in and tied it up with the mainframe.
Our team is in the process this week of doing a health check and trying to get everything up to speed. We are doing an upgrade, because we are still on 7.3. We need to be upgraded to 7.4.
We have been using it for about a year. We are probably only about 75 percent there. We need help getting it dialed in, having some of the noise tuned out, and getting the alerts set up properly, so we can work off hours on different triggers. This is where we are struggling because we need to sleep, and we are blind during that time. So, we need something to help us with that.
What about the implementation team?
The installation wasn't too bad. LogRhythm did most of it. I just had to do the stuff that was specific for our environment.
Which other solutions did I evaluate?
We went back and forth between LogRhythm, Splunk, and AlienVault.
I liked LogRhythm mostly for how it integrated with the network infrastructure. It was my decision, and I'm not 100% sure that I picked the right one.
LogRhythm works well with our network-centric environment. However, it may not be the best for other things.
What other advice do I have?
I am rating the solution a six out of ten, because we have not gotten it to work yet. With all its components, there is such a learning curve.
I haven't gotten far enough along in the process to know if the solution has a shortcoming or if it is our shortcoming with somehow getting it dialed in.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Systems Support Analyst at a manufacturing company with 10,001+ employees
Ease of use has helped us uncover a lot of information and protect our data
What is most valuable?
Ease of use.
How has it helped my organization?
We're pretty new to it, but so far it's uncovered quite a bit of information. Just having everything in a single space has been very helpful.
As a security organization, our challenges are discovering where our data is at, most times, and protecting it. As I said, we're fairly young in LogRhythm, but so far it's done a very good job.
What needs improvement?
CloudAI is amazing from what I've heard about it so far, and I'm looking forward to it.
There is always room for improvement. Everybody continues to integrate. They've been a great company to work with so far. I'm one of those who is optimistic; there's always room for improvement.
What do I think about the stability of the solution?
Rock solid so far.
What do I think about the scalability of the solution?
Scalability is incredible. There are no two ways about that: we're not even scratching the surface, and we're a pretty large company.
How are customer service and technical support?
We've used tech support a couple of times, and they've been very responsive and very knowledgeable.
Which solution did I use previously and why did I switch?
This is our first SIEM. My biggest driving factor was something that we could run with a small team. Like most, we have a very limited set of people to do this.
How was the initial setup?
It was fairly complex, but that's just because we did the little things that aren't normal in our environment, but other than that fairly straightforward.
We did it in a little bit of a different fashion than most would. We deployed it in Azure, in a cloud environment. That was a little different, but still pretty straightforward.
What other advice do I have?
The unified, end-to-end solution is very key here. We have a lot of various tools, and trying to get them all into one is very key.
Be sure to size it properly. Don't try to boil the ocean. Get your key log sources and let it start paying for itself immediately; it will.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager Security Operations Center at a leisure / travel company
Investigation tab allows us to dig deeper into the alerts that we receive; the UI is easier than other solutions
How has it helped my organization?
Our key challenges in security include
- standardizing our policies
- having the end user population be aware on the security side of things.
And the solution, LogRhythm, is helping us today to enforce it. We see now what it is that we're trying to propagate into the environment, based on the policies that we're monitoring today. The goal is to 100% enforce our policies.
It has improved things tremendously. Going from a third-party vendor to an in-house solution, such as the LogRhythm solution, has given us visibility into the entire organization, compared to the limitations, based on budget and whatnot, from a third-party vendor. Absolutely, we have a lot more visibility now.
I can tell you that having the ability to monitor the semi-subsidiaries that are a part of our organization, is huge in that sense.
We have 10,000 EPS, as it is. And we have between about 500 and 1500 incidents daily.
What is most valuable?
One of the most valuable features is the investigation tab. It allows us to dig in deeper into the alerts that we receive today, based on the policies, that get triggered by our end-user population.
What needs improvement?
I think a must-have feature would be better reporting. Today, as you can imagine, the organization would like to see what is happening in our environment, and the reporting feature within LogRhythm, I would say, is very limited.
The reports do not provide information such as, who are your top ten end users generating the most activity within the environment, or appliances, per se, so that's very limited.
What do I think about the scalability of the solution?
So far, from my end, I haven't experienced any challenges. We are able to integrate all of the solutions that we have out there: our antiviruses, our data-loss prevention tools, and even our web browsing filtering.
At this point, I really don't have any challenges. Maybe the architectural team has different ones for integrations, but no issues on my end.
How are customer service and technical support?
I have not used technical support, as I do not troubleshoot the application itself. We are technically just administrators of it, monitoring.
Which solution did I use previously and why did I switch?
Because the organization wanted to have an in-house solution, when we looked at what was out there, we thought that LogRhythm, based on the user interface that was somewhat easier to follow compared to the competition, was a must for our security analysts.
And the additional features within the investigation side of it, to dig deeper into what's going on out there. Those were two big selling factors for us.
Which other solutions did I evaluate?
- Curator
- Splunk
- Dell SecureWorks
We chose LogRhythm because, as I said before, the user interface was really a plus for us. It was easier to understand, compared to the competition. And the ability to dig in deeper in the investigation tab, those were the two major selling points.
What other advice do I have?
The most important criterion, when selecting a vendor, is how easy it is to adapt to the solutions we have in house. Every organization, I understand, is different, but based on what we required, for the most part I'd say about 85% of our needs were met with LogRhythm, compared to all other competitors.
It's very important for our solution to be a unified, end-to-end platform because the organization might adapt new technologies. Our security architect needs to have the ability to integrate them. If it's a challenge then, definitely, that's going to be a downside for us.
If a colleague at another company was doing a SIEM solution comparison with this and similar solutions, I would say to give LogRhythm a shot and, if the possibilities are there, to implement a PoC to understand how the solution can help them.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP, Information Security Officer with 501-1,000 employees
Custom rules/alerts in LRM and AIE provide insight into network for internal users and InfoSec, although adding an entity could be much faster.
What is most valuable?
- Advanced Intelligence Engine (AIE) for threat intelligence, 9/10
- LRM for logging and compliance, 8/10
How has it helped my organization?
Custom rules/alerts in LRM and AIE provide insight into network for internal users as well as InfoSec. Proactive account lockout alerts for SecAdmin, alerts to DBAs on domain admin access to SQL servers, PCI and GLBA compliance alerts/reports for InfoSec and Audit.
What needs improvement?
Adding an entity (should be able to create a template and/or eliminate locations) could be much faster/streamlined. The wizard could be improved to specify OU/Groups to search for new entities.
For how long have I used the solution?
- LRM – four years
- AIE – three years
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
There have been issues with the hardware which has resulted in the LRM going down a few times.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service: It's the best there is.
Technical Support: It's the best there is.
Which solution did I use previously and why did I switch?
We had Tripwire, but we needed logging and SIEM, not just logging.
How was the initial setup?
It was straightforward as the training provided all the tools. Also, the UI has gotten better with time.
What about the implementation team?
We had a mix of an in-house team with one from LogRhythm.
What was our ROI?
Literally impossible to quantify. We haven’t had any events or deficiencies in audits, which is invaluable.
What's my experience with pricing, setup cost, and licensing?
Pricing (especially considering feature sets) is best in the market, though HA/DR is tough to justify for an SMB. Even with two outages due to hardware we haven't invested in a backup.
Which other solutions did I evaluate?
- QRadar
- RSA
- Tripwire
What other advice do I have?
Implementation time, hygiene/maintenance time, functionality, and cost make it the clear choice in a competitive market.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
HP ArcSight vs. IBM QRadar vs. McAfee Nitro vs. Splunk vs. RSA Security vs. LogRhythm
We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we are following it up with a SIEM Product Comparison – 101 deck. So, here it is for your viewing pleasure. Let me know what you think by posting your comments below. The key products compared here are based on the Gartner Magic Q, which is what organizations typically use to select SIEM vendors. The vendors mentioned here in the deck are:
1. HP ArcSight
2. McAfee Nitro
3. IBM QRadar
4. Splunk SIEM
5. RSA Security Analytic
6. LogRhythm
SIEM Technology Space
SIEM market analysis of the last 3 years suggests:
HP ArcSight
The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- ArcSight Enterprise Security Manager (ESM): Correlation and analysis engine used to identify security threats in real-time & virtual environments
- ArcSight Logger: Log storage and Search solution
- ArcSight IdentityView: User Identity tracking/User activity monitoring
- ArcSight Connectors: For data collection from a variety of data sources
- ArcSight Auditor Applications: Automated continuous controls monitoring for both mobile
| Strengths | Weaknesses |
| --- | --- |
| Extensive Log collection support for commercial IT products & applications | Complex deployment & configuration |
| Advanced support for Threat Management, Fraud Management & Behavior Analysis | Mostly suited for Medium to Large Scale deployment |
| Mature Event Correlation, Categorization & Reporting | Requires skilled resources to manage the solution |
| Tight integration with Big data Analytics platform like Hadoop | Steep learning curve for Analysts & Operators |
| Highly customizable based on organization's requirements | |
| Highly Available & Scalable Architecture supporting Multi-tier & Multi-tenancy | |
IBM QRadar
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- QRadar Log Manager – Turn key log management solution for Event log collection & storage
| Strengths | Weaknesses |
| --- | --- |
| Very simple deployment & configuration | Limited customization capabilities |
| Integrated view of the threat environment using Netflow data, IDS/IPS data & Event logs from the environment | Limited Multi-tenancy support |
| Behavior & Anomaly Detection capabilities for both Netflow & Log data | Limited capability to perform Advanced Use Case development & analytics |
| Suited for small, medium & large enterprises | |
| Highly Scalable & Available architecture | |
McAfee Nitro
The McAfee Enterprise Security Management (formerly Nitro Security) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- McAfee Enterprise Log Manager – turn key log management solution for Event log collection & storage
- McAfee Event Receiver – collecting log data & native flow data
- McAfee Database Event Monitor – database transaction & Log monitoring
- McAfee Application data Monitor – application layer event monitoring
- McAfee Advanced Correlation Engine – advanced correlation engine for correlating events both historical & real time
| Strengths | Weaknesses |
| --- | --- |
| Integrated Application Data monitoring & Deep Packet Inspection | Very basic correlation capabilities when compared with HP & IBM |
| Integrated Database monitoring without dependence on native audit functions | Limitations in user interface when it concerns navigation |
| High event collection rate suited for very large scale deployment | Requires a lot of agent installs for Application & database monitoring thereby increasing management complexity |
| Efficient query performance in spite of high event collection rate | No Big Data Analytics capability |
| | Limited customization capabilities |
| | Limited support for multi-tier & multi-tenancy architecture |
Splunk
Splunk Enterprise is an integrated set of products that provide Log Collection, management & reporting capabilities using
- Splunk Indexer – used to collect and index logs from IT environment
- Splunk Search Heads – used to search & report on IT logs
- Splunk App for Enterprise Security - used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, Netflow etc.)
| Strengths | Weaknesses |
| --- | --- |
| Extensive Log collection capabilities across the IT environment | Pre-SIEM solution with very limited correlation capabilities |
| Log search is highly intuitive – like Google search | Even though easy to deploy, increasingly difficult to configure for SIEM related functions |
| Flexible dash boarding & analytics capability improves Log visualization capabilities | |
| Built-in support for external threat intelligence feeds both open source & commercial | |
| "App Store" based architecture allowing development of Splunk Plugins to suit monitoring & analytics requirements | |
RSA Security
RSA Security Analytics is an integrated set of products that provide Network Forensics, Log Collection, management & reporting capabilities using
- Capture Infrastructure
  - RSA Security Analytics Decoder – Real time capture of Network Packet and log data with Analysis and filtering capabilities
  - RSA Security Analytics Concentrator – Aggregates metadata from the Decoder
  - RSA Security Analytics Broker Server – For reporting, management and administration of capture data
- Analysis & Retention Infrastructure
  - Event Stream Analysis – Correlation Engine
  - Archiver – Long term retention, storage, security & compliance reporting
  - RSA Security Analytics Warehouse – Big Data Infrastructure for Advanced Analytics
| Strengths | Weaknesses |
| --- | --- |
| Great Analytics using Event Log Data & Network Packet Capture | New Product release from RSA, hence advanced Security correlation support is poor |
| Network forensics, Big Data (Parallel Computing) are cornerstones in SIEM world | Security Analytics Warehouse is a new capability with very little real world use cases |
| Tightly Integrates with RSA ecosystem for Threat Intelligence, Fraud Detection, Malware Analysis etc. (each requires separate RSA Tools) | Suited only for large enterprises with need for complex deployment and management resources. Poor deployment options for small and midsize customers |
LogRhythm
The LogRhythm SIEM 2.0 Security Intelligence Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- Log Manager – high performance, distributed and redundant log collection and management appliance
| Strengths | Weaknesses |
| --- | --- |
| Well balanced log management, reporting, event management, privileged user monitoring and File integrity monitoring capabilities | Suitable for Security event data only, as Operational data sets cause slowing performance for searches and reports |
| Fast deployment with minimal configuration because of appliance form factor | No Support for Active Directory integration for Role-Based Access Control |
| Quarterly Health Check programs post-deployment offers great After sales-Service experience | Suited best for small and mid size companies with basic security, regulatory compliance and reporting needs. Not scalable for very large deployments. |
A summary scoring sheet for SIEM vendors based on their core capabilities is given below.
| Capability | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight |
| --- | --- | --- | --- | --- | --- | --- |
| Real-time Security Monitoring | 3.1 | 3.2 | 2.5 | 3.9 | 4.2 | 4.4 |
| Threat Intelligence | 3.7 | 2.5 | 3.0 | 2.8 | 3.5 | 4.5 |
| Behavior Profiling | 2.5 | 2.3 | 3.0 | 3.0 | 5.0 | 4.0 |
| Data & End User Monitoring | 3.6 | 3.5 | 1.7 | 3.6 | 3.5 | 4.0 |
| Application Monitoring | 3.8 | 3.5 | 1.8 | 3.7 | 3.3 | 3.8 |
| Analytics | 2.5 | 2.5 | 3.8 | 4.5 | 3.5 | 4.0 |
| Log Management & Reporting | 3.5 | 3.8 | 3.5 | 3.8 | 3.9 | 4.0 |
| Deployment & Support Simplicity | 3.0 | 4.0 | 2.5 | 3.5 | 3.5 | 3.0 |
| Total (Weighted Score) | 25.7 | 25.3 | 21.8 | 28.8 | 30.4 | 31.7 |
1.0 = Low level of capability
5.0 = High level of capability
SIEM Vendors – Use Cases Score Card
| Use Cases | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight |
| --- | --- | --- | --- | --- | --- | --- |
| Overall Use Cases | 3.2 | 3.2 | 2.7 | 3.6 | 3.8 | 4.0 |
| Compliance Use Cases | 3.3 | 3.7 | 3.0 | 3.7 | 3.8 | 3.8 |
| Threat Monitoring | 3.1 | 3.1 | 2.9 | 3.8 | 3.7 | 4.0 |
| SIEM | 3.2 | 3.4 | 2.8 | 3.6 | 3.8 | 3.9 |
| Total (Weighted Score) | 12.8 | 13.4 | 11.4 | 14.7 | 15.1 | 15.7 |
1.0 = Low level of capability
5.0 = High level of capability
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Engineer with 201-500 employees
Allows us to automate a lot of things with a smaller team
Pros and Cons
- "It allows us to automate a lot of things with a smaller team."
- "Move it to Linux. I would like to see it get off the SQL Server."
What is our primary use case?
We use it to alarm our help desk.
We are starting to use it for SMART Response. We have been using SMART Response for about a year. Now, we are starting to push that towards the help desk, so the junior analysts can do more.
How has it helped my organization?
It allows us to automate a lot of things with a smaller team.
What is most valuable?
- AI
- SMART Response
- Looking forward to using the playbooks
What needs improvement?
- Move it to Linux. I would like to see it get off the SQL Server.
- I would like it to be containerized.
What do I think about the stability of the solution?
Our appliance is a little older, so we need to upgrade it. We are going to probably move to the software-only version. However, the issues that we have are our own fault because we didn't buy the right-size appliance.
What do I think about the scalability of the solution?
We are not that big of a company. We are only at about 800 events per second.
How are customer service and technical support?
We have had a couple of custom logs built, but we don't call in that much.
How was the initial setup?
The initial setup is easy with the physical appliance.
What about the implementation team?
We have two people who are setting it up and doing the admin side.
What other advice do I have?
Make sure you size the appliance correctly.
We use Ansible and Terraform for infrastructure, so the same concept as the playbooks. We are looking to use the playbooks going forward.
We have about 1500 log sources. We do about 25 million logs a day. Obviously, they're not all events.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cost/License should also be part of the criteria, because the capabilities of these solutions depend on how much EPS they are allowed to process. A lot of "events" go down the drain if it's beyond the EPS that the customer licenses, therefore giving it an incomplete view of the network. Some remarketers of these solutions have crimped their proposal just to make a sale. Just my 2 cents.