Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.
It has been the easiest SIEM platform that I have worked with or seen in production.
It is an easy, centralized view of our environment.
Our key challenges and goals are maturing our security operations and security event management process.
We have implemented it as a necessary feature, but we need to be able to mature that.
I was just involved in the decision-making process. However, I know that the deployment was straightforward.
It seems to be highly scalable and easy to scale.
I have not used LogRhythm technical support.
I was just involved in the decision-making process. However, I know that the setup was straightforward.
It is extremely important for our solution to be a unified internal platform.
I would recommend looking into it.
It has benefited the IT team's security functionality.
Our key challenge is HIPAA compliance. Then obviously, protection against malware, and particularly ransomware, is one vital threat to our organization.
As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration.
Increased total costs of ownership (TCO): We have had to staff up our SOC. This has required analysts, which has required salary and staffing requirements.
In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution.
In addition, I'd like to see more automation coming in. Whilst they have SmartResponse, it does not yet configure with OpenAPI support. That is something that I feel they need to look at in their next edition.
The scalability is very good. One of the reasons that we bought LogRhythm was because of its scalability. We intend to scale up as we increase our company size.
It is mostly good. We are not always able to reach the right person. We have had a couple of problems that were escalated all the way to Level 3, but they have always been solved.
We did not have a previous solution.
As a healthcare organization, we obviously have to have HIPAA compliance. This was the main driver for purchasing the solution.
I was involved in the setup. It was mostly straightforward.
Look at your staffing. Do you have highly technical people on your staff? If you do, then you obviously want to buy the product and look at your scalability options. If you don't have your staff, absolutely look into the co-pilot and factor that into your cost evaluation.
The SIEM tools we considered included Splunk and SolarWinds.
For LogRhythm against Splunk, it was their pricing model. For SolarWinds, it was LogRhythm's reputation and scalability.
It is highly important for our solution to be a unified end-to-end platform.
Most important criteria when selecting a vendor:
LogRhythm has their co-pilot, which is absolutely essential, and whilst we do not use co-pilot in our organization, knowing it is there is certainly absolutely valuable.
Well, our eCommerce site is very important to our business. So not only NetMon, but also just knowing the traffic that's coming in and out of there, and whether it's coming from bad sources. We have to protect our eCommerce site and it is helping us do that.
As a security organization, we are constantly attacked, either from disgruntled ex-distributors, as we're a distributor-based company, or just people that don't like distributor-based companies at all. Therefore, we are constantly attacked, and we are pretty confident LogRhythm will put us in a good way that we can deal with this.
We have got a lot to learn. However, doing the research that we did, it looks like LogRhythm is going to be a great solution for us that we'll be able to monitor external and internal traffic with our SIEM, again with Netmon, and log the sources that we need.
Better knowledge transfer during implementation.
We definitely thought it was complex when we initially set it up, but that is usually just a single pain problem. It could definitely be more straightforward.
We are a new customer.
We are around 3000 logs per second. We have datacenters in Amsterdam, one in Florida, and some in Salt Lake City. It's a global company, so we get traffic from all over the place.
I don't know that I have much to answer on this yet. We have only purchased a single appliance and the NetMon appliance. I think it will be interesting to see if we need to scale, depending on if we ramp up, how many logs we're actually processing.
We have come from a separate SIEM, SolarWinds, and just purchased LogRhythm within the past couple of months.
They switched because they flat out didn't like SolarWinds and their interface or anything like that.
We've had, in the past in our company, ransom attacks. Prior to me being there, there was one that they paid out, and obviously, that is a painful way to go about doing business. We want to secure our data. We want to make sure that does not happen again.
We have implemented the core implementation, but we haven't done any of the onboarding or anything like that yet, but I was there.
We were overwhelmed at first, and now we're starting to figure out what the capabilities are.
7pace and Nagios.
We chose LogRhythm due to its better interface. We had demos and felt like LogRhythm was the better solution for us.
Do your due diligence. For the most part, you're dealing with the same data depending on who your SIEM is. It is still the same data that's being returned or that you can pull. Definitely do your research because your SIEM itself may not get you what you need out of that data.
A unified end-to-end platform is very important to us. We don't want to go to 12 different user portals. We want to know in a quick way what we're dealing with. We want to be able to see the data without having to jump all over the place to get it.
Most important criteria when selecting a vendor:
The advanced intelligence engine -- in fact, the whole suite -- is very powerful. It depends how you use it. Security management is what it's best at. As far as I’m concerned, it’s one of the best.
This product is in general for medium-sized companies. For bigger companies with millions of logs coming in, it just cannot support them. The solution is not robust. It depends on the size of the companies and the size of the firewalls you have which will determine if it will work for you. This product is really good and easy to use for medium-sized companies.
I've used it for three years.
Initially we had a lot of issues. Today it has improved dramatically, and it has no issues in deployment.
It is very stable, but we have to work with it and identify which logs we need. If we don’t, it doesn't handle the traffic well.
Every tool is different, and you just have to work with it.
It’s one of the best customer services you could find. Everyone is very knowledgeable and helpful. You aren’t waiting around for tickets to be resolved. If they can’t resolve it, they escalate and resolve quickly.
Absolutely we have made a ROI. It resolves a lot of issues. It helps a lot of our infrastructure and everyone is benefiting. It’s absolutely worth the money spent.
They are very transparent about the licensing. They are upfront. They tell you what can handle what. They are honest people.
I have been invited to user group meetings and we have had good conversations. They have been very helpful and they understand my needs. They listen to our input and really take it seriously. They really work with us on different issues.
Everything is fantastic.
My primary use case is threat detection.
LogRhythm SIEM has improved our organization by allowing us to bring in very widely diverse log sources, correlate them, and very easily create rules around alerting. We also use the case management features of the product to easily integrate both products into a single pane of glass for our analysts so they don't have to use two different products for alarming, as well as case management.
I would say we have seen a decrease in mean time to detect and respond over our previous SIEM. Basically, I think it can be attributed to the integrated case management. We are able to create cases, get eyes on those cases much more quickly than we were before.
The most valuable features are probably the AI Engine, which is very valuable, as well as Netmon.
We plan on using the playbooks, and the value I think we'll get is automating or scripting the responses that our analysts use, rather than using our existing playbooks, which are somewhat incomplete. I think the playbooks will be a lot of out-of-the-box, pre-scripted playbooks that should be extremely helpful to us, as well as integrating some of the SmartResponse capabilities into the playbooks.
Definitely expansion on log parsing. There are some obscure log sources that we don't currently have parsers for. We needed a new solution when the licensing on our previous solution expired. Hardware was out of life, as well as it wasn't scaling very well. It didn't provide a lot of the features that we needed.
Stability has been pretty good. We've had some roadblocks, or some, I'm sorry, some road bumps, in terms of A&E stability, as well as with some log parsing with some of our larger log sources.
Scalability seems great. We actually did an expansion recently, and so far, it seems to be scaled well.
Tech support has been extremely helpful. They are generally very quick to respond. If the first level is not able to resolve the issue, they generally escalate pretty quickly and gather logs. They seem to be hands-on. They generally will take over your session, actually do a WebEx, take over your WebEx session and actually do most of the driving, to make things run a little smoother, rather than, you know, directing you to where to find logs in Linux or things that can be kind of obscure. They generally will do everything for you, short of making, you know, impactful changes.
As far as supported log sources, we find it to be very good for very common log sources, Palo Alto firewalls, you know, Windows log sources. There have been a few security tools that we've found that weren't supported out of the box, so we've had to either use professional services, try to create those parsing rules ourselves, or open cases with LogRhythm support to have those created.
The reason we switched to LogRhythm, one of the core reasons, was the case management, and, as well as the Netmon. We liked having the integrated Netmon, and the case management, again, gave us a single pane of glass for our analysts to view the data, import the relevant data into the cases without having to use separate systems.
LogRhythm is definitely influencing. Since investing in LogRhythm, we've seen a lot more visibility into our product, into LogRhythm. We have a lot of non-security operations teams that are using the SIEM tools, just to view logs, Windows logs, troubleshooting issues, troubleshooting security events, so we're getting a lot of buy-in from other teams into the program, which has accelerated the maturity of our program.
I was involved in the initial setup, and it was fairly complex. We did use professional services to do most of the work, but, yeah, it was somewhat complex compared to some other solutions I've used in the past. However, with the capabilities of the product, it wasn't surprising, because, you know, with a feature-rich product, you're gonna have some complexity with it, as well.
I would probably rate it as an eight or a nine, currently, mainly, probably due to the complexity of importing log sources that aren't natively supported.
The primary use case is compliance requirements.
It is performing at the moment, but we are still in the process of implementing it.
We haven't fully integrated it or stood up the platform, so the benefits aren't realized yet.
The most valuable features would be the automation, reporting, and the support.
I do plan to use the full extent of the correlation and AI Engine to streamline our processes.
My big thing is the usability. I don't like to go to two different systems: the fat client that you have to install to configure it, then the web console which is just for reporting and analysis. These features need to collapse, and it needs to be in a single solution. Going through the web solution in the future is the way to do it, because right now, it is a bit cumbersome.
If I remember correctly, there are some compatibility issues with different browsers. The user system works only on Chrome. In order to use something like this solution, we would have to have that extra browser. It would be nice if LogRhythm had full compatibility support across all browsers, regardless of what platform they're using and whether they are on desktop or mobile devices.
I'm a little on the fence about stability, because the platform runs on Windows at the moment. There has been some finicky administration stuff, especially if we are going to try to integrate it with our own domain's policies which need to be correctly reflected. In the instance that we have, it is not necessarily a good idea to have an endpoint security, but when you have to meet compliance and follow rules, these are some of the exceptions. There needs to be a way to allow organizations to utilize these platforms and still be compliant.
I don't know what the demand is. I know the number of systems that we have. We try to forecast the demand ahead of time by coming up with and listing the services that we need in the environment, but there are still things which are probably still yet to be seen.
As we run into systems which we were not aware of and need custom integration, I don't know what the pain points will look like or if things will be overlooked: Is the system scalable enough to where it will allow me to continue to log certain things without any restrictions? I don't know at this time, and I will find out once it happens.
So far, the technical support has been good.
I was hired in because I have the skill set to implement it. The original acquisition of the product was done by other people. Now, they have somebody who has the skill set and understands the technology deploying and configuring it, then going forward maintaining it.
For the development and maintenance, it will be just me. However, for the day-to-day log analysis, there will be a second person providing that function.
While we are aware of the playbooks, we still need to look into them.
We are close to a gig of messages a second, so quite a bit of data.
To capture your use cases, understand exactly what you are looking at ingesting. Do the research as far as what the company has done. For example:
Understand what everybody else has done previously with the solution.
We have a small population of users, but we are large physically and geographically spread out with a lot of devices on our network. We need all that logging capability going into one spot where we can see it and correlate events across all our infrastructure with a small staff.
We're still struggling to get a real return on it and finding something that isn't false noise.
There have been a few things, such as weird service accounts that have an encrypted password which are locking things out. However, we haven't had a big security event success with it as of yet. We could be missing things here, not seeing what is going on.
We do a lot of the alerting, as far as user accounts. We have NetFlow information going into it, so we can examine a lot of traffic patterns and anomalies, especially if something stands out and is not the baseline. This helps a lot.
We still have a lot of noise, so this is a problem. We are having a hard time visually sifting through it. We need help dialing it in. We don't have the in-house expertise. Do we hire someone just for this purpose and have them sit there all day, every day doing that? It is almost at that point. We are looking at Optiv as a solution right now.
It is so robust. There are so many moving pieces that you can't dabble in them. This is the problem that we are struggling with. You have to have somebody who works with it, and that is their job. Maybe a bigger company could have a whole team which could do this, but we don't have the capability right now.
I would like to see the client and the web client merged, so all the administrative functions are in the same web interface. It is just clunky right now. If you leave it running, it slows down your machine. However, we are still on version 7.3.
It seems to be stable.
It should meet our needs going forward. It seems like it is a mature enough product.
As far as what it takes, I don't know if it's worth the effort to get it on all the desktops, like every single user desktop and laptop reporting to it, or if it is better just to target the domain controllers, etc.
I haven't had to use them too much. We will find out after we go online with Optiv.
I have my sales engineer with LogRhythm, who has been helpful. She reaches out to me every couple months just to see if we need anything and offers assistance, because we'd already used up our block of hours when we first provisioned this solution.
We probably will contact them, if we go with Optiv, then they can help us upgrade.
We did an on-premises solution. If I had to do it again, I would probably do a cloud-based solution. They basically shipped two boxes which were essentially ready to go. Then, I worked with an engineer who had a block of hours and he got the HA capability going. We got it dialed in and tied it up with the mainframe.
Our team is in the process this week of doing a health check and trying to get everything up to speed. We are doing an upgrade, because we are still on 7.3. We need to be upgraded to 7.4.
We have been using it for about a year. We are probably only about 75 percent there. We need help getting it dialed in, having some of the noise tuned out, and getting the alerts set up properly, so we can work off hours on different triggers. This is where we are struggling because we need to sleep, and we are blind during that time. So, we need something to help us with that.
The installation wasn't too bad. LogRhythm did most of it. I just had to do the stuff that was specific for our environment.
We went back and forth between LogRhythm, Splunk, and AlienVault.
I liked LogRhythm mostly for how it integrated with the network infrastructure. It was my decision, and I'm not 100% sure that I picked the right one.
LogRhythm works well with our network-centric environment. However, it may not be the best for other things.
I am rating the solution a six out of ten, because we have not gotten it to work yet. With all its components, there is such a learning curve.
I haven't gotten far enough along in the process to know if the solution has a shortcoming or if it is our shortcoming with somehow getting it dialed in.
For me, one of the most valuable things about it is it helps me to produce evidence in my compliance role for NERC. It helps me to really bring all my logs together and easily translate that into evidence, to show I’m doing what I’m supposed to be doing.
In the canned reports, I would like to see, rather than a blank report come out, for it to say something like, "No logs found," or "No log sources available." I don’t like blank reports.
I’ve only been using it a couple of months. I started in about March 2017.
I think it’s wonderful. I use a high-availability version that fails over for me if needed. I’ve got one in one datacenter and one in another. It seems to function properly.
I have not had any issues. Mine is a very small deployment.
The LogRhythm support system is phenomenal. I can’t give those guys enough praise. If I have a problem or a question even, they’re quick to answer or connect me with an engineer to resolve the problem. The support system is really the selling point of this product.
My deployment is very new so we are still implementing it. There’s a little bit of work left to be done to get it to full capacity. I would say that it’s been relatively painless.
I gave it an eight out of 10 because of the ease of use, and the support really deserves high marks.
I would definitely tell colleagues to look into it. Again, the support that they provide, they’re there to hold your hand if you need it, or just give you guidance and let you go. They really do take care of their customers.