Network Security at an energy/utilities company with 501-1,000 employees
Brings all my logs together to produce evidence in my compliance role for NERC
What is most valuable?
For me, one of the most valuable things about it is it helps me to produce evidence in my compliance role for NERC. It helps me to really bring all my logs together and easily translate that into evidence, to show I’m doing what I’m supposed to be doing.
What needs improvement?
In the canned reports, I would like to see, rather than a blank report come out, for it to say something like, "No logs found," or "No log sources available." I don’t like blank reports.
For how long have I used the solution?
I’ve only been using it a couple of months. I started in about March 2017.
What do I think about the stability of the solution?
I think it’s wonderful. I use a high-availability version that fails over for me if needed. I’ve got one in one datacenter and one in another. It seems to function properly.
Buyer's Guide
LogRhythm SIEM
January 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.
What do I think about the scalability of the solution?
I have not had any issues. Mine is a very small deployment.
How are customer service and support?
The LogRhythm support system is phenomenal. I can’t give those guys enough praise. If I have a problem or a question even, they’re quick to answer or connect me with an engineer to resolve the problem. The support system is really the selling point of this product.
How was the initial setup?
My deployment is very new so we are still implementing it. There’s a little bit of work left to be done to get it to full capacity. I would say that it’s been relatively painless.
What other advice do I have?
I gave it an eight out of 10 because of the ease of use, and the support really deserves high marks.
I would definitely tell colleagues to look into it. Again, the support that they provide, they’re there to hold your hand if you need it, or just give you guidance and let you go. They really do take care of their customers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
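The reviewer above asks that a canned report say "No logs found" or "No log sources available" rather than come out blank. The practical reason this matters for compliance evidence is that a blank page cannot distinguish three very different situations: no sources configured, sources configured but silent (a collector that stopped forwarding), and sources reporting but nothing matching the criteria. The following is an added illustration of a report generator that tells them apart; it is example code, not LogRhythm's, and the data model, host names, and sample events are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, simplified data model for this example (not LogRhythm's schema).
@dataclass(frozen=True)
class LogSource:
    name: str

@dataclass(frozen=True)
class LogEvent:
    source: str          # name of the LogSource that produced the event
    timestamp: datetime
    classification: str  # e.g. "Failed Authentication"

# Explicit empty-result reasons. A blank page cannot tell these apart.
NO_SOURCES = "No log sources available"
SILENT_SOURCES = "No logs received from any configured log source in the report window"
NO_MATCHES = "No logs found matching the report criteria"
OK = "OK"

@dataclass
class Report:
    status: str
    rows: list = field(default_factory=list)
    silent_sources: list = field(default_factory=list)

    def render(self) -> str:
        """Text rendering; an empty result always states why it is empty."""
        out = [f"Status: {self.status}"]
        out.extend(self.rows)
        if self.silent_sources:
            out.append("Configured sources with no logs in window: "
                       + ", ".join(self.silent_sources))
        return "\n".join(out)

def build_report(sources, events, window_start, window_end, classification):
    """Filter events to the window and classification, but never return a blank report.

    Silent sources are listed even when the report has rows, because a collector
    that stopped forwarding looks identical to a quiet system if nobody checks.
    """
    if not sources:
        return Report(NO_SOURCES)
    in_window = [e for e in events if window_start <= e.timestamp < window_end]
    seen = {e.source for e in in_window}
    silent = sorted(s.name for s in sources if s.name not in seen)
    if not in_window:
        return Report(SILENT_SOURCES, silent_sources=silent)
    rows = [f"{e.timestamp.isoformat()} {e.source} {e.classification}"
            for e in in_window if e.classification == classification]
    if not rows:
        return Report(NO_MATCHES, silent_sources=silent)
    return Report(OK, rows=rows, silent_sources=silent)

# Constructed sample inventory and events (hypothetical host names).
WINDOW_END = datetime(2017, 3, 31)
WINDOW_START = WINDOW_END - timedelta(days=1)
SOURCES = [LogSource("fw-edge-1"), LogSource("dc-1")]
EVENTS = [
    LogEvent("fw-edge-1", WINDOW_START + timedelta(hours=2), "Failed Authentication"),
    LogEvent("fw-edge-1", WINDOW_START + timedelta(hours=5), "Failed Authentication"),
    LogEvent("fw-edge-1", WINDOW_START + timedelta(hours=7), "Config Change"),
    # dc-1 did log, but a day before the window: it counts as silent in-window.
    LogEvent("dc-1", WINDOW_START - timedelta(days=1), "Failed Authentication"),
]

def example_reports():
    """The four outcomes the report generator can produce, on the sample data."""
    return {
        "no_sources": build_report([], EVENTS, WINDOW_START, WINDOW_END, "Failed Authentication"),
        "all_silent": build_report(SOURCES, [], WINDOW_START, WINDOW_END, "Failed Authentication"),
        "no_matches": build_report(SOURCES, EVENTS, WINDOW_START, WINDOW_END, "Malware Detected"),
        "ok": build_report(SOURCES, EVENTS, WINDOW_START, WINDOW_END, "Failed Authentication"),
    }

if __name__ == "__main__":
    for name, report in example_reports().items():
        print(f"--- {name} ---")
        print(report.render())
```

The design choice worth noting is that the silent-source list is attached to every report, including a successful one: the case where one domain controller stops forwarding while the firewall keeps talking is exactly the one that a "report has rows, so all is well" check would miss.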
Information Security Engineer at Lancaster General Health
It's the center of our SOC but we are starting to use it for operational things as well
What is most valuable?
- SmartResponse flexibility
- Ease of use
- Ease of administration
Overall, versus competitors, it is a lot easier to use, a lot more user friendly, but it still gives you a lot of flexibility to do whatever you want. The limit is your imagination, for SmartResponses at least.
How has it helped my organization?
We've actually been able to use it to show that we need more people, because we're going to be doing more. It's the center of our SOC, but we are starting to use it for operational things as well, not just security.
What needs improvement?
I would like to be able to use the Web Console, but because of our volume I can't.
Also, it needs to stay healthy. A lot of the problems seem to pop up out of nowhere, and a lot of them seem to be somewhat debilitating. We were fine for a long time, and then eventually one day our processing just dropped. I ended up talking to support for something like a month, and eventually I got to someone who said, "You should check the BIOS settings on your data processors and your indexers." Turned out there was some read-head caching setting that wasn't enabled by Dell. We were fine for over a year, and then all of a sudden, problems.
It's a great tool, just random dragons seem to cause problems.
What do I think about the stability of the solution?
Hit or miss, it depends. A month or two will go by and everything will be fine, and all of a sudden, something breaks. Then it's in the air for a little while, and then I manage to figure out what is causing the problem, fix that, and then everything is fine for a couple months. Then something else happens.
It's different every time. One specific example, I think it was related to a KB-update that basically broke a log source type, that was doing tens of millions of logs per day. And that just trashed our data processors. It put everything behind, we went down to single-digit processing, blocks-per-second processing, for a period of a few weeks. I had to rebuild all the MPE rules into a new log source policy, and then everything was fine.
For a few months everything was working and then all of a sudden one day it just goes into the toilet. We didn't do any upgrades, nothing like that, so that is why I'm thinking KB-update, but I haven't pushed it.
What do I think about the scalability of the solution?
It's pretty good, it's easy to add parts, it's pretty easy to do that. It's just expensive sometimes.
When we started, we had one platform manager, and two DPXs. And then we added this second organization, network domain, etc. Then we realized that we didn't have the infrastructure we needed to support everything. We were able to buy five DPXs, etc.
How are customer service and technical support?
On a scale of one to 10, it's a seven to eight.
Once you escalate and validate, it's pretty easy to get to someone who knows what they're doing, and has a lot of the expertise in that specific area.
Which other solutions did I evaluate?
I know that it came down to LogRhythm, Splunk and ArcSight. They ideally wanted one person to administrate and run the whole system, which is why the other two got the boot and LogRhythm was chosen. That was the most important criterion in selecting a vendor.
What other advice do I have?
It's not perfect, but no solution is going to be perfect. If you have one person that you can dedicate forty hours a week to the SIEM it will be fine.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Advisor at a manufacturing company
The UI allows us to hand it off to our SOC and train them
How has it helped my organization?
We have about 170,000 employees worldwide. We have thousands of unique log sources we're ingesting. Right now, it's kind of information overload in what we're trying to create logs off of.
Our key challenges are staffing and, right now, we're just trying to get the best bang for the buck on what we can create for alarms, so that's what we're trying to get out of being at the LogRhythm User conference.
We're about to ingest pretty much all of our log sources and write alarms based off the log sources. That's what we're working towards right now, getting valuable alarms to trigger for our SOC to action.
LogRhythm meets our problem statement, as a solution.
What is most valuable?
The UI. We can give it down to our SOC and we can train them.
What needs improvement?
The CloudAI obviously, that's going to be big for us. Hopefully that matures. I saw the problem statement video they did today at this conference, which is great. But I haven't seen anything tangible out of that yet, so looking forward to that.
I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI. Some of the things don't make sense. I think they need to better understand how a SOC would use that platform.
I don't think they understand that every morning we do a case review and we need a quick dashboard to go review open cases for our SOC. And that's not built into the dashboard, so we have to create that. There are some use cases that I think they should sit down a little bit more with the customer and understand how we use it.
What do I think about the stability of the solution?
It's pretty stable.
What do I think about the scalability of the solution?
It was scaled inappropriately when we got it, so we had to buy a bunch of hardware after that. But, it's working now.
How are customer service and technical support?
I don't use it. My cohort, who is more of the SIEM admin, he uses it quite a bit. I think he's happy with it, as far as I know.
Which solution did I use previously and why did I switch?
We used Q1 QRadar. After IBM bought it, it kind of died on a vine. They quit supporting it, so that was the main driver for getting off of that and going to LogRhythm.
How was the initial setup?
Pretty straightforward.
Which other solutions did I evaluate?
We did an RFP for all the major vendors, ArcSight, all the big ones. LogRhythm came out as the best SIEM tool.
What other advice do I have?
When selecting a vendor, for us, the platform has to be a unified, end-to-end solution. We've got so many unique platforms around our business that it has to be.
All SIEMs suck, but LogRhythm is the best.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at a financial services firm
Makes log information available on demand for investigation but generates a lot of alarms we have to overlook
What is most valuable?
The most valuable part of the solution is being able to view all of the logs whenever you want. Any time an issue comes in or something that needs to be researched, I have the logs there. I can go in, run an investigation. It's pretty much at my hands. Information is available on demand. I feel like I'm in control of it, which gives me a warm, fuzzy feeling.
How has it helped my organization?
Pros and cons, I would say. We are short staffed, like the majority of the people are here at the LogRhythm World conference. We have a lot of alarms that get overlooked, there's not a lot of prominence to them. So our SLAs are overextended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.
Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.
What needs improvement?
If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.
What was my experience with deployment of the solution?
One thing that surprised me was how many logs were being generated by our environment and how many logs are just a waste of time, looking at them. They're just there. It's just logging information, and we were able to reduce.
Deployment, I believe, took about two weeks, and going from, let's say, 100 logs, we were able to reduce to about half of those logs in terms of what we're reviewing.
What do I think about the stability of the solution?
Stability is perfect. We have had no issues whatsoever with the servers, or with the Web Console or anything else.
What do I think about the scalability of the solution?
The scalability is awesome. Initially, when we first purchased LogRhythm, we purchased only about 20 lite agents. Then we realized, as we were looking for additional log sources, we needed more. Pretty much within a day, we were able to purchase additional licenses and get them rolled out to our organization.
How are customer service and technical support?
Tech support is amazing. They always follow up with a document on how to do something and if you still need further assistance, they're willing to get on the phone with you, without any doubt.
Which solution did I use previously and why did I switch?
We were using a different vendor and we decided to go against it. We wanted to bring this in, in-house. We were using Dell SecureWorks, and we were just not satisfied with their ability to give us reporting and information on a timely manner.
How was the initial setup?
It was a little complex, I did not have training prior to it, so it was more of a hands-on learning, which I appreciate. I prefer to do hands-on. It's easier for me to learn that way. It was complex but at the same time it was educational. It had benefits.
What other advice do I have?
Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.
It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.
I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy, with LogRhythm.
I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what they're getting in their environment and what other vendors might be missing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Security Administrator at a financial services firm
Facilitates receiving alerts quickly and remediating them with partial scripts
What is most valuable?
The Web Console, and digging in through the logs.
How has it helped my organization?
We use a single appliance, around 5,000 MPS. We're a Windows shop, so mostly Windows servers, desktops, workstations, etc. Somewhat distributed as well, we have three main sites and 20 or so distributed sites as well.
Our key challenges are, mostly people, getting more resources, and the goal is just get better. Are we better today than we were yesterday?
I think it has helped immensely. I think the ability to quickly receive an alert and investigate that alert is pretty beneficial. I think it is pretty effective.
Also, the ability to remediate alerts with partial scripts is pretty good.
What needs improvement?
I would definitely like to see more things in the Web Console, in terms of the ability to run reports and generate reports out of it, and schedule those. Instead of having to go to the fat client, you would just do it out of the Web Console.
Right now there are two brains, there are the Web Console and the fat console, so that hinders a little bit of flexibility or innovation that they can do. It is a tough spot to be in, but otherwise it is a pretty good product.
What do I think about the stability of the solution?
In terms of just stability of the product, sometimes we have run into some issues there.
What do I think about the scalability of the solution?
In our environment, we have X number of clients, so that's not extremely scalable, but I know that the solution is pretty scalable.
How are customer service and technical support?
Support has been really good.
Which solution did I use previously and why did I switch?
We were using Splunk prior to this but it was too expensive and we needed a true SIEM solution.
How was the initial setup?
A little complex, but usually any SIEM is; just all the components that are in that one appliance.
What other advice do I have?
I am pretty impressed with it. I have seen it grow, just in the short time that we have had it.
It is very important for us that a solution be a unified, end-to-end platform. That is one of the biggest driving factors, having a single place that I can do network monitoring if we wanted to. We could do log correlation out of different security tools that we have.
Make sure you give it enough resources in terms of users. Somebody to manage it, whether that be an MSSP or an in-house resource.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
Enables pivoting through the data in real-time; we can detect and remediate issues more quickly
What is most valuable?
I like the usability of it. I like the web console and the ability to pivot through all the data in real-time.
How has it helped my organization?
We have a pretty varied environment. We have all kinds of compliance. We have PCI, HIPAA, FISMA and the like. We are also a large development shop. It's not as strict as we would like it to be.
As a security organization, our key challenges/goals are just staying on top of everything. The environment changes rapidly, especially with a big dev environment.
Regarding meeting those goals, in the last two months that we've had LogRhythm it's been very good. We ripped out an old SIEM that wasn't quite as easy to use. That has been nice.
The benefits are that it gives us a central pane of view for all of our logs and all the events. Where it's really helped us is that it requires less time to remediate and detect any issues.
What needs improvement?
It's hard to say what should be improved because we're still trying to get an understanding of what the tool does.
I think in all the sessions we have at the LogRhythm User Conference, we'll find out more what the tool does. Then, from there, we'll probably decide if we really wish it would do this or that.
For how long have I used the solution?
Two months.
How are customer service and technical support?
I have not personally used it, but a co-worker has. So far, we're very happy with it.
Which solution did I use previously and why did I switch?
We did have a previous SIEM solution, which was IBM QRadar. One of the biggest reasons we decided to move on from that was cost. The renewal costs from IBM were extraordinarily high. We had already talked to LogRhythm for a different use case, with compliance. We already knew what LogRhythm had to offer.
How was the initial setup?
It was a little bit of both straightforward and complex. There were certain parts of it that were very straightforward. There were other pieces where we just had to get a grip on which log sources we were going to send where, and how to manage it all.
What other advice do I have?
When selecting a vendor, one of the biggest things for us is ease of use. The second is how are they going to be a partner with us?
In terms of advice to someone who is looking into this kind of solution, I would say to look at the long-term costs of any solution that you're looking at.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
I am impressed with their support. We ran into issues where it was not parsing correctly.
Pros and Cons
- "It supports most standard log sources."
- "It will definitely help if the parsing side would be much easier, meaning it would be better if we could easily make adjustments on the parser, both on standard and non-standard log sources."
How has it helped my organization?
- Lower personnel requirements
- Improved vendor support services
- Ease of use
Key challenges are lack of personnel to manage LogRhythm. We are a small shop and we don't have a dedicated person to really manage LogRhythm, so our goal is for us to go to a level where we are doing a lot of automation.
What is most valuable?
- The SmartResponse piece of it.
- It supports most standard log sources.
What needs improvement?
We were having some challenges initially, especially ingesting those standard log sources. We ran into issues where it was not parsing correctly. That wasn't our expectation, because we considered them standard log sources, but there was some issue with parsing our logs.
As far as adding log sources, it is not as straightforward. At the same time, granting access we have noticed it's not using AD groups. It's more of the organizational unit in AD.
It will definitely help if the parsing side would be much easier, meaning it would be better if we could easily make adjustments on the parser, both on standard and non-standard log sources. The way it works right now, it looks like we have to engage LogRhythm in order for us to make adjustments on the parser.
What do I think about the stability of the solution?
In a two month period, we had one hardware issue, which might not be LogRhythm-related. It might be on the hardware side. It's fairly new, so we were expecting that to happen, the actual failure on the platform manager (PM) side.
What do I think about the scalability of the solution?
I think it's scalable. So far, we haven't really reached the point where we can say, "Yeah, we can definitely expand the use of it."
How are customer service and technical support?
They're pretty good. I'm impressed with their support. It has been easy to reach the right person.
Which solution did I use previously and why did I switch?
We are migrating from a different product (Curator) to this product, and we think LogRhythm is better than the older product that we were using. We were looking for a solution with scalability and ease of management. Also, Curator is more expensive.
How was the initial setup?
I was involved in the initial deployment and setup. I have used another SIEM solution. It's not easy, but it's also not that complicated to set up.
What's my experience with pricing, setup cost, and licensing?
Look for whatever will give you the most value. That's the main point. It is not one size fits all.
Which other solutions did I evaluate?
Splunk. Cost is the main reason LogRhythm stood out.
What other advice do I have?
It is important that a solution be a unified end-to-end platform, especially because we are a small security group. If we can have it in one place, that would be a big plus for us.
Most important criteria when selecting a vendor: support.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Security Analyst at a financial services firm with 1,001-5,000 employees
The most valuable feature is the AI engine and we're able to have all of our logs in one place.
What is most valuable?
The most valuable feature is the AI engine, as well as the usual SIEM product stuff. The ability to have all of our logs in one place is a big thing for me.
How has it helped my organization?
It’s brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.
What needs improvement?
The reporting aspect is difficult to use and very difficult to get your own reports. So far this is it; they have a web UI and we had a recent update which fixed a lot of bugs and added a lot of great features. But the reporting is lackluster.
For how long have I used the solution?
I've used it for 10 months.
What was my experience with deployment of the solution?
We've had no issues with deployment.
What do I think about the stability of the solution?
Since we purchased one of their boxes, we've had 99% uptime. The only downtime has been for updates and upgrades. So we've had no issues with instability.
What do I think about the scalability of the solution?
We foresee that it's scalable for our future developments. At the moment, we are using half of what it’s able to do.
How are customer service and technical support?
I've been happy with the support in the initial setup. The support in our environment was well done. For any issues, we have had someone on the phone on that day, so there have been no downtime issues. They are super nice.
Which solution did I use previously and why did I switch?
We didn’t have a solution before. It's usable out-of-the-box and it covers a lot of holes. It's done its job.
Which other solutions did I evaluate?
We looked at AlienVault and QRadar.
What other advice do I have?
Definitely do a test run, a proof of concept, so it’s understood how it’s going to work in your environment. Also, take the training that they provide; it's super valuable.
Disclosure: I am a real user, and this review is based on my own experience and opinions.