Security Analyst at Guitar Center
Enables us to feed in logs from other solutions and build dashboards to show us what we need to see
What is most valuable?
AI Engine. It's got intelligence. Does a lot of the heavy lifting, you can create custom AI rules. I'm looking forward to this CloudAI.
How has it helped my organization?
It definitely complements all of the other solutions we have. We can feed all the logs into our system, build dashboards that the products themselves cannot provide. For example, we have web filtering, their dashboards aren't so great for that product. But when we feed it into LogRhythm, we can build dashboards that really show us what we need to see.
What do I think about the scalability of the solution?
Pretty scalable. We were on an HA setup. Got about 2000 messages per second. It's pretty scalable.
How are customer service and support?
They're top-notch. Every time I call, there's somebody willing to pick up the phone, somebody willing to jump on a WebEx, so I have nothing but good things to say about LogRhythm. Compared to every other product we have, LogRhythm support is the best. Without a doubt.
Buyer's Guide
LogRhythm SIEM
November 2024
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
Which solution did I use previously and why did I switch?
I've used Symantec SIM, which wasn't so great. This is a real breath refresher, because it's more scalable, and I feel it's a better product overall.
What other advice do I have?
The most important factor, for me, when selecting a solution is that it needs to be lightweight.
Advice I would give to a colleague at another company who is researching this sort of solution: Talk to me first.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
EMS-SCADA Infrastructure Engineer at an energy/utilities company
It is very stable once it is configured. We have not had any downtime.
What is most valuable?
Compliance. It's the main focus of the solution, and that is what we've been doing: logging, monitoring, and alerting.
How has it helped my organization?
We keep an eye on all the events which are configured as an alert. This keeps us compliant for compliance purposes.
Our key challenge and goal is maintaining a secure infrastructure. We are a power electric company, so we are trying to be as secure as we can.
It is a very good solution. It is very robust. It is very extensive. We're trying to go into the minimum requirements for compliance purposes, but I would like to start implementing more for administration purposes and security.
What needs improvement?
- More seminars.
- Reporting: A reporting tool would be good for us, especially if we have better knowledge of them.
What do I think about the stability of the solution?
It is very stable once it is configured. We have not had any downtime.
What do I think about the scalability of the solution?
The scalability is very powerful. Our network is not very big, but we can configure it so we can always be up and running with redundancy. It's a great solution.
How are customer service and technical support?
It is a great experience all the time working with them. They are very useful; if they don't have the answer, they find the people who have the answer.
How was the initial setup?
On the last upgrade, I was part of the group to implement it. We did have some challenges, because the previous deployment was not configured right, then we did the implementation and it was very straightforward.
Which other solutions did I evaluate?
Alert Logic, but the logs were going outside of the company, so we want to keep it inside for security purposes.
LogRhythm was the best solution that we could find.
What other advice do I have?
We have LogRhythm in place and it's been working well for us.
It's a great solution, but training will be a big key in the implementation. We can troubleshoot it and get the technical support, but it is always very good to have technical training on LogRhythm.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Analyst at a tech services company
Before we were compartmentalized; now we have a central point with more integration between different departments
What is most valuable?
Being able to have all our logs all in one place, so we can easily correlate across the environment.
How has it helped my organization?
It has definitely matured our security posture. Before we started using it heavily, all our products were compartmentalized within the department that used it. Now that we have a central point, we have been having more integration with different departments.
The challenges are being spread out and using some of the technology that we do use, which are not easily integrated into the SIEM. We have a lot of custom parsers and just trying to get our custom products and applications to integrate into the SIEM, that was our biggest challenge.
As far as building custom parsers, it's very configurable. I've had some experience building parsers with it so far, and the ones that we have built have been working fine. Support has been pretty awesome with helping get those working well.
What needs improvement?
Adding more integration for security products would be an improvement.
What do I think about the scalability of the solution?
I have not had to scale it out too much yet. The environment was already set up when I came in. As far as the ability to scale out, I know it's there. I haven't had to put it to use though.
How are customer service and technical support?
I have used their support a lot. It is really good support. I don't think I've opened a case yet that I haven't got a solution on, and it is usually pretty fast. It's easy to reach the right person.
Which solution did I use previously and why did I switch?
We had a previous solution, but I don't know who they were. I don't know why we switched. Compliance was our biggest driving factor to why we purchased LogRhythm.
Which other solutions did I evaluate?
I would not know. This was done before I came onboard.
What other advice do I have?
It is a really good product with good support.
If someone is researching the solution, I would advise them to reach out to users and try to visit LogRhythm's online presence to see what they have. The LogRhythm community has been a pretty good resource.
Having a unified end-to-end platform is very important.
Most important criteria when selecting a vendor: support for the product.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Lead Info Security Architect with 501-1,000 employees
We have used its alert capabilities to help us mitigate issues more rapidly
How has it helped my organization?
It helps by collecting logs from a lot of different security items, like firewalls and IPSs. It helps to give us alerts to let us know if something is happening on our network. It has really good log collection and event and alerting capabilities, so we have used those alerts to help us mitigate issues more rapidly.
We have been able to stop ransomware by being alerted through LogRhythm. That was probably one of the biggest things. Also, malware events and things like that.
What is most valuable?
Using the web console to get a quick look at what's happening on the network, so the different dashboards that are available. Those are probably the things I look at first. Probably very useful at really analyzing what's going on.
What do I think about the stability of the solution?
We haven't seen issues with the product itself. There are updates which are now automatic through the knowledge-base. So, I'd say it's a stable product.
What do I think about the scalability of the solution?
We have not had issues with scalability as far as LogRhythm's concerned. We're not big enough to have issues of scalability with it. It is a much bigger product than that. We're not a huge global organization, so it's more than enough for a company our size.
Our environment is about 1,000 users, about 900 workstations, and a couple hundred servers. It is a Windows and Cisco shop.
How are customer service and technical support?
They are really good. Whenever I've needed their help, opened up a ticket, I haven't had any issues getting help from them. We have a guy right now who is really excellent, and will go out of his way to help us with making sure we are getting things setup properly, so that's really been a big help. They have really smart people there. When you work with them over the course of a number of years, you see how bright these guys are, so it's nice.
Which solution did I use previously and why did I switch?
We're fairly close to Boulder, so buying something that was local, I like to do that, and it is a great product. We're happy with it. I think it is one of the best SIEM tools out there. So, no regrets about going local, and it's nice to have them down the road if we need to get to them.
What other advice do I have?
It is a great product. We brought it in initially as a central event log for PCI compliance. It's been really good for PCI compliance, but then we leveraged it for security across the network, so it has been really good that way. It really requires somebody to be able to dedicate a lot of time to getting sources into it. It's hard if you're a partial user of it. It takes a lot longer to really understand the product, because it's big. There's a lot to it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Architect at a leisure / travel company
Facilitates aggregating all the logs into a single platform, and then doing real-time monitoring
How has it helped my organization?
We used to use a third-party vendor. We migrated to an in-house security operation center, so it's been a big difference.
What is most valuable?
We're doing almost 10,000 EPS right now and we have anywhere between 5000 and 6000 servers, and a couple thousand network devices more or less.
Our goal is pretty much to gather all those logs. Keeping track of when new servers are deployed and new network equipment gets put out there, and then having them report to LogRhythm. That's mainly the biggest challenge so far.
Mostly for us the most valuable feature is its aggregation of all the logs into a single platform, and then doing the real-time monitoring based on that.
Also, the real-time monitoring piece of it, that's extremely valuable. Plus you can tweak a lot of their settings while other systems don't really let you.
What needs improvement?
Dashboards, reports. Right now I know there's a big issue with reporting. It's challenging, at least for us, to do some of the reporting within the system itself. Hopefully that's something that gets improved.
Also, when you're reaching out to any other solution out there, any third party, most of them have integrations with Splunk; that's something that is lacking on the LogRhythm side. They're lagging behind when it comes to integration with main platforms.
So hopefully, with the help of the entire community, we can build something a little bit more flexible when it comes to integrations.
What do I think about the scalability of the solution?
We had some issues. Unfortunately, it was not sized properly from the beginning. But now with the additional boxes on everything, so far it's pretty solid.
How are customer service and technical support?
They're pretty good. Sometimes I wish they would be a little bit quicker getting back to you, at least when you open a ticket, but apart from that they're pretty good. We usually do reach the right person within the SLAs they have.
Which solution did I use previously and why did I switch?
We were using a third party, Dell SecureWorks. We wanted to go away from that and go into more of a centralized system in-house. We went through a bunch of factors and LogRhythm came out on the top.
How was the initial setup?
It was good. We have a lot of collectors, we ended up having almost 50 collectors in total, so it was a little bit challenging, but it's not bad.
Which other solutions did I evaluate?
- Curator Security
- Splunk
- ArcSight
We took it as far as they were able to help us with very specific things we do as a company, and LogRhythm came out on top.
What other advice do I have?
We're migrating to a dumb-terminal type of environment. That's the end goal that we have, because we have noticed that there's no way for us to secure everything. There's really no way. So having the users centralized into one location, it makes a big, big difference.
So far it's working fine. Like I said, we had some little things here and there but we've revised the architecture and now it's good.
For selecting a vendor we had a matrix. There were a bunch of points that we were trying to cover. How easy is it to use? For Roger's group, for example, to see how easy it was to adapt from the GUI base to the console.
In terms of a unified, end-to-end platform, I'd say we're not married to specific vendors or companies, that's the nature of our business, at least how we run. But it's good to have everything in one solution.
If I had a colleague at another company researching this and other SIEM security tools, I would give him my matrix.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Mgr of Network Operations at a comms service provider with 501-1,000 employees
It allows us to detect and remediate Advanced Persistent Threats, but the log management database needs to be more efficient.
Valuable Features
- Investigation
- Advanced Intelligence Engine
- Alarming and Response
Improvements to My Organization
We have made this the foundation of our security intelligence within our organization. It has allowed us to detect and remediate Advanced Persistent Threats.
Room for Improvement
I would like the log management database to perform more efficiently.
Use of Solution
I've used it for five years.
Stability Issues
Some minor bugs with the mediator. Those have been fixed in patch releases a long time ago.
Customer Service and Technical Support
Customer Service: 9/10.
Technical Support: 9/10.
Initial Setup
Setup was fairly straightforward. We were up and running with coverage of most log sources within two days.
Implementation Team
We implemented it in-house. Active Directory import makes initial configuration quick and easy.
Other Solutions Considered
We also evaluated Splunk, and we chose LogRhythm as the correlation rules performed better and it handled clients on DHCP better.
Other Advice
We recommend that people implementing it choose to log everything, including logs from desktops, laptops, servers, switches and routers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Advisor at a manufacturing company
The UI allows us to hand it off to our SOC and train them
How has it helped my organization?
We have about 170,000 employees worldwide. We have thousands of unique log sources we're ingesting. Right now, it's kind of information overload in what we're trying to create logs off of.
Our key challenges are staffing and, right now, we're just trying to get the best bang for the buck on what we can create for alarms, so that's what we're trying to get out of being at the LogRhythm User conference.
We're about to ingest pretty much all of our log sources and write alarms based off the log sources. That's what we're working towards right now, getting valuable alarms to trigger for our SOC to action.
LogRhythm meets our problem statement, as a solution.
What is most valuable?
The UI. We can give it down to our SOC and we can train them.
What needs improvement?
The CloudAI obviously, that's going to be big for us. Hopefully that matures. I saw the problem statement video they did today at this conference, which is great. But I haven't seen anything tangible out of that yet, so looking forward to that.
I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI. Some of the things don't make sense. I think they need to better understand how a SOC would use that platform.
I don't think they understand that every morning we do a case review and we need a quick dashboard to go review open cases for our SOC. And that's not built into the dashboard, so we have to create that. There are some use cases that I think they should sit down a little bit more with the customer and understand how we use it.
What do I think about the stability of the solution?
It's pretty stable.
What do I think about the scalability of the solution?
It was scaled inappropriately when we got it, so we had to buy a bunch of hardware after that. But, it's working now.
How are customer service and technical support?
I don't use it. My cohort, who is more of the SIEM admin, he uses it quite a bit. I think he's happy with it, as far as I know.
Which solution did I use previously and why did I switch?
We used Q1 QRadar. After IBM bought it, it kind of died on a vine. They quit supporting it, so that was the main driver for getting off of that and going to LogRhythm.
How was the initial setup?
Pretty straightforward.
Which other solutions did I evaluate?
We did an RFP for all the major vendors, ArcSight, all the big ones. LogRhythm came out as the best SIEM tool.
What other advice do I have?
When selecting a vendor, for us, the platform has to be a unified, end-to-end solution. We've got so many unique platforms around our business that it has to be.
All SIEMs suck, but LogRhythm is the best.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at a financial services firm
Makes log information available on demand for investigation but generates a lot of alarms we have to overlook
What is most valuable?
The most valuable part of the solution is being able to view all of the logs whenever you want. Any time an issue comes in or something that needs to be researched, I have the logs there. I can go in, run an investigation. It's pretty much at my hands. Information is available on demand. I feel like I'm in control of it, which gives me a warm, fuzzy feeling.
How has it helped my organization?
Pros and cons, I would say. We are short staffed, like the majority of the people here at the LogRhythm World conference. We have a lot of alarms that get overlooked; there's not a lot of prominence to them. So our SLAs are overextended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.
Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.
What needs improvement?
If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.
What was my experience with deployment of the solution?
One thing that surprised me was how many logs were being generated by our environment and how many logs are just a waste of time to look at. They're just there. It's just logging information, and we were able to reduce that.
Deployment, I believe, took about two weeks, and going from, let's say, 100 logs, we were able to reduce to about half of those logs in terms of what we're reviewing.
What do I think about the stability of the solution?
Stability is perfect. We have had no issues whatsoever with the servers, or with the Web Console or anything else.
What do I think about the scalability of the solution?
The scalability is awesome. Initially, when we first purchased LogRhythm, we purchased only about 20 lite agents. Then we realized, as we were looking for additional log sources, we needed more. Pretty much within a day, we were able to purchase additional licenses and get them rolled out to our organization.
How are customer service and technical support?
Tech support is amazing. They always follow up with a document on how to do something and if you still need further assistance, they're willing to get on the phone with you, without any doubt.
Which solution did I use previously and why did I switch?
We were using a different vendor and we decided to go against it. We wanted to bring this in-house. We were using Dell SecureWorks, and we were just not satisfied with their ability to give us reporting and information in a timely manner.
How was the initial setup?
It was a little complex. I did not have training prior to it, so it was more of a hands-on learning, which I appreciate. I prefer to do hands-on. It's easier for me to learn that way. It was complex, but at the same time it was educational. It had benefits.
What other advice do I have?
Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.
It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.
I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy with LogRhythm.
I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what they're getting in their environment and what other vendors might be missing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.