it_user756393 - PeerSpot reviewer
Junior Information Security Analyst at a financial services firm with 51-200 employees
Vendor
All logs in one place; we can quickly determine if there is a threat actor, from internal to external​

What is most valuable?

The fact that I can quickly determine if there is a threat actor from internal to external. That's our primary goal. We have a lot of traders and a lot of developers, internal, so that's generally where our presence is. We don't have a whole lot of online presence. We're not so much worried about external actors.

Being able to determine what a user is doing is really helpful for us.

How has it helped my organization?

We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.

Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.

Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights, we were going by the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.

We've been able to identify certain individuals and not have issues past that.

What needs improvement?

There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that.

What do I think about the stability of the solution?

Stability is not great but I think that's our issue. Qualys seems to blow it up all the time, but that's more on us to stop Qualys from scanning LogRhythm.

Buyer's Guide
LogRhythm SIEM
November 2024
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.

What do I think about the scalability of the solution?

Scalability is pretty good. We rolled it out at our primary company and then rolled it out past, to our sister company, which went really, really well.

How are customer service and support?

It's awesome.

What other advice do I have?

It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.

I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.

One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."

Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756363 - PeerSpot reviewer
IT Analyst at an energy/utilities company with 501-1,000 employees
Vendor
Visibility into all log sources in one place, and alerting are key advantages; helped us find misconfigurations

What is most valuable?

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

How has it helped my organization?

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimeter attacks. We've found operational problems, misconfigurations, things like that.

What needs improvement?

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

What do I think about the scalability of the solution?

It's good. We have all-in-one, an XM unit, because we're a smaller shop. It's been a great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

How are customer service and technical support?

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

Which solution did I use previously and why did I switch?

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

How was the initial setup?

I'd say straightforward. We did have PS as well, so it was very helpful.

Which other solutions did I evaluate?

QRadar and Splunk. And, for whatever reason - it is not really truly a SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

What other advice do I have?

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor is interoperability, the ability to pull logs, and the ease of customizing parsing logs. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it from 10,000 feet, I would say LogRhythm and it are probably much easier to manage, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How can we improve? How can we do this or that?" Our SE and sales guy are really great. They keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756339 - PeerSpot reviewer
Information Security Analyst at a legal firm
Vendor
Produces visibility into all of our data at once, allows me to see everything in one place

What is most valuable?

The visibility that it gives us into all of our data at once.

How has it helped my organization?

It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.

What needs improvement?

A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful.

It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program.

What do I think about the scalability of the solution?

It scales enough for us. We haven't had any issues, no complaints about it.

How are customer service and technical support?

I've used their training. I have not used their tech support. Again, we have an administrator, he's been there. He probably knows more about this than I do.

What other advice do I have?

In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.

I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.

I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user290340 - PeerSpot reviewer
Vice President at a financial services firm with 1,001-5,000 employees
Vendor
We're able to create customized monitoring reports that extract info from event logs.

Valuable Features:

  • Reporting - we need to do a lot of security monitoring
  • It doesn't have a lot of forensics, but we appreciate fact that it has the capability
  • The ability to collect a lot of information, as we have 200 users and a lot of log sources

Improvements to My Organization:

The fact that we're able to create customized monitoring reports that extract info from event logs helps us a lot. We used to have ad hoc reports created by the IT department, which meant they could manipulate content if they ever wanted to tamper with output. Now, there's no risk for us to worry about.

Room for Improvement:

Lots of concern these days regarding vulnerability, and being able to interface with other types of applications when creating event logs. We have lots of other applications to monitor. LogRhythm can extract that info, but some require converting before LogRhythm. Windows logs don't need converting, but SQL and XML do require conversion and monitoring.

Other Advice:

You should consult with LogRhythm experts because there are lots of features and customizations, and you need to figure out what's needed for your specific environment, for example, regulatory compliance issues. They do a great job of making clear what's needed.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1306557 - PeerSpot reviewer
Systems Administrators at a tech services company with 201-500 employees
Real User
Very helpful for monitoring and alarming, very stable and scalable, and excellent technical support
Pros and Cons
  • "File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting."
  • "It should have some more message monitoring features. It can also have some free message monitoring tools."

What is our primary use case?

I use LogRhythm for PCI DSS compliance. All of our devices are sending logs to LogRhythm. I have set up Silent Integrity Monitoring, Data Loss Prevention, Registry Integrity Monitoring, and other alarms for detection, and we do investigations.

How has it helped my organization?

I don't have metrics, but it has really improved the monitoring and alarming for us.

What is most valuable?

File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting.

What needs improvement?

It should have some more message monitoring features. It can also have some free message monitoring tools.

For how long have I used the solution?

I have been using this solution for about two years.

What do I think about the stability of the solution?

It has been very stable. There are no major issues. It has been doing exactly what I expected it to do.

What do I think about the scalability of the solution?

It has been very scalable in terms of adding new systems and stuff like that. It has been quite good.

We have plans to increase the usage of LogRhythm. We have some new solutions and new networks coming up. We might be looking to expand within the next two years to onboard new systems.

How are customer service and technical support?

Technical support has been excellent so far. I never had any issues with technical support. Their support has been excellent.

Which solution did I use previously and why did I switch?

I didn't use any other solution previously.

How was the initial setup?

It was pretty straightforward. The actual deployment of it took about two days, but the implementation strategy took longer. It took a couple of months for meetings and planning with different experts, project managers, and engineers. They looked at our business requirements and other things.

We have two administrators and two analysts. Four of us are managing the system.

What's my experience with pricing, setup cost, and licensing?

It costs a great amount, but its pricing is competitive with some of the other vendors. For licensing and support, we pay about 20,000. There are no additional costs or anything like that.

Which other solutions did I evaluate?

When I was looking for a solution, I looked at Splunk and LogRhythm. There was one from SolarWinds as well. Cost-wise, LogRhythm was the one that impressed me the most. Splunk was really good as well, but it was a little too costly.

What other advice do I have?

I would definitely recommend this solution for compliance requirements, such as PCI DSS compliance. It does cost a great amount, but its pricing is competitive with some of the other vendors. If it is a necessity to have a SIEM solution, I would definitely recommend LogRhythm.

I would rate LogRhythm NextGen SIEM a nine out of ten. It has been really good. So far, my experience has been seamless. They should keep doing what they're doing.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user769656 - PeerSpot reviewer
Information Security Architect at a healthcare company with 1,001-5,000 employees
Video Review
Vendor
We can constantly add logs into our system without any issues; find and fix problems fast

What is most valuable?

I believe the most valuable feature for us has been that we have all the logs together. We can query them, we can find all kinds of different situations that are going on in our network that we wouldn't have knowledge of without searching many different servers and logs.

How has it helped my organization?

Quicker ability to troubleshoot the problem, find the problem, get it fixed, and get the customers back up and using our system.

What needs improvement?

I'm sure there are always areas, in stability and scaling, that need improvement. I don't have anything right off that I can say I know needs improvement right at this point.

What do I think about the stability of the solution?

We installed in 2009, and the stability has improved over the years. I consider it to be quite a stable product now. It seems to work day after day, week after week.

What do I think about the scalability of the solution?

With version 7, we feel the scaling improved a lot. We are a large health system and we are quite often adding new businesses, new healthcare offices, new hospitals to our system. We are able to add those extra logs into our system without causing any issues.

How are customer service and technical support?

Tech support has always been good from the very first. In most cases the first response is a good one. It does the job, and if not, then you get back to them and they stay with you until they get it fixed.

How was the initial setup?

We thought the setup was very quick and easy, of course we didn't try to boil the ocean all at once. We've been, over the years, adding more and more phases to our system, completed it in phases.

What other advice do I have?

Really figure out what you want it to do for you, because it is very flexible and can be used for many different purposes. Determine what you want to use it for, and then get the assistance from LogRhythm to help implement it in that way. Then you can always expand it and take in other areas. But your primary goals need to be met right up front.

We are very happy with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756348 - PeerSpot reviewer
IT Security Analyst at a financial services firm with 201-500 employees
Real User
It has helped tremendously when following up on investigations and logs

How has it helped my organization?

It has helped tremendously when following up on investigations and logs. We often get bogged down with many tasks during the day. We can actually come back to a particular scenario that we are looking into, so it has been very beneficial for that.

Key challenges are our users and network. In our network, we get logs from a particular product called a NetScaler, which hides our source IPs, so that makes it a little challenging. Our goals are to tune LogRhythm further and utilize all the different modules that they do offer us. It is a challenge to get it all done.

What is most valuable?

  • The web console
  • The case management

What needs improvement?

I did hear about the new playbook edition coming up and I am excited about it.

What do I think about the scalability of the solution?

It is excellent.

How are customer service and technical support?

I have used the tech support and think they are great. I have many vendors that I deal with for other tools and hands down LogRhythm has been the best SIEM solution.

What other advice do I have?

It is a big project, but very worthwhile, and LogRhythm has plenty of documentation, support people, professional services, and classes that can help get a business implemented and push them all the way to completion. I definitely think it is worthwhile.

It is very important for me that the solution be a unified end-to-end platform.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756303 - PeerSpot reviewer
SYM Engineer Specialist at FIS
Real User
Provides huge visibility into your network, you see everything and you see it easily

What is most valuable?

Visibility. Being able to see the system, see what's coming in, and being able to report on the logs coming in. Seeing what other people are doing and being able to track down quickly what is going on in your network.

How has it helped my organization?

We're a worldwide company with 50,000 employees, in probably 15 locations, three SOCs and four or five data centers.

It's made it quicker for us to see threats. It's an easier platform to work with. It's more user-friendly, GUI based.

What needs improvement?

Easier creation of rules and parsing, and more user-friendly. A more user-friendly basis of using the tool to create rules and alarms to be able to report off of, and quickly stop any attacks and the like.

Also, more in-depth training on how the security platform works with other pieces of software like SQL, firewalls, or PowerShell.

What do I think about the scalability of the solution?

A ten again. It's very easy to scale.

How are customer service and technical support?

Great. They respond quickly and are very knowledgeable and they also allow us to be hands-on. Instead of them doing it for us, they actually teach us how to do it. So better knowledge transfer.

Which solution did I use previously and why did I switch?

We were using RSA Security Analytics and, before that, we were using RSA enVision. The challenges behind them were that they were very clunky, not very user-friendly, and you had to know coding, and you had to know command-line interfaces to even use them. Even on their GUI side. With LogRhythm we don't have to.

How was the initial setup?

It was straightforward and, like I said, a lot of good knowledge transfer on what to do and how to proceed.

Which other solutions did I evaluate?

IBM QRadar and RSA Security Analytics, but LogRhythm stood out because of their scalability and their interface and their user friendliness. Being able to easily navigate through the system.

What other advice do I have?

It is very important that our solution be a unified end-to-end platform. Very important. We wanted a one-stop shop with LogRhythm. We didn't want to use anything else to record our logs and stop threats.

I would give LogRhythm a 10 out of 10 just purely on the fact they are very helpful, very knowledgeable. The software is very easy to use. Easy to learn. I came into security with no knowledge of security or how to do anything, and within a year I'm an administrator of the software. So it's pretty good.

I would say go with it. Hands down, one of the best security platforms I've seen. Easy to use, easy to scale, huge visibility into your network. You just see everything and you see it easily. You don't have to go search for things.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user