LogRhythm SIEM Reviews

I found it very useful in our day-to-day operations with monitoring user activity and looking at system analytics and system performance. I found it very useful when investigating threats like IPs, and seeing what's going on with our endpoints, like certain lateral movements that we've noticed. 

I definitely found it very useful when looking at, for example, a compromised host, or a suspicious IP that has been scanning us. I've definitely found it very useful when I look at a log, it'll give me a detailed drill-down of all the information that's needed, including what the rating is, the rating of the threat, and what actions should be taken. 

It gives my team a better idea of what we should do to improve our security posture.

It's improved our organization. For example, if we have a user who's traveling overseas, or we get a suspicious login from the VPN, from a country that we're unfamiliar with, it gives us the ingest logs. The SIEM gives us a better comprehension of what type of threat activity it is and helps us decide if it's benign or legitimate.

Looking at the logs and how much detail each log has when it is ingested into our dashboards is quite useful. I found it very useful when looking at, for example, what emails are inbound and outbound of our networks. 

I like how detail-oriented the logs are in terms of what the origin is and what network it's coming from. 

I also like how the detailed logs give us what host or user it's coming from. On sight, I have a pretty cohesive understanding of what threat intelligence looks like in terms of reviewing what we have to deal with.

I use the Event Log Filtering feature daily. Every day when I look at event logs, I use the filters on certain time ranges and AIU engine rules. Overall, it's had a very positive impact. It helps us expedite certain security incidences very quickly, thanks to how detail-oriented the logs are. It really helps me report threats to my supervisor. For example, if someone's trying to scan us, my boss will ask me, "Can you look into this further?" I'll go ahead, and use the searches and the lists that the LogRhythm console has to offer, and I will get back to him in a timely fashion, with more details on the threat. 

The Event Log Filtering feature has definitely helped reduce administrative overhead. On a scale of one to ten, I would rate it a seven.

It helps us manage workflows and cybersecurity exposure. In terms of managing workflows, it definitely has given us leverage on what our overall security posture is, and gives us a better understanding of what we need to focus on more in terms of what threats are persisting. Our workflows have been pretty seamless so far. I would say our workflow is pretty seamless in terms of static manual investigations.

In terms of blind spots and our ability to shut down attacks, while we don't see all the blind spots, it gives us enough understanding and information about where we can classify a threat. 

Overall, it's had a very positive impact on our security posture. It gives us good visibility of what we need to see right now. It definitely gives us a better understanding of what we deal with, and what we should focus on in terms of what threats are more critical than others. In terms of our daily operations, it's very helpful.

It's positively affected our overall rate of efficiency. It's given us what we need for now. We're looking to improve our efficiency by looking into what LogRhythm offers in its newer products. Still, it's pretty efficient. On a scale of one to ten, I would rate it around eight or nine in terms of efficiency. My immediate coworkers in my department could use what we have right now for looking at critical alerts, user analytics, and overall IT operations since we usually have daily operations where we look at all user activity throughout our organization.

So far, it's pretty robust, and yet, we look for more improvements.

On a day-to-day basis, maybe we could look for more improvements with automation, however, so far, it's good.

In terms of blind spots, we are looking for more improvements since we don't have visibility over everything. Right now, we just use LogRhythm for our on-prem solution, not our cloud solution. We could definitely use more improvements with that in the next product.

Ingesting logs into the web console user interface and probably updating the threat intelligence database are the two places where we'd like to see improvement. We get a lot of noise. Oftentimes, we see a lot of false positives, so possibly using AI or machine learning would be ideal. Implementing that more into the next product would help us actually determine whether it's a false positive or legitimate threat.

I've used the solution for about a year and three months.

In terms of using it on-premises, it is very stable. Granted, we have some hiccups here and there. However, that's what we reach out to tech support for. They're able to provide us with immediate support, and they're willing to really put in the effort to figure out what the cause of the problem is and will work until it's fixed in a timely fashion. 

The scalability is, so far, very robust. I look forward to hearing more about the latest LogRhythm products and what they can do in terms of on-premises and cloud.

The product offers excellent service and technical sport. They're very prompt with getting back to our team regardless of the severity of the incident. Overall, I've had a great experience with this so far.

Positive

I'd rate the solution ten out of ten. 

Those that say SIEM is an outdated security system, don't understand cyber security. SIEM is what allows analysts like myself to be successful. Without a SIEM, how can we see everything? We can't.

The recognition of many device types, log message formats, and the most common device types out there. Then, the ability to quickly display data, and do the classification on it. That is the big value.

I have used it a lot. I have used it against other SIEMs. I have used it in conjunction with other SIEMs, and it is the easiest to use and makes the most sense to me.

• Being able to gather the data into one central location.
• Being able to leverage alarm and case management features through there on that centralized single pane of glass. That lets us work through those issues that we find from all those disparate device types, fairly quickly and efficiently using that stuff.

Key challenges and goals are retaining talent. Guys tend to do really well in this field, oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.

I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set.

I was not involved in this particular deployment, but have deployed about 25 LogRhythm deployments previously.

It is straightforward. Not too bad.

It scales well. It can go from 1,000 messages per second to 50,000 messages per second fairly easily.

I have used a lot of tech support, and I think it's the best out of other SIEMs that I have worked with: McAfee ESM and IBM QRadar. LogRhythm definitely has the best support.

Go ahead and do the evaluation with their other competitors out there. Understand each of the SIEMs capabilities by sitting down with them. I think you will find that LogRhythm will win out.

A unified end-to-end platform is extremely important, because as we get going to this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, which LogRhythm is definitely one of those platforms that does that.

Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.

LogRhythm SIEM is a cybersecurity solution that we use to protect our network and devices from external and internal threats or attacks. It's part of our overall cybersecurity strategy, which includes SIEM, EDR, and DLP solutions.

LogRhythm SIEM offers advanced features such as AI engine modules, machine learning, and threat intelligence integration, which help reduce false positives. Advanced analytics streamlines incident response processes, enabling incident responders to prioritize and automate alerts.

LogRhythm SIEM can improve its user interface. The current interface is quite complex and can be challenging to navigate. While it offers many valuable features, understanding how to access and utilize them efficiently takes time. Simplifying the client console's user interface would significantly enhance the user experience and make it more user-friendly.

I have been using LogRhythm SIEM for the past five years.

I would give it a nine out of ten in terms of stability, as the support and tech teams are reliable and efficient in resolving issues.

Considering its capacity and ability to meet requirements, I would rate LogRhythm SIEM around seven out of ten.  As a service provider, we cater to multiple users and organizations.

The technical support for LogRhythm SIEM is good.

Positive

The setup for LogRhythm SIEM can be rated eight out of ten in terms of ease. It's an on-premises deployment and typically takes about ten to fifteen days for a basic setup. Still, depending on the complexity of log sources and integration needs, it could extend to twenty and twenty-five days.

We’ve integrated LogRhythm SIEM with various systems, such as Cisco switches, databases, PAM solutions, and Trend Micro ADA solutions. AI integration plays a significant role in enhancing security monitoring efforts by automating tasks and detecting zero-day attacks.

I would rate LogRhythm SIEM an eight out of ten and recommend it to others.

I am a security architect, so I don't develop the use cases with the customers if they deliver a team who is in charge of these activities. Depending on the case of the customer, we define something with the customers, according to the technical sessions that we have with them. I prepare all the documentation for the delivery team and present the project.

LogRhythm is deployed on-prem. There are about 60 people using this solution in my organization.

SOAR is integrated with the dashboard that we use for threat management. Because it's all integrated, it is useful for us when we deploy something on-prem.

I don't think the cloud model in LogRhythm is developed enough. This is one of the reasons they changed the position in a negative way in the Magic Quadrant Gartner for SIEM in the recent report. The cost of UBA is also high when you compare it with Securonix.

I would like to have a different cost model for cloud. If that happens, I think LogRhythm could be competitive in other cases with the customers.

The virtual machines require a high computer power, and sometimes customers say it's expensive. There are specific requirements from this solution. LogRhythm has a specific requirement when implementing in virtual machines, which is a very complicated issue. The best solution is in the cloud, most of the time.

I've been using this solution for more than five years.

It's stable.

When we are using LogRhythm in the cloud, it is scalable, but it's more expensive than other solutions. When we are on-prem, it's a little complicated and has a lot of challenges that the customer doesn't want.

It is scalable in the cloud, but not on-prem. It is not easy. It takes more time and money. I would rate it 3 out of 5.

I would rate the presale support 3 out of 5. They could be in contact more and give more information. It's average. I have heard that post-sale support is good.

It's simple because you only need to consider one component and that's it. But if you have a customer with different companies and each company has different subsidiaries and all of them want one only service, all of them will be sending the logs into one single SIEM, so you need a distributed architecture. You need to think about how to include new components and how that will be impacting the architecture in the near future, because we don't know the cost. In some cases, it's complicated if we don't know the new versions or the changes that the vendor will be publishing.

Deployment commonly takes three months but can take up to six months.

We use about six people for maintenance.

We deploy the solutions on our own.

I would rate the pricing 4 out of 5. There are no additional costs to the standard licensing fees.

The customers commonly want to know what is the price for the service in different bands. So we work on a banded price model, and it is something that is complicated. We include the UEBA, which is sized and quoted in terms of the number of users and entities. So we need to make a price banded model for the SIEM and a price banded model for the UEBA. We need two of them and they are related. 

If you increase the number of users, you are increasing the cost of the service of the SIEM. Sometimes we don't know the exact relationship between these two components. In the case of other solutions in the cloud, like Securonix, you just need to say to the customer, "This is the price of the different bands."

I've evaluated solutions that can be deployed in the cloud and have other features or components, like the UEBA. In the case of Securonix, it is included. We need to decide if we are going to propose something that is on-prem or in the cloud, depending on the requirements of the customer. The architecture is more complicated when you deploy something on-prem, so you want to increase the number of EPS, the events per second. You need to consider the architecture.

With Securonix or Splunk, we just need to go to the partner and say, we need an increase in the number of EPS. We also don't have to provide maintenance to the solution because it is in the cloud. Our specialist is more focused on the security aspects instead of providing maintenance to the components.

I would rate this solution 8 out of 10.

My advice is that if the requirement is to have someone on-prem, for example, someone that is working in a financial entity, it is a requirement to have all the information in their own data centers and using specific connections. If you have that case, you can use it. It is convenient. And you can use it if you have a case where the evolution of the environment is not going to change for the next three years. Otherwise, if you have a lot of changes during the time that you are going to be using this solution, you need to include different components that will probably be complicated to architect.

My primary use case is to alert to any anomalies that may have security relevance as far as some of the industry regulations that apply to our health care, as well as payment card industry.

We have a product that is a security orchestration and response tool Demisto and I think that from the standpoint of automation and response perhaps the first version of the playbooks is not going to compare to the product that we have that's a stand alone for that purpose. However from a price point it's very attractive and I think that as it matures we'll look at probably moving over onto the LogRhythm playbooks if it can support the kind of things that we're leveraging out of this other product and it looks like that's their plan.

It was the same that was brought up in one of the talking sessions. Our users will tend to forward every email they don't like just to be safe. It's a spam review and it takes our analysts then a ton of time to go through. So we have leveraged this to go and read from the mailbox that those spam emails all get forwarded to and then to look and analyze the hashes of any files. They'll hash them or the links in the file or the sender or anything that looks funny and it'll do all the things an analyst will do and make its determinations and then we'll see from there if we have anything to follow up on.

Our ability to respond quickly or the time to detect has dropped significantly. There's some things that we see now that we would have never seen. For example, maybe a domain administrator adding an account to a server's admin group that goes against process and policy but they're doing it to troubleshoot something or whatever. We have never seen that before because of the amount of logs that come out of those Microsoft security logs and the fact that we've got 6,000 servers in our environment. But the other things that we would have seen we still see them faster. When we see something that from the power firewalls that verdict change did pass something through, but now it says it's malicious an attachment on an email or something. We can take action now far faster whereas before we might have got the indication out of our antivirus tool when somebody tried to double click the attachment.

Most valuable features for our organization are the centralized painted glass for us to go through and triage and see everything going on in our environment. We're a mature organization. We have a lot of tools and a lot of different implementations and to go through all those dashboards monitoring everything is just not possible. So we centralize everything and then we get it, come into the web console and we're able to triage and respond quickly to anything that is important.

We do use many other capabilities with LogRhythm. We of course collect from our printer devices and our servers as well as some of our security specific systems. We'll drink from API's. We'll also implement file integrity monitoring in our data environment. So we use a lot of different features available within LogRhythm.

It makes is possible to stay aware of much more of what's going on. We get an overview, a macro view that we can zoom in on as opposed to prior to that we had individual panes of glass. You might be stuck in the firewall interface for half a day whereas something goin on is not getting addressed that we really should probably investigate. So that's our biggest benefit.

We're not using any of the built in playbooks. We are about to go up to version 7.4 once it becomes available. We were not an early adopter because of our size.

There's two that I can think about off the top of my head. One is service protection. So for example to compare it to the antivirus product, if I'm an admin on a server I can't uninstall the antivirus product unless I have the administrator password for the antivirus not the domain administrator passwords. In the same way these guys that are out there doing upgrades in the middle of the night and stuff they don't know why anything isn't working. But the first thing they do is they want to peel off all the security products 'cause they think that's interfering. Then all of a sudden I'll have a server that is no longer even has the LogRhythm agent on it. I'm trying to figure out who uninstalled this and whatever. It gets into a situation where I just go well why is that possible? Product like Symantec antivirus or trapps or something. I couldn't uninstall it from my work station even if I'm a domain admin. I got to have that admin password for the product and I think that should be baked into the LogRhythm agent so we have more stability over our deployment.

The second thing that I would like is, like I said our login level is about 750 million logs a day, but sometimes we'll go 850 or 1.2 billion logs a day. Sometimes maybe 680. So what in my environment changed? I don't have the ability really with the tools they give me to profile the systems very well and the log sources except for running supports which I can look at and kind of the crystal reports interface or I can export it to a big giant PDF or spreadsheet. But then I'm looking, well last month the exchange service kicked out this many logs and it's a little bit more but where did the rest of it go? If I go from 750 million logs average in a day to 850 it might not just be a delta of 100,000 logs increase, it could be 150 because something else might not have generated the same amount of logs.

So for the ability for me to be able to profile a system and say what's behaving normally and abnormally you can do some of that with the AI rules and we've played a little bit with that in the past, but it would be better if it was something like what they're doing with UEBA where I can say this server kicked out 80 million logs yesterday and that's not normal for it. I'd like to see what was going on with that box. That would in some ways where my mean time to detect which servers went through a significant variance in what they typically do would be very helpful for me on a lot of days.

LogRhythm gives us the ability to automate. We do have some smart response plugins that we're using. Unfortunately with healthcare you end up using more contextual smart response plugins then you do actionable ones. I can't go and shut down a system 'cause unless I have absolute 100 percent confidence in the fact that it's not actually touching a person because a biomed is a computerized medical device that connects to a person. So in our environment with a half dozen hospitals, 130 clinics. We can't just go around shutting things down or even necessarily quarantining them because it might be a client server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.

In LogRhythm the stability is very good. We're pleased with it. However we have a high rate of logs for at least I think it is. We approach 750 million logs on a daily basis is about our average and if anything stops working or service needs to be restarted it will rapidly vary itself. We don't have too many problems with anything like that it's just from time to time if something's not available, resource it needs, things will begin to back up and then it's exciting trying to recover.

Scalability is good. We had 23 systems not counting the collectors that are big LogRhythm servers, data processors, indexers. That monitors web consoles, pm's. We have in two different data centers we find that scaling for volume is very good. Scaling for the flip over for any disaster recovery situation we don't use Microsoft DNS we use Infoblox and the DR utility up to this point did not incorporate that product line and what was necessary. But they did take it back and that's what I like about how responsive they were. They didn't charge us the PSR's for all the time that we spent when it didn't work. They went back, they worked with Infoblox they handed off a technical document that I can work with my DNS guys back there and then reschedule the hours with PS. So it's really, I liked the way that they addressed it. They made it like we were important. I know we're one of many, but they took that back and they expanded their disaster recovery capability based on the fact that that's what we wanted.

Oh, tech support's good. We generate a lot of tickets. Anything from log, sometimes the vendors will enrich their logging but then that changes the ability of the tool to parse it and so then we'll notice that a log is not parsing and everything's going to the catch all rule. We'll open up a ticket, they'll take care of that pretty timely as well as anytime that we have a high issue, something that's affecting our availability and visibility and our network, they're very responsive.

I was back in 2014, so I was assisting someone else who's primary function was to implement it and it was several full versions back. I think it was version six or five or something like that. I don't know what it was. I think your awareness of LogRhythm grows over time. There's certainly ways to do things that are advisable that you can get away with. Rules that are not two and two well when you're on a certain scale once you get big, no technology is going to really handle any efficient rules and log processing policies that are beyond what you need, right? So I think that we probably had a normal growth path and knowledge curve compared to others where we first got it and we tried to do too much, turned on a bunch of rules. Didn't know how to tune them. But I think that right now we have a solid implementation. We have 130, 150 alarm rules running. We're not maxing out resources. Everything is running really well from a reliability standpoint, availability from the product. We do wish that the web console would go back a little bit further with its look in time. However, it is fortunate that they've embraced some of the other stand alongside technology like Cabana and ELK stack where we can take a look at the parsed data and trend back over time.

LogRhythm gives us the ability to automate. We do have some smart response plugins that we're using. Unfortunately with healthcare you end up using more contextual smart response plugins then you do actionable ones. I can't go and shut down a system 'cause unless I have absolute 100 percent confidence in the fact that it's not actually touching a person because a biomed is a computerized medical device that connects to a person. So in our environment with a half dozen hospitals, 130 clinics. We can't just go around shutting things down or even necessarily quarantining them because it might be a client server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.

If I had to rate LogRhythm I would say I give it an eight out of ten. I think that I like the direction that they're going as a company. I like their philosophy and their milestones that they lay out at these conferences. I do like them also from a product standpoint because some of the competitors are just not, they're price prohibitive as far as volume especially when you look at SIEM tools like Splunk. Small shops can afford Splunk, but big shops you got to really need Splunk to really afford it. The same with Qradar that's what we had previously where we were at and they just became price prohibitive. So I like LogRhythm, they have the full package. I like where they're going with network monitor. I like the UEBA stuff. We're not currently using that. I like the playbook integration. It seems like they're really thoughtfully maturing their product line and I think that gives me confidence for even if I have a pain point now they're going to address that going forward.

We primarily use the LogRhythm SIEM for the law collection aggregation for all of our Windows machines. We have all our firewalls sending logs to it. We have it hooked into Office 365 with the API to manage our cloud environment, and it's performed phenomenally.

The most valuable features are the reporting tools. A lot of times as security, we are tasked with explaining to management and the executives how the security program is going, what our concerns are, and if we want to get anything out of them as far as budget to fix some issues. We have to be able to show the evidence, and LogRhythm does a great job of putting it forward and making it easy to create reports with nice looking dashboards, which show off what we are doing as a security program.

One to three years.

It has been completely stable. We have had it in for a little over a year now, fully in production, and it has never gone down once. 

The only thing we had an issue with was when I tweaked the AI roles to basically fire on everything, which then caused a lot of accelerated rollover in our events. This was simply user configuration, and not anything on the LogRhythm side. It has been a very stable solution the whole time that we've had it in.

We are currently in the process of upscaling our current LogRhythm instead of buying a new one, which is really beneficial.

I don't know what they do on the back-end as far as the algorithm for crunching logs and keeping everything small and compact, but we haven't had any problems with the sizing. With some of the other systems the we have used, we quickly run into the problem where everything gets overblown and you have to go in and filter stuff out. What LogRhythm does that I like is they have all these knowledge base add-ons and modules out-of-the-box. It comes with all these features that you can use and get up off the ground running.

Their customer support is friendly and willing to help. I can't compliment their support staff enough. They've been nothing but helpful. Any questions that we have, they come out and help us, or they email us. It's great to have such an attentive support staff.

Using the LogRhythm Community, you can find the answers to any of the problems that you have. Everyone out there is just trying to help each other get better. So, it's really nice.

The installation was a bit complex because we are running a virtual infrastructure. Some of the stuff that we dealt with on the virtual machine and the discs was a little complex. However, the engineers at LogRhythm were more than willing to help. I had a little trouble because I was unfamiliar with the way vSphere works in the way that disk sizing stuff goes to get it setup.

Everything is running on one large virtual machine instance that we have because we have a lot of virtual infrastructure. We help other companies and host their solutions. We are really versed in that. So, we have one huge deployment, and it works really well.

The nice thing about LogRhythm is you can either use the agents, getting a certain number of agents with your license depending on how you want to go, and those agents do a lot of cool things, or you can use CIS Log host, then you have like an unlimited number of them. So, we have used the CIS Log for a lot of ours because it was easy to put into LogRhythm and change the destination of our CIS log solution. Now, our CIS Logs go into LogRhythm, and it's easy. You see them pop up there, then you just accept them as new log sources, and bingo you're in. Now, you're working. So, it is really good.

Where some other engines have been touted as SIEMs, you actually have to do a whole lot of actual engineering work of your own to even get the basic functionality out of them. This is one thing LogRhythm knocks out-of-the-box. 

It helps that the product is fully realized and ready to go as soon as you get it installed. You can immediately see results and immediately see the data coming in. You're able to collate and correlate it, obtaining your data in a quick and easy manner. 

Do a demo. See what they're offering. Just know that their support is the best.

I haven't used any of the automated playbooks yet. Our engineers are leery about having the automatic stuff go off, which I can understand. We also have separation of duties. I don't have a lot of their credentials to work with it on my own, so we would have to go back and forth with the engineers, and that is something that they don't really want to do. However, we do have our own playbooks and security team, but it's more manual. I am interested in the playbooks feature, so I will attend one of the events here to learn more about it and figure it out, then take it back to the team to get buy in on it, so we can then use it.

We have about 2500 log sources sending logs to LogRhythm right now. We have about 20 firewalls, with a lot of Windows PCs. 

It's the best solution that I've ever used. We're expanding its use, not only in our corporate network, but out to the cloud environment where we host customer data stuff, too.

The primary use case is looking at our security as a whole, as an organization, trying to get all the logs collected, see how things can be integrated or what's happening through the different products. We also use it to see how people are trying to potentially circumvent security and what we can do to prevent people from doing that. Finally, we use it to get training out to end-users for certain things that they may be doing inaccurately.

We don't currently use the full-spectrum analytics or the built-in playbooks.

The benefits are having a deeper look into some of the applications, what's happening within them and possibly seeing configuration errors, enhancing not only the security but the functionality of different applications.

It has also provided us with increased staff productivity through orchestrated, automated workflows.

The most valuable features are the alarms, and some of the reporting features in the product are great. The web interface is awesome, it's very intuitive and gives a lot of great information.

So far the stability has been great. No issues whatsoever.

We're actually going through an expansion at the beginning of next month and it seems to be fairly easy.

We have used technical support in the past and it hasn't been an issue. They get back with us fairly quickly. Great people to talk to, very knowledgeable.

We were using another product before, McAfee Nitro SIEM, and that product was just getting too hard to maintain. We had other people on the team and within the organization who had used LogRhythm in the past, so it came highly recommended. We checked into it, checked reviews on some of the different vendors, and LogRhythm is the one that came out on top.

The initial setup was pretty straightforward.

In terms of the deployment and maintenance of the solution, for us right now, it was very light staff for the setup. It was two or three people that racked and stacked the servers. Once that is done, you don't really need them anymore. For maintenance, we've got two or three people on staff who manage and maintain it.

I'd highly recommend going with the product.

Our security program is pretty much in its infancy. We're always looking to improve things. Just as IT, in general, constantly changes on a daily basis, LogRhythm is always evolving and coming out with different things, helping with innovation. It's been great.

Right now we have roughly 70 to 80 different log sources. We have about 5,000 to 6,000 events per second, and we're looking at expanding that.

I rate it at eight out of ten. It's up there, top-of-the-line, but just like with any other application or program, as you grow, there are going to be some small hiccups. They're very minor.

We have 10 hospitals or so throughout Minnesota, and a lot of clinics and smaller health facilities. The technology stack is mostly Microsoft based. We do about 25,000 MPS.

Key challenge is just protecting PHI, personal healthcare information, that's a challenge in our industry. Patient care comes first, even before security. Then also, healthcare is a bit behind the loop. It's a large organization, we've got over 30,000 end points.

Just like any SIEM product, LogRhythm gives you a lot of insight into your organization. The web UI has been particularly helpful for our analysts and our budding SOC program. Being able to give them a nice kind of sexy layout, dashboard. And the reporting is great for management.

Then there are all the "cobwebs" that we're discovering, that LogRhythm gives us insight into.

We can't feed it fast enough, is basically what it comes down to. It's given us a ton of insight that we didn't have before. It's been magic.

The functionality of it. It definitely does a lot of things out of the box. You don't have to do a ton of tweaking and tuning, but that's there for you if you want it. Big-time usability and implementation is easy.

Maybe it's just my lack of understanding of it, but I would like to see the web UI expanded further.

I would also like to see - and there might be some documentation around it - building your own smart response plug-ins.

I think those would be pretty nice.

So far so good. No complaints.

It's been very good. I've had a couple instances where it's taken a week or more to figure out the issue. But usually, when it gets to the tier-2, tier-3 guys, they get it answered really quickly. We've also had a lot of success sending logs to them so they can do RegX on those for us, some custom parsing. It's nice.

The issues we had surrounded integrating the Qualys API, and some questions that we had. It ended up taking awhile to get it figured out, that we needed to get a feature request put in.

In terms of a solution being unified, end-to-end, for us it's huge. We have a ton of different security controls. I'm sure we're not any different than any other organization. Being able to bring it all in and put it on a single pane of glass is awesome.

My rating of eight out of 10 for LogRhythm is because, while I think the support is great, the solution is a little rough around the edges. Like I said, I'd like to see the web UI built out more, and be able to jam more data into it. The fat client console feels a little rough around the edges to me, even though I use it every day. But overall, not a ton of complaints.

Definitely check out LogRhythm. That's one of the things that I've noticed in talking to other people, it seems like people really focus on other top 10 SIEM tools like ArcSight and such. I don't hear LogRhythm talked about that much, so usually I'll bring it up and say, "Hey, go check out Logger."