LogRhythm SIEM Reviews

We have 10 hospitals or so throughout Minnesota, and a lot of clinics and smaller health facilities. The technology stack is mostly Microsoft based. We do about 25,000 MPS.

Key challenge is just protecting PHI, personal healthcare information, that's a challenge in our industry. Patient care comes first, even before security. Then also, healthcare is a bit behind the loop. It's a large organization, we've got over 30,000 end points.

Just like any SIEM product, LogRhythm gives you a lot of insight into your organization. The web UI has been particularly helpful for our analysts and our budding SOC program. Being able to give them a nice kind of sexy layout, dashboard. And the reporting is great for management.

Then there are all the "cobwebs" that we're discovering, that LogRhythm gives us insight into.

We can't feed it fast enough, is basically what it comes down to. It's given us a ton of insight that we didn't have before. It's been magic.

The functionality of it. It definitely does a lot of things out of the box. You don't have to do a ton of tweaking and tuning, but that's there for you if you want it. Big-time usability and implementation is easy.

Maybe it's just my lack of understanding of it, but I would like to see the web UI expanded further.

I would also like to see - and there might be some documentation around it - building your own smart response plug-ins.

I think those would be pretty nice.

So far so good. No complaints.

It's been very good. I've had a couple instances where it's taken a week or more to figure out the issue. But usually, when it gets to the tier-2, tier-3 guys, they get it answered really quickly. We've also had a lot of success sending logs to them so they can do RegX on those for us, some custom parsing. It's nice.

The issues we had surrounded integrating the Qualys API, and some questions that we had. It ended up taking awhile to get it figured out, that we needed to get a feature request put in.

In terms of a solution being unified, end-to-end, for us it's huge. We have a ton of different security controls. I'm sure we're not any different than any other organization. Being able to bring it all in and put it on a single pane of glass is awesome.

My rating of eight out of 10 for LogRhythm is because, while I think the support is great, the solution is a little rough around the edges. Like I said, I'd like to see the web UI built out more, and be able to jam more data into it. The fat client console feels a little rough around the edges to me, even though I use it every day. But overall, not a ton of complaints.

Definitely check out LogRhythm. That's one of the things that I've noticed in talking to other people, it seems like people really focus on other top 10 SIEM tools like ArcSight and such. I don't hear LogRhythm talked about that much, so usually I'll bring it up and say, "Hey, go check out Logger."

We're using LogRhythm NextGen SIEM only for a few databases. Members keep their data on our FTP server, and we monitor firewalls, endpoint management solutions, and some critical endpoints.

LogRhythm NextGen SIEM has improved the organization through the alarm system my team has configured. The alarm system is key to looking after all the hardware and endpoints.

What I found most valuable in LogRhythm NextGen SIEM is that it's user-friendly. I also like its dashboard, which shows all the logs and information I want to see.

One area for improvement in LogRhythm NextGen SIEM is that it's a Windows-based tool, and I feel it should be on the Linux operating system instead.

Another area for improvement in the tool is the UI. There should be minor changes in the UI to make it better, though I like the dashboards in LogRhythm NextGen SIEM.

I've been using LogRhythm NextGen SIEM for one month now.

LogRhythm NextGen SIEM is a stable tool. I didn't find any instability in it.

LogRhythm NextGen SIEM is a scalable tool. Scalability is one of the reasons why my organization uses it.

When I joined the company, a ticket was previously opened with the LogRhythm NextGen SIEM technical support team. Though I didn't directly connect with support, I have information that the problem was resolved and that the support team was very cooperative and very technical in solving the problem.

Though I didn't configure LogRhythm NextGen SIEM as it was pre-configured when I joined the company, any solution won't be difficult to implement, as long as you have an understanding and knowledge of the product or tool. I was an implementer once.

Senior management is in charge of purchasing the license for LogRhythm NextGen SIEM, so I have no information on how much it costs.

I worked on McAfee SIEM for six months, but that was when I was part of another team. If you compare McAfee SIEM with LogRhythm NextGen SIEM, I prefer LogRhythm NextGen SIEM because it's a user-friendly tool. It's also very easy to configure. The dashboards in LogRhythm NextGen SIEM are also very simple and very informative, and I've configured them to better understand what's happening in the organization. You can also create an alarm system in LogRhythm NextGen SIEM, that's very helpful.

I also evaluated IBM QRadar, and I found IBM QRadar to be a better tool than LogRhythm NextGen SIEM.

I work in the enterprise security department or the SOC, and I just have to deal with the logs. The tool being used within the organization for log management is LogRhythm NextGen SIEM, particularly the N-1 version.

My organization uses the on-premise version of the tool, and it's been applied to the data center.

I belong to a very small organization with a data center that has sixty people using LogRhythm NextGen SIEM. In terms of maintenance, the tool isn't difficult to maintain.

The only advice I have for anyone who'd like to start using LogRhythm NextGen SIEM is that it's a very good tool, with good features and functions.

My rating for LogRhythm NextGen SIEM is seven out of ten. I didn't give it a ten because it's Windows-based, plus I also don't like its UI that much. LogRhythm NextGen SIEM is also not as good as IBM QRadar.

Our primary use case would be for compliance. We needed a check in the box for compliance. Right now, it's performing and doing its job, allowing us to say that we are compliant with HIPAA, PCI, etc.

It has improved the way our organization functions. It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days.

LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently.

Our security program is still in its infancy. There is a lot of work that needs to be done. We finally were able to get our SIEM. A few things that we need to do are data loss protection, user behavior analytics, and another feature that LogRhythm offers that we're probably going to invest in the future. The program could use some work, but it is pretty solid now.

The most valuable feature is the Threat Intelligence Services (TIS).

We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4.

In the three weeks that we have had it, we have had 99 percent uptime. It is a very stable platform.

It is scalable. They don't charge for going over your messages per second. It does scale with the business. 

Technical support could use a little work in the terms of responding back. The feedback that we received is they do need a little more staff, but every issue that we've opened a ticket up for has been resolved.

We did not have a previous solution that we were using.

The initial setup is straightforward and complex as it requires a lot of work. It's very straightforward and very organized. Our consultant guided us as to what we needed to do, but the entire thing is complex. One misstep or incorrect character can bring the whole thing down.

I do all the deployment and maintenance.

The sales engineers and salespeople who come in and scope out what you need are very knowledgeable. They are not there to upsell you. They get you what you need for what you have, so everything runs perfectly. The consultants are extremely knowledgeable. Getting LogRhythm up took less than a week. It's a very solid solution.

When it comes time to renew, they say, "This is what you are using. This is what we can do for you." So, they work with you on pricing.

There were multiple competitors. We almost went with Splunk, but LogRhythm ended up being the best for the price. It ended up being everything we needed in one solution.

Everyone needs a SIEM. Go with LogRhythm.

We are not using the full-spectrum analytic capabilities yet, as we are brand new.

We have not used any of the playbooks. We do have them. We find them to be very detailed and organized. We just need to find a way to implement them.

I run in about 45 log sources with 12 of them being domain controllers, aka DNS.

Messages per second are fluctuating between 3000 and 9000. We are still trying to figure out why. We think it is our very chatty domain controllers, as we do deal with the Hard Rock and Seminole tribe, but I would say that we average about 5000.

Most important criteria when selecting a vendor: customer service. Do they care about our business as much as we care about our business? Also know as, do they care about our data as much as we care about our data?

My customers use the solution for user behavior analytics and as an anti-malware and anti-threat kind of tool. My customers are in finance-related areas. I deal with some gambling companies, and in my country, it is categorized under the finance sector.

The solution's features include good visibility of events, faster response to threats, and advanced ability to analyze events and data. In general, the visibility of events and advanced analysis of events are good.

The tool needs to improve the implementation part and have a virtual list of files for a virtual appliance or something like that because it is a very complicated area when it comes to implementation. There are a lot of pieces that need to be installed and prepared, and, of course, there is a need for virtual resources. The tool must offer better virtual resources and prepare some virtual appliances with some ISO or VMDK files. I don't care, but the solution must do something to improve the product. There are too many things that are complicated during the implementation phase.

I have been using LogRhythm SIEM for a year. I use the solution as a partner.

Stability-wise, I rate the solution an eight out of ten.

It is a highly scalable solution. Scalability-wise, I rate the solution a ten out of ten.

From LogRhythm's perspective, my company deals with small to medium businesses.

The solution technical support team provides quick answers to any request. The team's knowledge and way of resolving issues are also fast. We haven't had any problems reaching out and getting the support we need for the tool. I rate the technical support a ten out of ten.

Positive

The product's initial setup phase is pretty complex. The tool offers good guidance, and everything else is clear, but there are a lot of steps involved in the implementation. From the client's end, there is a need to include a lot of people, like system admin, DB admin, and network admin. Sometimes, I think the tool needs to improve something in the area of the setup phase so that there aren't difficulties during the implementation process.

If ten means easy setup and one means difficult, I rate the product's installation phase a four out of ten.

The solution is deployed on an on-premises model.

If everything is prepared already, the solution can be deployed in one or two days. In the end, there are a lot of things that you need to prepare before starting the tool's use, so it takes two to five days for the initial deployment, but after that the installation processes take just two days.

For my customer, I think the tool is reasonably priced. I think the tool is reasonably priced. There is a need to pay per year towards the licensing costs of the tool. From what I heard, the tool has a very reasonable price, and users pay on a yearly basis for its licensing charges.

Speaking about how LogRhythm SIEM influences operational costs, or if it does have any security efficiency, I would say that I don't work with the tool every day to know what the operational cost benefit is. In any case, with fewer people, the tool has better visibility. There is a need for three or four people in a team for SIEM. The tool ensures better efficiency of the team by improving costs, but I am not very sure how to explain it as the tool has centralized events as it is spread out geographically with a lot of branches. We get a better understanding of the networks in different countries with the centralization part, improving the efficiency of the SIEM team.

With LogRhythm SIEM, there is a need to deal with a lot of customized services. The tool spends a lot of time with professional services for customization. The good part is that the support team finishes their job very quickly and offers very good responses when it comes to the area of customization. There was a little disappointment since the tool did not have some of the parsers for some systems in the environments, like IBM, which was a surprise. In any case, support did the job, as there were tons of customizations needed. We were able to deal with the customization area and resolve the issue around it, making it a very customizable tool. It is a very flexible tool. I spend a lot of time with the support team doing the customizations. Customizations take a lot of time, but they are still a plus.

I have not noticed any AI elements in LogRhythm SIEM.

I recommend the tool to others.

It is a perfect search engine, and every report is analyzed really quickly and in a straightforward manner. The tool has an easy GUI, and it is the perfect choice for security analysts. The tool has consoles, including an administrative console and a web console. For some people, that can be a problem. I think it is really good when you have administrative guys who deal only with the solution and analysts who deal only with the analyzed part without some preparation for the core configuration. Everyone can deal with the day job. For me, the tool is advanced, but maybe for others, it can be an issue. In any case, it is really visible to others for documentation. The tool is scalable and really operational. The tool is easy to use and for sizing. In the end, it is a good tool. In the Serbian market, most of the tools demanded are on-premises. When it comes to the on-premises solution, I think LogRhythm is one of the best tools. We are a little different than the other parts of the world. Everyone wants to go to the cloud, but here, everything wants to be kept on an on-premises model. The market in Serbia is very strange because we aren't a part of the European Union, and so, with regard to compliance, we always have some problems. The companies in Serbia like to have on-premises solutions because most financial institutions, banks, or government institutions have data centers, so they won't go to the cloud. In Serbia, we don't like to deal with cloud solutions, especially when the data needs to be consumed somewhere in the cloud because the biggest problem is the cost of cloud solutions for SIEM tools. Most of the applications and everything is also hosted on-premises in Serbia. Normally, the SIEM tools are used in an on-premises model.

I rate the tool a nine out of ten.

We operate a Security Operations Center. We have to provide internal security to our client base and intel. That's why we use it.

We mostly deal with phishing email attacks from our Intel-related clients. So, most of the cases are related to using the SIEM. And we receive the logs in our database to do all those things.

In Sri Lanka, we have a local SIEM supplier. And in addition to that, if we need some more calibration or help with incidents, we raise a ticket to LogRhythm, and they will give us their support.

It is good for us. 

The price could be improved.

In future releases, I suppose if they can give us some training related to LogRhythm, that would be very beneficial. I suppose the training is not enough.

And the product might be a little bit complex for non-experienced people

I have been using it for two and a half years. 

It is good. 

Positive

Our Security Operations Center (SOC) and our SIEM use LogRhythm. We have to renew our license and are looking for another SIEM. We are doing a comparison with Elastic.

The initial setup is complex. There's a complexity, actually. We have received some training in the last two and a half years. We got training from our local supplier. Actually, we haven't received any training before from [LogRhythm], so I suppose they should provide training for that.

I suppose there's a very high cost in that. So that's the main reason we are trying another solution.

I would recommend it to others. Overall, I would rate it an eight out of ten. 

We are consultants providing governance solutions for the banking sector. We have a lot of use cases. We have more than 400 use cases for the client side.

Its ease of use is valuable. It has improved a lot from the previous versions. It had a lot of issues before, but now, it's way better in terms of integration, the console part, report creation for use cases, false positive numbers, and so on. Its AI engine is a lot more advanced in the latest version.

The web and on-premise console interface should be the same instead of having a separate engine for each. 

I hope that they remove the console and have only one GUI. There should be one engine for both the web and the console. They shouldn't have two different engines for each one of them.

There should be easier deployment status, and like Splunk, there should be a more professional way to write the search. There shouldn't be only a drop-down menu. It'll be a good thing to add.

I have used LogRhythm for about three years now.

LogRhythm SIEM is stable.

LogRhythm SIEM is highly scalable. We have more than nine users working with this solution.

The technical support depends on the technician you get. Some are good, but some aren't.  We had multiple sessions with one person for over a year with no results. Other engineers are excellent. 

Setting up LogRhythm is complex. It took our team more than a month to deploy. We have a large team in my company because we are working with dozens of clients. Our BS team is almost 15 people. 

Its implementation is handled by a different team. We have a very big team in our company because we are working with a lot of clients. Our implementation team has almost 15 people.

There don't seem to be any costs in addition to standard licensing.

I'd recommend LogRhythm SIEM to others. I'd rate it an eight out of ten.

Our primary use case for bringing on a SIEM in general was the need to correlate our data across dozens of different solutions that were spitting out logs. We got to a level of complexity where it became mandatory.

This solution has been almost like a transformative change in how we detect and then respond to incidence. Quite honestly before, we didn't know what was going on and we couldn't detect anything other than  a random virus that sent an email from our AV solution. For us, it really took off when I was a little onboard the Office 365 logs and then we were able to start monitoring locations of login and we actually detected multiple accounts that were logging in from countries that had no business being there.

That led to some investigatory work and actually led to some password resets. It was really positive and we continued to detect that type of activity and enhanced the rules, changing here and there. That was a big one for us because we had never even looked at the Office 365 audits because we didn't have a way to do it. LogRhythm brought that in and within a day or two, we're like, "These three accounts are popped and we need to get these guys off the network now." It was amazing.

We're currently processing about 3,500 messages per second. We have experienced a massive decrease in our mean-time to detect. It's actually hard to improve on nothing. It's hard to get worse than no detection, so we went from being able to like, "Oh, a virus happened," to, "This user went to a weird website. We got that from your DNS logs and then 10 minutes later, their antivirus fired on something." And now we know that we can go over there and triage that system quickly as opposed to maybe not getting the virus log for a day. The other thing is detecting when we think breaches are happening, which is something we just didn't have the capability to do before we brought in LogRhythm.

When it comes to our security maturity, I was the first person at my company to do security, and the company had been around for 30 years. I bet that started from scratch, and I started where we were bleeding which was our endpoint detection for malware and ransomware. And then be added on more layers. We added on like IPS and we added on a lot of perimeter type stuff.

While LogRhythm was probably the last component that I have onboarded in like first two-year time frame, it's now the center of the program. Everything feeds into it and that's where I go for just about everything. There are a few solutions that I still have to go out to those solutions to look at stuff but even like from a purchasing perspective, even my IT operations team, my IT applications team, my company asks vendors two questions right out of the gate. Do you have a cloud offering, and do you natively support LogRhythm? And those two are heavy, heavy hitters when it comes to whether or not we're going to put you in the running to buy your software.

The most valuable features in LogRhythm, honestly for me, the single most valuable feature is the web console. That is actually the primary reason we chose LogRhythm over some of these other solutions because I was able to leverage web console usage across multiple layers of IT, and I didn't have to sit back and teach everybody complex SQL queries. Just that point-and-click interface, it's nice and bouncy and it's beautiful to look at has really driven the adoption of the use of the software. Secondarily, I think another really great feature is the LogRhythm community. And the content that that provides has enhanced our adoption over the years.

We don't use the full-spectrum analytics capabilities of the SIEM mainly because I'm a lone wolf in running it. It's just a matter of timing and focus. We do a lot of analytics around user behavior although we're not a cloud AI customer yet. We're doing a lot of what they call the AI engine to do user behavioral modeling and we're starting to onboard some network behavior modeling analytics as well.

It honestly comes back to me for log sources. The time to get support to onboard a log source runs about 18 months, and that's just too long. Like I said, I'm a lone wolf running the system. I don't have a lot of free time to write ReGex and build out my own policies, and I tend to write bad ones that are very inefficient. It is tough when I get a critical source or when a part of the business went out and just bought something, never consulted IT, and now we have to audit it and it doesn't support LogRhythm or it doesn't even like have a function that gets us the logs. We have a cloud solution where we can't even get the logs out of it. It's crazy bad. But when we do get those logs in, it would be really helpful if we could get a supported log source policy from LogRhythm in a shorter amount of time

I have had a lot of trouble with stability, perfect timing. We onboarded way too many log sources on the get-go and overran our appliance's capabilities. And I've spent probably the last 12 months working to stabilize the damage that I caused the system when I did that. It's been a rough year for stability. Even just before I came to this conference, I think I got it finally stabilized. I'm cautiously optimistic that I can take a deep breath and start focusing more on the logs instead of the appliance itself.

We've scaled the solution twice. I haven't done a whole lot of like large-scale build-outs. We're still a single appliance. What we did scale was we scaled the memory and we scaled our NPS license and then I added in some external storage. And all of those things went great. We're to a point now where they're recommending that we buy what they call a data indexer separately. My leadership is more interested in moving it to the cloud than buying more hardware, so I'm working to get a POC started up to get it up into Azure and see if we can scale horizontally in Azure as opposed to buying more hardware. I might have a lot more to say about scalability next year.

Tech support LogRhythm is one of my favorites. Of all the solutions I deal with, those guys and girls are insanely good at their jobs. And so when we bought the solution, my leadership did not buy professional services to help me deploy it. I did it blind, basically, with the user guide. And I think in the first year, the number was about 75 tickets that I opened in the first year. And they still answer me when I call them, so that's great. And they're very willing to stick with you as long as you need.

The only challenge I do have with their tech support is the time shift because their tech support is all based here and I'm on the East Coast. They want to meet it like 5:00 p.m. Denver time, it's like, "Oh, no. I'm at 7 o'clock, dude. I'm done for the day." One little annoyance but it's well worth it in the end to get the support that we get.

The support for log sources is fantastic. It is challenging because you're always going to come up stuff that you need that is not recognized, and writing my own policies has been very challenging. As far as log sources, the last time I checked on Friday, I think we were at 2,900 log sources. It's a lot for this little appliance.

When we went shopping for a SIEM, I had come from a Splunk shop. I was very familiar with Splunk the interface. I like the software, so Splunk was number one on my list. And who was number two? SolarWinds had a SIEM solution that we had played with a little bit at my company, so they were also in the running. And then actually one of my partners talked to me about LogRhythm because I'd never even heard with LogRhythm before and so we did a demo.

And ultimately, it was two big factors. From a Splunk perspective, cost. Cost to build it out and then cost of licensing, it's just unattainable for us. And number two, LogRhythm's WebUI and the speed with which you can run searches in it was hands down my primary reason for going with LogRhythm.

I'm going to give them an eight. It's a fantastic solution and I totally support what they're doing and I like where it's going. But there is room for improvement, and there are some pain points and honestly I've had a rough year. That kind of influences it too. It's been a lot of time on the phone with support this year.

I will tell them what I wished I have known the day I started onboarding logs, and that is when you're looking for a SIEM, put all the features and everything to the side. Go talk to your business people and find out what's important to them because that's how you're going to know what to bring on initially. And once you know those things that are critical and the things you have to do, then you can evaluate the different solutions to see who has the native support because we didn't do that.

We bought it simply because it was awesome and fast and less expensive than Splunk. And then I onboarded 1,500 log sources in a week and brought the system to its knees. And I'm even now today still cleaning up and removing log sources that just bring no value. It's just noise.

Take the time and plan that out before you even go talk to vendors. Figure out what logs are out there, which ones are meaningful to you and the business and then find the solution that fits best with that.

It's our central security monitoring platform. It's where we bring all of our events together so we can monitor our network.

It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.

Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.

In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythym has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.

From an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have.

We use the full-spectrum analytics capabilities. We have a number of rules that we've built, and built-in rules that we leverage as well. We've got a whole bunch of dashboards and the like to do the analytics. We definitely find the full-spectrum analytics to be valuable.

Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the smart responses into the playbooks. That way, we can not only have the playbooks, take those steps, but start to automate those steps as well. I think that is really powerful.

We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that.

Generally, the stability has been good. We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades.

It will definitely meet our needs going forward. We're not a huge shop, so we haven't had a whole lot of problems there.

But going back to the upgrade issue, in a previous upgrade from 6 to 7, we ended up with some hardware problems, because of scalability, with the software change. The hardware that we had didn't meet the needs anymore. But we were able to get that resolved.

Technical support is not bad. The lower-level, first-line support is not always great, but if we can get to the right people, then it's pretty good.

At this point, it's a pretty core platform for us, so we haven't been looking around.

We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.

Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.

I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence, there's always room to improve.