LogRhythm SIEM Reviews

The primary use is monitoring logs, to see what's going on.

It's head and shoulders above what we were using, which was SolarWinds LEM.

Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

As long as you don't overfeed it, it's fairly stable.

The scalability has been fairly decent so far, as long as you don't overfeed it.

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: How many tickets they can close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

The initial setup was fairly straightforward.

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.

It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff.

But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they have large security questionnaires that we have to fill out. So having a SIEM product is one of those check boxes, and being able to say "yes" on security questionnaires; or one that clients come in and say, "We want proof that you're auditing your domain controllers, that you're auditing the security files servers, you know who touched our files, how they read them, deleted them, modified them." 

Being able to pull all that information up before the auditors, it's great. Very critical.

We're fairly new to LogRhythm. One of the things that we really liked in the deployment PoC phase was the dashboard. How easily it percolated critical information up onto a screen that we could immediately review, and drill-down to look at the raw logs. That was one of the key features that we liked in the PoC. Still today, that is by far one of the best features.

Probably the biggest improvement and I've talked to several of the management here at the LogRhythm User conference on it, is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets are extremely large, tons of files are being modified, deleted, created. That product could use some more enhancing.

We've been working with them to enhance that product for future releases. It's been a good experience. 

Any issues that we've had, they've actually fixed the majority of the issues that we had with the initial product, by even giving us customized installation packages to adapt to our environment.

It's been real good. We've done several upgrades since then. Each time, if there has been an issue, we've just opened up a ticket with support and literally, it's hours to minutes sometimes - depending on time you open up the ticket. There's a response and then engineers calling you, and helping you out through some of those issues. It's been good.

We haven't scaled because, like I said, we're still the first-year phase. Now, when we purchased the product, we did purchase it to scale it out a little bit over time. We overbuilt it just a little bit so that we could keep adding log sources to it. But so far, we've been right on the money, as far as the initial build of it. 

We had come from two other SIEM products that were going end-of-life. The original one was the Cisco Security Manager, and then the latest one was RSA enVision. Because that was going to end-of-life, we needed to find a replacement product.

The big thing was the PoC was a great tool to get a great overview of what the product was going to be like. We also worked with an SE that helped deploy the product. Then we also were able to talk to support. So we got a good feeling to how the product was going to operate, not only from our operational standpoint, but also from a support standpoint, and also from help from our local support engineer.

We just had a great experience all round, and when comparing feature sets, the web interface to the alarm drill downs, the AI Engine drill downs, to the network monitor product, it was definitely on the top of the list.

The other big thing that we really liked about LogRhythm - we had a unique requirement - was that we had to have appliances, we didn't want virtual devices. Just from the security side of things, we wanted to be able to manage those devices ourselves, rather than having our infrastructure group manage those. LogRhythm also provided us the appliance base versus Splunk which is all virtual base.

We actually used LogRhythm's Professional Services group to help us get the product up and running. It went real smooth. Matter of fact, the amount of time that we allocated the Professional Services, we were short of that. It just went real well. 

Our group caught on to the product very quickly, which was another great benefit. We were able to do a lot of the work ourselves, versus relying on Professional Services to do it, just because we caught on much quicker than we had thought initially.

Our SIEM solutions list included several different vendors from Splunk to LogRhythm to RSA, their new product. We ended up choosing LogRhythm.

Just from the simplicity standpoint, it's met all of our expectations now. Like I said, you always have that little thing here and there that you still have to tweak, but other than that, we've really liked the product. 

The biggest thing in this product is not everybody on our security team is well versed in SIEM or analytics, but we found that LogRhythm - the Web Console UI - really simplified, especially with the metadata parsing out. It allowed those people to read those type of events much quicker, because it was right there, and it was pretty easily translated. So "user" is username, "host" is the host, and so it's very easy. You're not having to dig through this big long raw log file to actually figure it out. Then if it needs to go there, it goes to an advanced person.

LogRhythm SIEM is a cybersecurity solution that we use to protect our network and devices from external and internal threats or attacks. It's part of our overall cybersecurity strategy, which includes SIEM, EDR, and DLP solutions.

LogRhythm SIEM offers advanced features such as AI engine modules, machine learning, and threat intelligence integration, which help reduce false positives. Advanced analytics streamlines incident response processes, enabling incident responders to prioritize and automate alerts.

LogRhythm SIEM can improve its user interface. The current interface is quite complex and can be challenging to navigate. While it offers many valuable features, understanding how to access and utilize them efficiently takes time. Simplifying the client console's user interface would significantly enhance the user experience and make it more user-friendly.

I have been using LogRhythm SIEM for the past five years.

I would give it a nine out of ten in terms of stability, as the support and tech teams are reliable and efficient in resolving issues.

Considering its capacity and ability to meet requirements, I would rate LogRhythm SIEM around seven out of ten.  As a service provider, we cater to multiple users and organizations.

The technical support for LogRhythm SIEM is good.

Positive

The setup for LogRhythm SIEM can be rated eight out of ten in terms of ease. It's an on-premises deployment and typically takes about ten to fifteen days for a basic setup. Still, depending on the complexity of log sources and integration needs, it could extend to twenty and twenty-five days.

We’ve integrated LogRhythm SIEM with various systems, such as Cisco switches, databases, PAM solutions, and Trend Micro ADA solutions. AI integration plays a significant role in enhancing security monitoring efforts by automating tasks and detecting zero-day attacks.

I would rate LogRhythm SIEM an eight out of ten and recommend it to others.

It is an SIEM tool. It gathers logs, parses and normalizes them, and correlates the logs with the rules we write. For example, if an account tries to log in multiple times with the same username, I can write a rule for it. The SIEM tool would analyze the logs and generate alerts based on the rule.

The user interface is pretty good compared to other SIEM tools. The log search capabilities are good. It gives results pretty fast.

The correlation can be improved. If an alert is generated, we want to know the related events. We often have to search for the drill-down option. Sometimes, it is not available. Sometimes, the tool fails to get the correlated events that triggered the alerts. Searching logs is a bit difficult compared to other tools.

I have been using the solution for one year.

I rate the tool’s stability a seven out of ten. The tool fails if we run big queries. The search breaks down even if we put a limit on the number of events.

I rate the tool’s scalability a seven out of ten. It generates alerts but doesn’t give us the related events that generated them. Sometimes, we need to mess with the configuration to get it back up. The security team uses the tool to analyze the logs.

I used QRadar before. I prefer QRadar over LogRhythm.

The initial setup is easy. It is not that difficult.

People who want to use the solution must not do any big searches. Overall, I rate the product a six out of ten.

We have about 600 employees supported by this solution. Our goal is to try and bring in at least one additional application into our SIEM tool each month so that we can get better insights for those particular platforms.

This solution has improved our organization in many different ways. The biggest benefit is being able to view all information in one dashboard instead of having to look at several different applications and dashboards. I can see information across our entire environment and every aspect of our network.

LogRhythm really helps with our cybersecurity exposure because it gives us insights to make us more proactive versus reactive regarding events happening in our environment. LogRhythm gave us so much insight into blind spots that we didn't even know we had.

LogRhythm also really helped our environment in terms of security posture because it gives us so much more information that we can use in a timely manner. Some of our other providers don't give us reports until as late as the next day. With LogRhythm, we can have alarms triggered within seconds that let us know that there are particular things that need to be addressed. This is much quicker than if we just trusted that particular vendor to let us know.

My favorite feature is the Drill Down which allows us to look at several different logs originating off of one particular alarm. If there is suspicious activity, we can use that feature to access one dashboard with different anomalies that might stand out or different places where alarms would've been triggered for particular events. 

We use the Event Log Filtering feature quite often. It makes it much easier to find useful information in our SIEM tool in a quick and efficient manner. There have been several times when we have imported 20,000 plus logs within a matter of minutes and it makes it much easier to find what we're looking for, especially when time matters.

The Event Log Filtering utility also allowed us to find information much quicker in our environment because it simplified the process of finding information. 

Better integration with different services is needed, as there are quite a few platforms that we use that don't integrate very smoothly with LogRhythm. We would like to plug in an API key for another system and have that vendor's information readily available. 

We've been using LogRhythm as our SIEM provider for about five or six years now. I have personally only been using it for the last six months, learning the ins and outs of how it can support our organization. 

LogRhythm is very stable and reliable.

LogRhythm has amazing scalability potential for whatever your particular needs are.

We've had really good experiences with LogRhythm's technical support for things that are already in the environment. When it comes to trying to innovate with some of the newer things, this has been a little bit more difficult. I feel like they could be a little bit more intuitive going forward. I would rate their technical support an eight out of ten.

Positive

I would rate LogRhythm an eight out of ten.

It monitors any potential security threats within any of our important network security appliances, like our firewall, or any of our important databases. The idea being that you can't look at all the logs at once, so we now have a central point of monitoring for all potential threats.

I have been using LogRhythm for just a few months, but the college has had it for over a year. Until I worked with it, there was no monitoring it and the solution just sat there. The solution is just picking up speed now.

• The threat analytics
• Seeing what potentially could be happening; what are the riskiest things going on.

I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me, so I can focus my attention on my other job responsibilities, because there are a lot of them.

The only issues that we have had with it were Windows-based. The actual appliance has been up and continuously logging everything that we have, and CIS logging through it. There have been no signs of any problems nor instability.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.

The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

I have never used a competing product.

I love the potential of this solution. It sounds like a "set it and forget" type of solution. Let it deal with all the problems. It is good at doing that.

On the day-to-day, I haven't had a huge amount of time to work with the full-spectrum analytics. I have been focusing on getting it updated and up-and-running.

Currently, we have a Windows agent. Therefore, we technically have just two log sources, because the Windows agent is picking up all the domain logs onto one box and forwarding them on. It is taking all the Windows Servers and single-sourcing them. Then, currently, the only other thing that we have actively logging is our Sonic logs and CIS logs. We only have two individual sources listed, but it is more logs than that.

It has improved our ability to see incidents when they occur, instead of maybe a few weeks or a few months down the road.

Overall effectiveness is very good. I like how it is oriented to both analysts and technical support people. It's easily adopted by end users as much as by technologists.

Key challenges are going to be maintaining visibility as the technology changes, especially with cloud coming onboard, probably fairly soon. Also, the implementation of a SOC, which is relatively new to what we've been doing.

• The overall view of the solution: It encompasses end-to-end analysis and response.
• Log management
• Threat management: Threat hunting is going to be a large topic for us as well, which being a big data engine, will go a long way for us, too.

We have not move into cloud security so much, but eventually we will be there.

I would like to see case management become more independent from LogRhythm itself. Right now, it is very oriented to LogRhythm based events, but not manual events, such as user reported things and incidents where we might have large volumes of data that we have to store as part of the case. It works real well as a workflow device, but not real well for overall case management for an organization.

It's highly scalable, though we have not really been able to take advantage of all of its scalability yet. We're moving into the new architecture as we speak with having separate data processors and indexers. I am hoping to find out how scalable that becomes.

We're currently between seven and 11,000 logs per second. By next year, we'll probably be close to 20,000 logs per second. We have 14,000 branch offices and two large data centers. We're growing rapidly and trying to improve our visibility.

As far as technical support, professional support, and overall organizational support, LogRhythm has probably been one of the best companies that I have worked with since I have been in technology.

We did not have a previous solution.

When we originally put in this solution, it was for log collection and analysis of all of our branch network devices, but it has evolved over the last seven years to encompass pretty much anything that provides some kind of security visibility.

I was involved in the initial setup. It was straightforward, but it was seven years ago. We have gotten more complex as the system's evolved.

The SIEM solutions comparison we did included QRadar, RSA, and LogRhythm.

LogRhythm stood out due to ease of deployment, cost of ownership, and ease of use.

Look at all of the factors, including total cost of ownership and your roadmap of where you are going, and compare those to the needs that you have going forward. There are a lot of solutions out there that are either way too complex to manage, don't have a good roadmap, are a secondary solution in a larger company, or are going to just be astronomically expensive when they get to a useful state.

If the solution is a unified end-to-end platform, it helps with the overall management, skill set training, and retention. It does provide some long-term benefits.

Most important criteria when selecting a vendor:

• Usability
• Growth potential based off of cost.
• Architecture.

So, where could we grow the system, because a lot of systems were either too complex, too expensive, or very oriented for that particular network-based solution. I was looking for some kind of compromise in the middle.

We operate a Security Operations Center. We have to provide internal security to our client base and intel. That's why we use it.

We mostly deal with phishing email attacks from our Intel-related clients. So, most of the cases are related to using the SIEM. And we receive the logs in our database to do all those things.

In Sri Lanka, we have a local SIEM supplier. And in addition to that, if we need some more calibration or help with incidents, we raise a ticket to LogRhythm, and they will give us their support.

It is good for us. 

The price could be improved.

In future releases, I suppose if they can give us some training related to LogRhythm, that would be very beneficial. I suppose the training is not enough.

And the product might be a little bit complex for non-experienced people

I have been using it for two and a half years. 

It is good. 

Positive

Our Security Operations Center (SOC) and our SIEM use LogRhythm. We have to renew our license and are looking for another SIEM. We are doing a comparison with Elastic.

The initial setup is complex. There's a complexity, actually. We have received some training in the last two and a half years. We got training from our local supplier. Actually, we haven't received any training before from [LogRhythm], so I suppose they should provide training for that.

I suppose there's a very high cost in that. So that's the main reason we are trying another solution.

I would recommend it to others. Overall, I would rate it an eight out of ten.