LogRhythm SIEM Reviews

Not just for security but from an operational standpoint as well. Perhaps an end user would call with a particular problem - "I can't print in this" - and, during the investigation of that, we could find perhaps there was a log message that was generated, an error from that application. Then we could create a rule, quickly and say, "Any time that you see that log generate an alert..." 

It enables our IT staff to be a lot more proactive, to fix problems, instead of having to wait for the end user to call and say something is not working.

The scalability. We had a huge problem with that before. Now, we can quickly search through all of our logs. If we have an issue that, perhaps there's something suspicious from a particular host, we can quickly go through there and search all the logs for anything that had to do with that host for a specific time frame, and anything coming to or from that host, or if it's a user, or whatever it is. Investigations, its really been helpful for.

It's not necessarily bad against LogRhythm, but I think an area that always can be improved is the parsing rules. The more information that we can get out of the logs, as far as specific metadata in the logs, whether it's an IP address, or something like that. Sometimes, LogRhythm will parse the rule but perhaps it won't get every little detail out of the rule.

Any advancement in those, could be very helpful to be able to correlate those logs against other items. Especially for items that are a little less - "mainstream" may not be the right word - that are not necessarily a top-tier vendor. Perhaps, instead of Cisco, it's a different firewall vendor. Those sorts of things, that sometimes we run into an issue where the log parsing is suboptimal. It could be a little bit better, could be some improvements there.

We have about 550 users and 150 servers or so, and I think we're feeding in approximately 800 logs per second on average, into LogRhythm. We haven't had any problems with scalability. It chews through the logs, and our searches are pretty quick, they're very responsive.

Fortunately, we haven't had to deal with them a lot, but when we have we've had really good luck with them. They have always been very knowledgeable, quick to solve our problems, very responsive. They'll follow up if there is a delay, perhaps they're still researching the solution. They're always quick to reply back and say, "Hey, I haven't forgot about you, it's still with the developers." Fortunately, we haven't had many issues with the product.

We were using a different SIEM tool before. It's probably not really fair to call it a SIEM. It just really wasn't quite robust, it was more of a log collection tool. The system worked fine, we could create some basic events from a single log: "You see this log, fire an alarm off of it," or something like that; not really correlation per se. 

We had issues with scalability with it. We could stand it up for about a month, and then after about a month, as the database started getting full, then trying to do searches and things like that, it was too slow. So you would have to clear out the database, start again, and again it would work for about a month.

Yes we did, unfortunately I don't recall exactly which other ones we looked at, but we had a number of different demos with other vendors and, obviously, chose LogRhythm. 

We are really happy with the product. We've been a customer for a number of years now and really haven't had any issues. It's done just about everything we ask it to do.

From my point of view, at a organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's also used, dare I say, to tick a compliance box.

The most valuable feature for me is that it's a single pane of glass for all of the analysts in my team. It gives us complete eyes and ears into what's going on within our environment. We run two separate installations. One is in our datacenter where we handle all of the sensitive data, and one is on the enterprise side, so it gives us a real good visualization of what's really going on.

In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the board. Everyone in a CISO role is having the same challenge. We've got multiple spreadsheets. Being able to leverage the SIEM to give us the information would be invaluable.

The other area is Office 365. We're cloud-first as far as our enterprise goes, and what we lack at the moment is being able to pull that information into the SIEM. I understand that that's coming, so we're looking forward to that.

On the whole it's been fine. We've not had any issues with volume, with the system going down. There are a couple of tweaks that you get with older systems. Patching time is always interesting. When you want to do an upgrade, if you're going from a minor version it's fine. If you're going from a major, then it's always good to use the autopilot services.

In a previous role of mine, we had an IT department that thought they could do everything, and virtualization was the way to go. That definitely didn't work. In the current organization, we found the two instances are very, very scalable. Being able to get additional licenses for agents works well, very easy to do.

The feedback I get from the analysts in the team is the first-line support is your traditional first line support, they'll log a call. We often get the responses in a timely manner. If it needs to be escalated, we've got good contacts within the wider organization and it gets escalated from level-one to level-two, definitely don't have any issues there. 

It's nice to see that the vendor listens. If something does go wrong, they're on the phone giving you the support that you need. Other vendors don't necessarily do that as quickly as LogRhythm.

If we go back nine to 10 years, we had the advent of PCI. The standards council says you needed to use file integrity. The only real solution at the time was Tripwire. That's when I got introduced to Ross Brewer (Vice President and Managing Director of EMEA for LogRhythm). From that point, we knew this was the right solution. We wanted to gather the logs into a central place.

In the various guises that I've had over the years, we've gone from multiple installations across 54 datacenters, globally, into our smaller setups. It's easy to install, it's pretty much, as they say, "out of the box," but it needs to be fed and watered on a daily basis. You do need a team to look after it, which I think is the same with any SIEM out there, but this is much easier to use. And because it's out of the box, you get the information you need within the first couple of hours.

With the new organization that I've been with for three and a half years, we spent seven months looking at other solutions out there; looking at Splunk, looking at ArcSight. We did a trial, we stood them up next to each other. Straight away it was fairly evident that the LogRhythm application itself, and the agent roll-out, was straight out of the box. Like I said, it needs feeding, watering every day, but in terms of being able to take the box, put it into your datacenter, get it up and running, they're definitely light years ahead of the competition.

In terms of the criteria for selecting a vendor, it always comes down to cost.

And usability. I like to make sure that my analysts are hands-on when we look at these tools. What's the interface like? How easy is it to use? What's the after-sales like? What's their tech support like? These are all things we need to look at. 

Also, which operating systems do the agents run on? Can you integrate into all the hardware that you've got? What syslog feeds can it take? Can it take SNMP as well?

If colleagues were looking to purchase a similar solution, the guidance that I'd give them is make sure that they draw out what they're looking to get from the solution. Make sure they have an inventory of hosts. Don't go all out, don't put everything on at once. As they said, don't try to boil the ocean at once. What are your critical hosts? Feed that information in first. Build case studies. What do you want to get from it, what are you looking for? And then work your way through it.

What I've done in the past is I've asked them to come over to our office and take a look at our implementation. I'm happy to share that information with others. I'm able to give them some case studies on what we've found with the Windows operating systems and some of the other hardware out there.

We're using LogRhythm NextGen SIEM only for a few databases. Members keep their data on our FTP server, and we monitor firewalls, endpoint management solutions, and some critical endpoints.

LogRhythm NextGen SIEM has improved the organization through the alarm system my team has configured. The alarm system is key to looking after all the hardware and endpoints.

What I found most valuable in LogRhythm NextGen SIEM is that it's user-friendly. I also like its dashboard, which shows all the logs and information I want to see.

One area for improvement in LogRhythm NextGen SIEM is that it's a Windows-based tool, and I feel it should be on the Linux operating system instead.

Another area for improvement in the tool is the UI. There should be minor changes in the UI to make it better, though I like the dashboards in LogRhythm NextGen SIEM.

I've been using LogRhythm NextGen SIEM for one month now.

LogRhythm NextGen SIEM is a stable tool. I didn't find any instability in it.

LogRhythm NextGen SIEM is a scalable tool. Scalability is one of the reasons why my organization uses it.

When I joined the company, a ticket was previously opened with the LogRhythm NextGen SIEM technical support team. Though I didn't directly connect with support, I have information that the problem was resolved and that the support team was very cooperative and very technical in solving the problem.

Though I didn't configure LogRhythm NextGen SIEM as it was pre-configured when I joined the company, any solution won't be difficult to implement, as long as you have an understanding and knowledge of the product or tool. I was an implementer once.

Senior management is in charge of purchasing the license for LogRhythm NextGen SIEM, so I have no information on how much it costs.

I worked on McAfee SIEM for six months, but that was when I was part of another team. If you compare McAfee SIEM with LogRhythm NextGen SIEM, I prefer LogRhythm NextGen SIEM because it's a user-friendly tool. It's also very easy to configure. The dashboards in LogRhythm NextGen SIEM are also very simple and very informative, and I've configured them to better understand what's happening in the organization. You can also create an alarm system in LogRhythm NextGen SIEM, that's very helpful.

I also evaluated IBM QRadar, and I found IBM QRadar to be a better tool than LogRhythm NextGen SIEM.

I work in the enterprise security department or the SOC, and I just have to deal with the logs. The tool being used within the organization for log management is LogRhythm NextGen SIEM, particularly the N-1 version.

My organization uses the on-premise version of the tool, and it's been applied to the data center.

I belong to a very small organization with a data center that has sixty people using LogRhythm NextGen SIEM. In terms of maintenance, the tool isn't difficult to maintain.

The only advice I have for anyone who'd like to start using LogRhythm NextGen SIEM is that it's a very good tool, with good features and functions.

My rating for LogRhythm NextGen SIEM is seven out of ten. I didn't give it a ten because it's Windows-based, plus I also don't like its UI that much. LogRhythm NextGen SIEM is also not as good as IBM QRadar.

My primary use case is for log retention. I've been using it for analysis, and to troubleshoot potential issues on my network and infrastructure. To find out what I have in my network that may be causing problems.

We can sit and see what's going on, as well as to be able to see errors as they populate immediately since spending time looking at logs is ridiculous, trying to put all that in place.

We will be using the playbooks in the future as we get everything implemented and put in place. The idea is it's going to help automate a lot of what we're doing and make it more efficient, as well as be able to preempt, potentially, a lot of other errors.

The most valuable feature has just been the log reporting. Within three hours of installation of LogRhythm, we were pulling error reports that actually indicated we had a switch about to fail. It saved us about ten thousand dollars of a potential failed switch.

We are ramping up the analysis and the analytics part of the LogRhythm. We're in the process of building a lot of that. We're trying to build out as clean as possible, so what we have in place is a lot of the intrusion detection and basic PCI compliance.

For me it would be the efficiency and signing up and standing up systems, as well as a little bit cleaner on case management. That can be a little bit complicated to go through and actually be able to analyze it and compile the information that I have. At least that's what I've found so far. Those would be the two biggest things.

Stability thus far has been really good. We've had it up for about six months and I've had no failure points with it. Little bugs here and there, but that's expected as you're working through and getting everything stood up. But it's been pretty stable and pretty rock-solid.

I'm probably gonna be around seven hundred and fifty sources that I'm using right now. Somewhere in that realm. It's been robust enough to handle everything that we've been putting through it. I have about 150 to 200 more that I need to stand into it, but it's been pretty stable there.

The times I've used tech support, it's been really efficient. I've gotten responses usually within 24 hours.

The initial setup was actually me and the technician. I did 90% of the installation myself and he basically came on board and verified everything I did and gave me some pointers as I went through.

Installation was incredibly straightforward. I was able to get it set up. I said, I stood it up on my own about ninety percent of the way, without any input from anybody else and just the final pieces of staging was done with somebody else.

We needed to set up a new solution based on our company requirements that were being ruled out. We needed to step-up and add something. When I came on with the company, I wanted to add-on a SIEM solution immediately, I just got the funding and benefit because the company said we had to. There wasn't anything in place before hand. So it was just very much me saying this is what we need and this is how we need to roll it out. Through my research is where I fell back on to LogRhythm.

The most important criteria on a vendor is ease of use. Since I have a small team, it's pretty much me running everything, so I need to make sure that I am able to do it efficiently and be able to pass it off to somebody when I need to be able to hand it off to do. Next piece is what it can provide and the amount of tools they can provide to me in a very short order.

My short list for SIEM solutions would have been Splunk. Also looked at Spiceworks, SolarWinds, and a few other smaller ones out there. But basically Splunk and LogRhythm are my primary two.

My security program was non-existent when I started, so this was basically one of the first implementations that I did to step-up my security implementation. Before this there really wasn't anything to work with. So it's slowly building its maturity through LogRhythm and a couple of other sources.

I would rate this product an eight out of ten, just because there's always room for improvement and there's always room we can work on. So there's always benefits, but it's been really good with what we needed and it's been very stable for our implementation.

My advice to somebody who's looking to stand-up a SIEM solution is to do your research, look at the white papers, look at their documentation they have available on how other people have responded and how many people have stood it up on their own. Get this information and then start playing with it before you start doing implementation. Gives you a lot of foundation and makes the implementation part a lot easier.

We didn't have a main logging system, so it's really nice to have that now, and in place. We are collecting all our logs from all the servers, routers, and its really helpful, and it's a great product to have.

Right now I really like the dashboard, and being able to view it easily, and to just have all the data right there available for me.

I think the dashboard could definitely have more features. I've seen some of their roadmaps that they're going towards. I really like it.

One of the features that I actually put in a request for was, they have the ability to build this great case and have it all ready. But you can't export it, right now on my specific 7.2 product, you can't export it from there. So, I can't have a nice PDF to give to a CEO, or give to legal, or wherever it needs to go to further their investigation. That's definitely a product that their actually going to come out really soon with.

The stability is pretty good. We haven't really had any problems with it. I think in our deployments, we had about 25 monitoring agents. One of the agents did start acting kind of funky, so I just called up support. I said, "Hey, we can't get this agent to work properly." They helped us out right there that same day. We actually updated that specific agent, and its been working ever since.

We're a fairly new customer to the product so we haven't had to meet problems like that with it. But we do plan to scale it fairly soon, so we'll see.

It's been pretty good. After the deployment, I really haven't had to call them. They have a pretty nice knowledge base, and their user guide pretty much explains everything you really need to get done. 

There are some issues that I had with Forcepoint, and getting it to work properly with LogRhythm, but that was more on the Forcepoint side of the problem than LogRhythm.

It was due to compliance that they decided to get a product.

I actually was hired within the last five months. I showed up, and they said, "Hey, you're going to get to deploy this." I said, "Sounds great."

Deployment was fairly easy. They gave us some prerequisites that they needed us to have ready for them, so we went ahead and got those all ready, went through change management, got everything approved. 

They needed to have - if you want it to collect logs remotely - a service account created, you needed to have specific ports already open, to make sure that everything communicates properly.

We went ahead and had everything set up. We got the support call because we got the DMX appliance. The day came, we got it all set up, it was fairly simple. The support agent walked us through everything we needed to do. He showed us tips, and tricks, and best practices for specific situations. He did training at the same time as we were deploying. It was a fairly simple, easy process.

It's one of the top 10 SIEM solutions. What I really like about LogRhythm is that they're always innovating, new ideas. They're consistently trying to improve. I think that's really great about them. 

More of the AIE drill-down notifications. I don't have to customize a lot of stuff. I'm more of an advocate for LogRhythm dashboards for my company, to make sure that other teams utilize what I'm bringing into LogRhythm. Use it for their operations, use it for their alarms and so on.

For my situation, besides the investigation that LogRhythm offers, it's the AI Engine rule set that it offers. It has brought us more significant changes in how we alarm and notify our users about what's going on in our network. It's not just one specific log, it's the correlation of multiple logs on different log sources.

More features that I would like to see more development in are the automation and the smart response. A lot of the attendees here at the LogRhythm User conference are working towards that, and most of us are not even developers. But we're trying to figure what are the skill sets and how do we make sure that LogRhythm gets more intuitive in automating and responding to alarms and notifications that we get.

The stability is pretty much straightforward. I know the product has grown very big and it has tried to cover a lot more features, it has brought more features, and I was surprised that I've seen a lot more features coming out in version 7.3.

I'm at that point where we're investigating getting a new box, looking at other options. I'm at that point that my box has reached its maturity and I need to replace it, probably next year. We're in the process of working that out with our sales engineer.

There are multiple use cases for the solution, such as long log formatting, log consolidation, data isolation, malware detection, identifying suspicious attacks, and locating ISU records across the network.

The GUI is very intuitive and the solution has good integration.

The built-in functionality of the solution for NDR, SOAR, SIEM, and EDS has room for improvement.

The price of the solution has room for improvement.

I have been using the solution for ten years.

The solution is stable.

I give the scalability an eight out of ten.

The technical support is good.

The initial setup is straightforward.

I give the price a six out of ten.

I give the solution an eight out of ten.

The solution can meet the most mature customer's requirements.

Its primary use cases are log aggregation, security information, and event management correlation.

All of our clients use different versions across the board. In terms of deployment, some use it on-prem, and some use it in the cloud. It is all over the place.

As a SIEM, probably the best feature is that it can be tuned effectively. There are very few SIEMs out there that can be effectively tuned to provide you with meaningful information and not be overwhelmed. It has the capability to do that, but it probably takes a little more time to do that. 

It should be improved for automated setup and auto-configuration. There should be ease of integration and ease of setup.

I have probably been using it since it has been around.

It is stable.

It is scalable.

They provide very good support.

It takes a little more time to get operationalized, but I haven't personally set it up. I'm only taking feedback from my customers when they say they've gone through the steps and the process of setting it up.

It is a very cost-effective solution.

Don't do it without managed services, but I would say that for any SIEM. In SIEM technology, the setup and maintenance side is different from the monitoring and alerting side. I recommend all of our customers to always go with a managed service provider to take care of the monitoring and alerting side, or at the very least, to fill in for off hours because you only have so many people on your staff. Small and medium-sized customers are our bread and butter, and most of our customers don't have the staffing for this. 

If you don't have the expertise to set it up, manage it, or the time to learn it, a managed service can help you get it set up. For most SIEMs, LogRhythm included, for the first six months, you probably need one to one half of an FTE for doing the setup, getting it operationalized, and doing all the tuning. You're going to need one-quarter of an FTE for ongoing operations, maintenance, and support. That doesn't include monitoring of alerts and the response to the alerts. If you've got it well tuned, you don't need a lot of staff to do the monitoring and the alerting during the regular daytime hours. That's where having a managed service provider during off hours and weekends is handy. It is beneficial to have a managed service to do the operational work for maintenance.

It is good, but there is room for improvement. There are plenty of solutions on the market that do a lot of what it does. It is not a huge product differentiator or market differentiator.

I would rate it an eight out of ten.