ArcSight Logger Reviews

We focus mainly on the enterprise market where the customers have the requirement for log management and compliance. And most of the time we propose ESM along with the logger for SIEM requirements.

We have multiple Logger customers here in Sri Lanka where we've implemented and maintained solutions for them.

Various log collecting methods helps customers to route logs from almost every application or device.In terms of ArcSight Logger's most valuable feature, it is their scalability and flexible log collecting options. ArcSight's real advantage is its scalability because they have two layers, Logger layer and correlation layer. So customers may benefit from this when it comes to licensing and designing. For example, let's say the customer wants to only have a logger requirement, they have the flexibility to only use the logger layer, instead of suggesting all the other layers. I don't see this kind of flexibility in other vendors.

A concern is that after their merger with Micro Focus I have some doubts. I don't see much development of the road map on ArcSight itself. The reason why I'm saying this is because we had a situation here in Sri Lanka which concerned us, where Arcsight suddenly decided to discontinue IBM as installation platform for the connectors. So in case of the road map and the technical improvements, I see the direction has changed somehow and now the customers and the distributors who are trying to implement it don't have as much visibility about the direction.

Arcsight should focus on inbuilt features like SOAR and UBEA features.

I have been working with ArcSight Logger for about two years.

The platform is very stable. We haven't experienced any unexpected failures at any circumstances.

As I mentioned, their scalability is one of their most valuable features.

I would rate the technical support only 5 out of 10. The technical support is not satisfactory. I think there is a lack of expertise when it comes to support . This appears to after merging with Micro Focus.

Log collection may seems tricky but if you have fundamental understanding about the product it's straight forward.

We implement arcsight solution for the customers. We posses skill set for the implementation.

We focus mainly on the enterprise market where the customers have the requirement for log management and SIEM. We have multiple Logger customers here in Sri Lanka where we've implemented and maintained solutions for them. We see that those customers has compliance, security in depth and log management as their main ROI drivers.

We have an annual subscription license. I'd say the pricing is okay.

I would advise anyone looking to implement this solution to have a good understanding of your infrastructure and to verify your architecture. You should be able to get an idea of their road map for the next five years to just verify what sort of effect it will be making on your system.

On a scale of one to ten, I would rate it an eight.

Data correlation, which unfortunately only comes with an ESM module, is the most valuable feature for us.

We have issues with connecting standard HP network devices as they appear to not be supported by HP ArcSight. One company/product is not aligned and apparently it is expected that all the network data is in CEF format, which is impossible for the HP network sources to deliver. Instead, HP ArcSight should be able to handle any file format.

We are still currently implementing it.

There were no issues deploying it.

We have had no stability issues.

There have been no issues scaling it.

I'd rate technical support a 7/10.

There was no previous solution in place.

It's complex for several reasons -

• Targeting and logic of systems
• Bandwidth dependencies
• Data privacy
• Location
• FW settings
• File formats

We're using a vendor team.

It is very expensive for what it delivers. Licensing is set at 80 servers, just enough to catch the most important ones.

We use the on-premise version of ArcSight Logger.

In our country we are a little bit private in terms of solutions, so we are just starting to use the basic data capture. Now some users can start to use additional features that come with Micro Focus ArcSight like user behavior analytics for investigating.

I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more more competency or appeal to use. We hope Micro Focus is trying to resolve this.

A lot of people that compare this solution with QRadar or McAfee say that the other products in the market are more easier to use than ArcSight. After customers do the training to see how they can use it, they change their minds a little bit, but it still seems that Micro Focus should take some time to reduce the complexity in using Arcsight.

ArcSight should give each customer more visibility or a more useful presentation on the web product. There are a lot of customers that want to use the product in the web, especially to use the dashboard, but the dashboard is not so beautiful.

It has worked fine until now for whatever I needed. Sometimes an issue can occur when a client wants to upgrade the software to a major version. For the most part though, it is very stable.

Well before the last version I think it was a little bit difficult, but now with the new version that is integrated with the ESM it's little bit more efficient.

That is one of the bad things with Micro Focus. They are not so reactive and sometimes it takes more time to address the issue. There are many tickets that have not been resolved yet. We hope that Mirco Focus will be more reactive than they are at the moment.

The deployment doesn't take much time for the standard setup, but it can take more time when we need to integrate the device with the system. Sometimes we have found that we are not supported naturally and must do some tuning to integrate it. That can take some more time, but setup of the initial system does not taking more time. It's easy for me now to do this setup. I remember during my first year it took a little bit more time, but that's normal. It's easier to deploy the product in the basic standard, but in the complex module, it takes a little bit more time.

ArcSight Logger is very expensive compared to their competitors, but when we talk to the customer and explain what the features are and how we can scale, they understand. Still, ArcSight is more expensive than the competition.

I would rate this solution as ten out of ten.

Whenever I talk about the product I tell the user to start easy, not to take the whole package and to try to use it quickly. Start with the basics, then you can ramp up fluidly. Sometimes the client or customer wants to take it urgently so at that moment it will be more difficult to use. I prefer to take the product step by step.

We are a service provider and this solution is deployed on-premises for some of our customers. It is primarily used for firewall and Windows events. 

The most valuable feature is the level of detail that you can see about certain events, even when they do not come up in the console.

The searching is very good, where you can search for the larger part of the event.

I would like to see better scheduling in the next release of this solution.

It would improve the solution if some of the features available in the console were implemented within the search. More things can be done in the console, while the logger is restricted to just a few of them.

The stability of this solution is fine, so far.

When you export a large number of events then it gets slower.

We have about fifty users for this solution. We do not yet have plans to increase usage.

Technical support for this solution has definitely been helpful.

We evaluated Splunk and IBM QRadar before choosing this solution.

The first time you set up this solution it is a little bit complex. But when you try it again and you know where the errors are, it is much more comfortable.

We have four administrators who maintain this solution.

We deployed this solution ourselves.

We did not use another solution prior to this one, although we have upgraded versions.

This is a solution that is straightforward and easy to use. It is user-friendly and not complex.

I would rate this solution an eight out of ten.

We use the on-premise deployment model. Our primary use case is for monitoring. 

In the next release, I want to see more intelligence. 

We haven't had any crashes or bugs. It is stable.

Their technical support is good. 

We have a support group that helps with this. The setup isn't easy. The deployment took a month. 

I would rate it an eight out of ten. 

• Real-time correlation
• Long-term log storage

It benefits the organization by identifying the threats ranging from the most basic ones to many advanced ones. Any of these threats could have a negative impact on business, so it's important that ArcSight Logger can identify all of them.

I wouldn’t mind adding a few features such as grouping of events based on the “name”, “source address”, etc. in real-time rather than requiring the running of reports every time. A few competitors allow this functionality already.

I've been using it for four years.

There have been no issues deploying it.

It's highly stable and we haven't had any issues with instability.

The solution is designed to be easily scalable depending on different organizations and their existing expansions.

The level of technical support is intermediate. Although they're helpful and polite, they don't help with emergency situations. However, the global ArcSight community is sufficient for the resolution of most critical errors.

It provides the level of flexibility and options specially to define custom use-case scenarios like no other SIEM tool, though I have experience with only one other.

The initial setup was a bit complicated to follow since there are many different components present within it. However, the complexity once learned adds a level of flexibility that you can play with.

We did it through a vendor team. Proper planning in place ensures smooth execution.

Plan, implement, explore and protect.

The most valuable features for us are the out-of-the-box device support capability and multi-tenancy maturity compared to other SIEM OEMs.

For example, it has helped us and the organization with a maturity level in the SIEM market to reach greater heights and compete with other organizations. We have an edge in the market with this product.

ArcSight Logger needs to improve in the area of threat analytics as security is vitally important to us. It also needs to provide some "upper-hand" features on some functionalities, as they're somewhat no so easy to use.

I've used it for four-and-a-half years myself, and it's been around 12 years of use by the organization.

We had no issues with the deployment.

HP needs to work on the stability as it is mostly dependent on Java and there are console-related issues.

We have had no issues scaling it for our needs.

I would rate technical support as good but not the best when compared to a few years prior. The level of support seems to have decreased lately.

Our first SIEM product is this. We chose it because it's a major player in the SIEM technology market and it's mature, even as it's in the earlier stages.

I would say the initial versions of ArcSight components were pretty complex. For example, consider ESM, for which we had to install the manager and database separately and there were major issues with it on the archiving, and also the database management was pretty tough. But over a period of time, they improved drastically when the CORR-E came into the market.

We have our own in-house SIEM administration and implementation team which handles all the activities for multiple customers.

For licensing, I would say ArcSight beats all the vendors in the market in complexity.

I would definitely say to go with this product as it's the best in the market, but before opting for this product your perform solution-sizing because otherwise you might end up digging your own grave in fixing it.