ArcSight Logger Reviews

The functionalities of this particular server is absolutely phenomenal. The server has the ability to provide in-depth, real-time awareness of all actives on the network.

The platform also gives the administrators the ability to turn off some of the options displayed in case they don't need to see those specific sections.

The ability to query anything at any time using any specific field required, and the ability to automate the logger storage capabilities are great features.

Before the logger was installed on our network, we were very limited as to what type of information we could get back from our previous logger because the old one didn't have as many functionalities.

With ArcSight Logger, our ability to have a more in-depth look into the network traffic and the ability to save the reports for a set amount of time was a huge improvement.

The only thing I did not particularly like about the product was its speed on the web interface. It took very long for it to populate and perform the queries.

I used this product as a network administrator for two years.

The installation of the server and its agents on the network devices went extremely smoothly. The only issue we had was finding the correct agents to install on our older UNIX-based servers for which we had to contact HP to get information on how to go about acquiring the correct agents.

We have had no issues with the stability.

We had no issues scaling it for our needs.

We never actually had to call customer support because of the technical forums available to all ArcSight users who could share information and help troubleshoot in case anything was wrong or unclear about how to set up and use the system.

We were using a different product for our monitoring and logging services. The reason why we chose to switch over was the in-depth analysis capabilities provided by HP ArcSight which were not previously available to us.

Initially, we had some trouble finding the right agents to install on our servers since we were using some proprietary software on the network, but after we got past that step, everything else was pretty straightforward.

We had one agent come out to our office to assist us with the implementation.

Start using the available resources by registering your product immediately after deploying the unit and contributing to the ArcSight community.

Also, once you decide to go with ArcSight, make sure you go with the complete solution recommended by HP based on the size of your network because that could potentially cause the ArcSight server to perform extremely slow.

Several features are valuable to us, including --

• Log management in general
• Security options
• Integration with ArcSight SIEM as it uses the same connectors
• Simple GUI
• Powerful searching and reporting tools

Although I unfortunately can't comment on specific usage within my company, we have seen improvements from the use of ArcSight Logger and the many features that are valuable to us.

SmartConnector vendor support will always be a battle, but most major vendors and products seem to be supported.

Clicking on a log source on the main page should not pull all stored logs as this is too slow and way excessive. It should default to a recent and smaller sample.

My deployment is on Red Hat though which seems pretty speedy, so I am unsure for more Windows-based deploys.

We have had no issues with stability.

From what I can see, it scales well. It does require a pretty hefty baseline, but the more system resources you give it, the better it seems to perform.

HP support has been fairly impressive. Shifting personnel causes a bit of disruption in deployment tasks, but they seem to compensate for shifts pretty well.

For main components, HP SE’s seem eager to help. The way documentation is organized on their site could definitely use some work though. Documentation exists, and it’s generally pretty solid, but most times, asking an HP SE directly to email it to you tends to be much easier than searching for it yourself.

Implementation of anything this size and scope in a large company requires a lot of work. So getting outside assistance or additional staffing for deployment and support is recommended.

Splunk is definitely a direct competitor and equally powerful. Logger seems to have a better interface in my opinion. Also, if your company is already using ArcSight, it makes sense to go with Logger as it utilizes the same SmartConnectors for log parsing/forwarding.

I think where Logger shines is usability. Splunk is a beast unto itself and people build careers on it. Not to knock it too much, as it is a very powerful product. But the appeal of Logger is it makes log management accessible and usable to any IT/systems/networking employee or user to be able to make sense and use it while not having to become a guru of a specific log management system to use it to it’s fullest extent.

Data correlation, which unfortunately only comes with an ESM module, is the most valuable feature for us.

We have issues with connecting standard HP network devices as they appear to not be supported by HP ArcSight. One company/product is not aligned and apparently it is expected that all the network data is in CEF format, which is impossible for the HP network sources to deliver. Instead, HP ArcSight should be able to handle any file format.

We are still currently implementing it.

There were no issues deploying it.

We have had no stability issues.

There have been no issues scaling it.

I'd rate technical support a 7/10.

There was no previous solution in place.

It's complex for several reasons -

• Targeting and logic of systems
• Bandwidth dependencies
• Data privacy
• Location
• FW settings
• File formats

We're using a vendor team.

It is very expensive for what it delivers. Licensing is set at 80 servers, just enough to catch the most important ones.

• Real-time correlation
• Long-term log storage

It benefits the organization by identifying the threats ranging from the most basic ones to many advanced ones. Any of these threats could have a negative impact on business, so it's important that ArcSight Logger can identify all of them.

I wouldn’t mind adding a few features such as grouping of events based on the “name”, “source address”, etc. in real-time rather than requiring the running of reports every time. A few competitors allow this functionality already.

I've been using it for four years.

There have been no issues deploying it.

It's highly stable and we haven't had any issues with instability.

The solution is designed to be easily scalable depending on different organizations and their existing expansions.

The level of technical support is intermediate. Although they're helpful and polite, they don't help with emergency situations. However, the global ArcSight community is sufficient for the resolution of most critical errors.

It provides the level of flexibility and options specially to define custom use-case scenarios like no other SIEM tool, though I have experience with only one other.

The initial setup was a bit complicated to follow since there are many different components present within it. However, the complexity once learned adds a level of flexibility that you can play with.

We did it through a vendor team. Proper planning in place ensures smooth execution.

Plan, implement, explore and protect.

The most valuable features for us are the out-of-the-box device support capability and multi-tenancy maturity compared to other SIEM OEMs.

For example, it has helped us and the organization with a maturity level in the SIEM market to reach greater heights and compete with other organizations. We have an edge in the market with this product.

ArcSight Logger needs to improve in the area of threat analytics as security is vitally important to us. It also needs to provide some "upper-hand" features on some functionalities, as they're somewhat no so easy to use.

I've used it for four-and-a-half years myself, and it's been around 12 years of use by the organization.

We had no issues with the deployment.

HP needs to work on the stability as it is mostly dependent on Java and there are console-related issues.

We have had no issues scaling it for our needs.

I would rate technical support as good but not the best when compared to a few years prior. The level of support seems to have decreased lately.

Our first SIEM product is this. We chose it because it's a major player in the SIEM technology market and it's mature, even as it's in the earlier stages.

I would say the initial versions of ArcSight components were pretty complex. For example, consider ESM, for which we had to install the manager and database separately and there were major issues with it on the archiving, and also the database management was pretty tough. But over a period of time, they improved drastically when the CORR-E came into the market.

We have our own in-house SIEM administration and implementation team which handles all the activities for multiple customers.

For licensing, I would say ArcSight beats all the vendors in the market in complexity.

I would definitely say to go with this product as it's the best in the market, but before opting for this product your perform solution-sizing because otherwise you might end up digging your own grave in fixing it.

It has excellent query syntax and response. Complex queries of large volumes of data generally take seconds if not minutes.

ArcSight has improved incident response from days to minutes. It also offered ancillary non-security troubleshooting features, which were surprise benefits to teams such as network and operations.

I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.

We've been using it for two years.

We had no issues with the deployment.

We have had no stability issues.

The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance. The issue was self-inflicted as we discovered more use cases when adding new logs and log types.

Technical support is excellent. In fact, that was one of the best "features" of the implementation. I never had to wait to reach specialist help, and all engineers that I spoke with were highly technical and were pleasant.

I previously used a significant RSA Envision installation that had extremely poor performance with complex queries. It was routine to wait an hour or more for a more complex query. HP ArcSight was introduced by a CISO with previous experience at a previous employer and the improvement was immediately obvious. It was a wise decision that I took with me to my next organization.

It can be difficult to set up connectors to ingest and normalize different log types initially.

I would recommend HP professional services for starting up. I used that approach and was able to glean enough through knowledge transfer to hit the ground running from day one in production.

Security makes it difficult to quantify ROI, but I can say that we were able to complete incident response in minutes where the same had taken hours or days.

In terms of pricing, size appropriately, and realistically up front. That said, the product architecture is scalable as needs grow.

ArcSight has a Google-like query syntax with boolean-style operands. That said, there is also a GUI to craft queries. I'd recommend learning the GUI as this is the same GUI used in HP's ESM product, the engine that can correlate disparate log events and turn incident response from reactive to proactive alerting. Getting a head start on learning that syntax would help ease into the highly-recommended ESM or ESM Express products.

• Log collecting
• Big Data analytics
• Security analytics

This product was used to help us get PCI compliant. Its automated functions made it easier so we could concentrate more on real issues instead of standard log collecting and alerting issues.

With the connectors, there were some legacy devices that had some problems since support was dropped for those.

We've been using it for four years alongside ArcSight Express.

We had no issues with the deployment.

The stability of the system was good except when we had a DDoS attack, when we lost some functions for a short time.

Scalability is good if your need is high enough, but for smaller cases it isn't so good.

Customer service was very helpful.

Technical support is at a good level.

We used an older version that was going to be replaced.

The initial setup was complex, but that was mainly because of customer security reasons.

We used a subcontractor for the first part of the installation, and finished it off in-house.

We had some big licensing issues when there was a DDoS attack. The attack caused a huge amount of extra activity, so it would be nice to have an "emergency level" of licenses when there are these kinds of issues.

I would recommend, from a security point of view, calculating licensing limits according to what incidents could happen and then get 5-10% more licences on top of that.

We did an evaluation of major vendors and HP was fastest for us to get in and use.

Overall, it is a good system for what we use it for, but some licensing parts are really annoying.

As always, a pre-calculation and pre-planning will help a lot, and compare it to three to four other vendors. Changes on the system that is running are a bit harder to do., in our case this, of course, might be an issue of our customers strict security requirements.

• Scalability of the smart connectors
• Ease of storing billions of events without special storage needs
• Great compression rates

First of all, the collection of a mass of events is a challenge for enterprise companies. You need a great deal of storage and how you collect them is an issue. The smart connectors and great compression rates of ArcSight helped us a lot.

The other thing is to be able to be competitive as you need to show that you need a logging system that complies to the laws in your country and company policy so that you can continue to do your business. With ArcSight, we easily pass the requirements of the external audits our clients require.

I would say that the consolidation should be done only by using ArcSight. We need to use the ESM module to create complex rules and reports as we can only do limited reports with ArcSight.

We've used it for about two years.

The main problem is how to collect logs from various resources.

The smart connectors are very stable.

We've had no issues scaling it for our needs.

Since we work with partners, I can't say too much. However, for every company on this planet there is always room for improvement in the level of support.

This was the first solution we've used, and I believe it will be the last solution we need.

We used an appliance, so the setup was very easy. But I must say that even if you use an open server, it is not complex to deploy this product.

We worked with a partner for the implementation.

It is really hard to measure ROI financially, but there are some important things to say. First of all, since it's easy to use, our operational time has decreased so that we as technical staff have much more time to spend on other issues. Since we collect all of the logs, we can investigate fraud and find their sources. We can also find the causes of system outages.

It works fast and you can collect just about everything. The only drawback is that without ESM, you are limited. The most important thing is the scalability of the product and its ease of use. Companies like us need some specific connectors, and smart connectors give us a very scalable solution. Also, even though we have billions of events, it is really fast in finding the logs we need. That makes this solution amazing.