Senior Info Security Specialist at a hospitality company
Ease of use leads to meaningful information from the start, but learning advanced features is difficult
What is most valuable?
It's the ease of use, right off the bat. You can type in certain applications to bring up, and it brings up graphs; it's meaningful information off the bat with a very low level of entry. Then, as you get more comfortable, you can get more advanced, more granular. But it's probably the ease of entry into it that is one of the key features so far.
How has it helped my organization?
With other solutions it's a lot of care and feeding to keep it going, making sure that your alarms and use cases are built out. With the Network Monitor it's pulling packets right off the network and doing that deep packet analytics. You're able to look right off the wire and get a true picture of what's going on. "Did this person send out an email? Did this person go to this website? Is this application running on our network in these certain areas?" You can get a very granular look.
It provides data in a user-friendly interface that I can pull off and get to management.
It does packet captures as well, so if I really wanted to dig into it I could pull those down. I could run those through other tools as well.
You can really really dig into it with some other packet-analysis tools we have. But just having it there, it's incredibly smart, incredibly easy to use, and the breadth of information we get off it is really good for investigations for us.
What needs improvement?
It's just finding the knowledge and figuring out how to apply it. The platform itself is good, but the breadth of capabilities that it has is difficult, and not always super-well communicated between LogRhythm and us.
We were using it for certain things and, as time went on, we brought in different tools to meet certain capabilities. Then after researching, "Oh, LogRhythm does this too."
It's that communication between LogRhythm and us, just letting us know - maybe it's a little bit on us as well - what the capabilities are and how we can leverage it and make the most of our investment.
Things like this LogRhythm User Conference are really great, to know where they're going, and what we actually have.
For how long have I used the solution?
I've only been in the department about two years. I think we have had it for about four or five years at this point.
Buyer's Guide
LogRhythm NetMon
June 2025

Learn what your peers think about LogRhythm NetMon. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.
What do I think about the stability of the solution?
No issues since we upgraded. Previously, it was typically every Monday that I was coming in - it would die over the weekend - and I would spend a day cleaning up databases. That was LogRhythm 6.3.
Now we're on v7.25. Since that upgrade, searches are a lot quicker. The stability, the way they split it up now with the data processors and the data indexers with the new platform, it's been fantastic.
The Network Monitor itself, I haven't had any problems with it. We're capturing rolling PCAPs, and we have about a month and a half of PCAPs from our different environments right now. Stability is quite good.
What do I think about the scalability of the solution?
Regarding scalability, I think it's more just getting time to spend in LogRhythm. We're not a huge security shop, so it's getting the time to dig into it and really figure out how we're going to build it out and learning the functionalities that exist, that we can leverage.
A lot of the time you end up getting a product, standing it up for one use case, and that's what it gets pigeon-holed as, when really there are 100 other capabilities you can use there.
How are customer service and support?
We've never had any problems. We have a few different platforms we run, for vulnerability management and the like. LogRhythm's support is always, compared to the other vendors that we use, it's always same-day, next-day. Whereas other vendors, after a week, two weeks, you have to follow up.
LogRhythm support has really been "Johnny on the spot." I write to the other guys who manage the other systems and I'll say, "I put the ticket in today and it was solved the next day," and he's been waiting two weeks and following up with them and really hounding them. I've never had to do that.
Very good support.
Which other solutions did I evaluate?
We're upgrading from the old version to the new version. Then I did some research on the Network Monitor box and saw some potential there for use cases. I sold it to my management and showed them what we could do with the Freemium version first.
From there, once I showed the use case and the value there, we were able to move forward and purchase the nice big appliance.
Because we're government, if it's existing we can do the upgrade process, but if we wanted to switch vendors it's more of a RFP process, very arduous and long. We knew we wanted to stick with LogRhythm, but there was an opportunity for us to look at new use cases and new capabilities that we spin up.
What other advice do I have?
We're Palo Alto for a lot of our Edge stuff. We run Cisco. Palo Alto on endpoints for their Traps, McAfee on some others. It's fairly distributed as well. We run all the casinos in British Columbia; they're distributed all around the province, and we run all of those and they're all reporting back to us. We also run the lottery point-of-sale systems as well. You go into a gas station, there's a lottery terminal there you can buy your ticket from. We manage all those as well. Those are all wireless. A ton of stuff. Very, very large.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
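The review above describes pulling rolling PCAPs off the NetMon appliance and running them through other packet-analysis tools to answer questions like "did this person go to this website?". The following is an added example, not part of the review and not LogRhythm's software: a standard-library Python parser that walks a classic libpcap file and extracts DNS question names and HTTP request lines with their Host header, the two facts an investigator most often wants from a raw capture. The capture it reads is constructed inline (addresses, MACs, hostnames and the SMB filler frame are all made up), so it runs offline; a real export would be passed as bytes in place of SAMPLE_PCAP. Note the things it deliberately does not handle: pcapng, nanosecond-resolution pcap, non-Ethernet link types, IPv6, and TLS (where the Host header is encrypted and only the SNI in the ClientHello would be visible).

```python
"""Walk a libpcap file and pull out 'who resolved / requested what' events.

Added example for this page, not LogRhythm code. Standard library only;
the capture below is constructed, with made-up addresses and names.
"""
import struct
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT")


# --- builders used only to construct the sample capture -------------------
def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header; checksum left 0 since the parser does not verify it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, _ip_bytes(src), _ip_bytes(dst)) + payload


def _tcp(sport, dport, payload):  # data offset 5 (20-byte header), PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _dns_query(name):  # one A question, no EDNS
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def _frame(ip_packet):  # Ethernet II with dummy MACs
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x00\x11\x22\x33\x44\x66"
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)


def build_pcap(frames, t0=1700000000):
    """libpcap global header (little-endian, Ethernet) followed by one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([  # constructed traffic from one workstation
    _frame(_ipv4("10.1.1.25", "10.1.1.2", PROTO_UDP, _udp(50000, 53, _dns_query("example.org")))),
    _frame(_ipv4("10.1.1.25", "93.184.216.34", PROTO_TCP,
                 _tcp(50001, 80, b"GET /login HTTP/1.1\r\nHost: example.org\r\n\r\n"))),
    _frame(_ipv4("10.1.1.25", "10.1.1.9", PROTO_TCP, _tcp(50002, 445, b"\xfeSMB not http"))),
])


# --- the parser ------------------------------------------------------------
def iter_packets(pcap):
    """Yield (utc_timestamp, frame_bytes) per record; handles both byte orders."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic libpcap file (pcapng / nanosecond variants not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc), pcap[off:off + incl_len]
        off += incl_len


def _dns_qname(dns):
    """First question name of a query (compression pointers do not occur there)."""
    labels, i = [], 12
    while i < len(dns) and dns[i]:
        n = dns[i]
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def extract_events(pcap):
    """Return DNS lookups and plaintext HTTP requests as dicts, in capture order."""
    events = []
    for ts, frame in iter_packets(pcap):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl, total, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:total]
        if proto == PROTO_TCP and len(l4) >= 20:
            data = l4[(l4[12] >> 4) * 4:]
            if data.split(b" ", 1)[0] in HTTP_METHODS:
                request, _, headers = data.partition(b"\r\n")
                host = next((h.split(b":", 1)[1].strip().decode() for h in headers.split(b"\r\n")
                             if h.lower().startswith(b"host:")), "?")
                method, path = request.split()[:2]
                events.append({"ts": ts, "src": src, "dst": dst, "kind": "http",
                               "detail": f"{method.decode()} http://{host}{path.decode()}"})
        elif proto == PROTO_UDP and len(l4) >= 20 and struct.unpack("!H", l4[2:4])[0] == 53:
            events.append({"ts": ts, "src": src, "dst": dst, "kind": "dns",
                           "detail": _dns_qname(l4[8:])})
    return events


if __name__ == "__main__":
    for e in extract_events(SAMPLE_PCAP):
        print(e["ts"].isoformat(), e["src"], "->", e["dst"], e["kind"], e["detail"])
```

On the sample capture this yields two events (the DNS lookup and the HTTP GET); the SMB frame is skipped because its payload does not start with an HTTP method. Frames are bounded by the IP total-length field rather than the record length, so Ethernet padding on short frames is not mistaken for payload.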

Director Of Infrastructure at a government with 10,001+ employees
Log aggregation gives us all our logs in one place, we can get the analytics from a single dashboard
What is most valuable?
Definitely the log aggregation. We enjoy having all of our logs in one place, where we can get the analytics from a single dashboard. Really, that is the goal. That's why we purchased, really just to aggregate.
How has it helped my organization?
We're running a single XM appliance, LogRhythm side. We're just under 2000 events a second. Our entire stack is VMware ESXi. We're completely virtual. We have two datacenters, about 300 VMs. We're also aggregating logs from all of our network equipment. We have 200 remote sites that all push their logs back to our data center.
We're very young in our deployment, out six months. We have yet to really derive substantial benefit from it. What we've seen so far has been, when we see events we can go back and drill into it, and see the path, see the kill chain. But we haven't made it to the point where we have tuned our alarms, yet. I expect it to do all of these things, we just haven't made it there yet.
The goal is to protect our users, certainly. Our environment is set up much like a retail environment. The vast majority of my users interface directly with the public. Their computers or their devices exist in the wild, not behind my corporate firewall. The overriding goal is to protect that equipment, protect those users, and then of course protect myself from anything that would happen if one of those devices or users is compromised. The challenges are really the same. All of these devices exist in the wild. They're not behind my firewall; they are out on the open internet daily, on a regular basis. That is the biggest challenge, making sure that those devices are visible to us, and that we can collect data, collect logs from those devices.
Again, we're so young in our deployment, that the perception is that there is a lot of potential there. We know that we have a long way to go to tune it, to onboard all of the log sources. The impression so far is very, very good. We were sold on the product based on the fairly narrow use cases that the sales reps gave us. What we're seeing during our usage is that we can get there. Again, we're so young in the deployment that we haven't made it to that point yet. But we definitely see the potential, we're very excited about the potential.
What needs improvement?
This is one where we're so young that it's almost impossible for me to answer the question, because I haven't explored everything that's available today.
One thing that surprised me was the current version of LogRhythm does not natively support Windows 2016. We're diving in feet-first. We are deploying only Windows 2016 now. During the deployment, there was a lag time between the time that Windows 2016 became generally available, and when LogRhythm was going to support it. During this period we had to trick LogRhythm into believing that these 2016 machines were 2012 machines. That was a bit surprising because of all of the automatic updates that we get, the threat feeds, everything that LogRhythm puts into the system automatically. To not have support for a very, very big new release was a bit surprising.
For how long have I used the solution?
Six months.
What do I think about the scalability of the solution?
So far - and I hate to keep going back to the fact that we've only been doing it for a few months - but so far we've been very impressed with scalability. We have a single appliance, and we have several collectors that run against that appliance. We really love how easy it is to just add another collector. I have data sources, I have log sources that exist in my DR facility. I can stand up a collector in that facility, and then push it back across the wire, and it's very easy. It's a couple of clicks, done. We're very excited about, again, the potential for scalability without having to re-architect the entire solution.
How are customer service and technical support?
We haven't used them. We went with the partner that sold it to us.
Which solution did I use previously and why did I switch?
We did not have a SIEM solution previously.
Our CEO was phished several times. After the third time in a month that we had to go change his password, and counsel him again on not connecting to open WiFi, we realized that...
We have on-premise Active Directory that's federated against Office 365. We have three very different log sources. We have our local AD, we have our federation service that authenticates, and then we have Office that contains all of the logs. It was very, very difficult for us to follow that chain. Time stamps are slightly different. One's in this timezone, one's in that timezone. Really, it was born out of this frustration of: I need to figure out what happened. "What did he click on? Where was he? Where did he log in from?" to establish the chain of events. I just couldn't, because I didn't have one single repository to go to.
How was the initial setup?
Complex in the sense that I don't have much experience with SIEMs. We came from nothing. As an organization, we don't even have any experience behind the scenes. It felt very overwhelming, but the partner was able to lead us through it. From that perspective, having that person there leading us through it was relatively simple.
Which other solutions did I evaluate?
IBM's QRadar was there, and Splunk was the other.
What really sold us beyond everything that we've talked about, was the single pane of glass that LogRhythm gave us. Candidly, it was the Web UI Dashboard. The executive dashboard that I could put in front of my VP, I could put in front of my C-level to say, "Here. You can log into this, you can look at it. It gives you all of the high level rolled up information." That was incredibly difficult to come by with some of the other products.
What other advice do I have?
When selecting a vendor, for us the most important thing is the trust of their user base, really. We did a lot of due diligence when we were looking. Everything that we heard from LogRhythm's user base was that they love the product. They were very fanatical about it, that it could do so many things that really were time and effort on our part to implement. That was basically it. Everything was built-in. Really, it was more the user base. It was everything, all SIEMs do all things, and so it was more the support of the product. We knew the product would do what we wanted it to do, we were concerned about support, we were concerned about the way that the community reacted to it.
In terms of a solution being a unified end-to-end platform, it's not critical, but definitely important. We are a very small shop. We support a lot of people, but our IT staff is incredibly small. I think there are five of us and two in the security aspect. An end-to-end platform was important to us, simply because it was a single vendor at that point. I could go to a single source, "one throat to choke," as it were. It wasn't critical, but definitely it was high up on the list.
Honestly, that rating of eight out of 10 is because we haven't used it very long.
I would advise anyone looking at this or similar solutions to define your use cases very well. That is what is going to separate a LogRhythm from a QRadar, from a Splunk. Everything can collect data, but pulling the data back out of the system, analyzing that data is the critical component. Definitely define those use cases and present those to the sales reps, and see how they respond.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
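The review above gives the classic reason a small shop buys a SIEM: three sign-in sources (on-premise AD, the federation service, and Office 365) with different timestamp conventions, and no single place to rebuild the chain of events after a phished executive. The following is an added example, not the reviewer's work and not LogRhythm code, showing the minimum that has to happen before correlation is even possible: every timestamp is converted to timezone-aware UTC, the events are merged and sorted, and a simple failure-then-success rule runs over the merged timeline. The AD and AD FS line formats, the -08:00 offset assumed for the domain controller, and all the sample lines are constructed; the one real-world caveat baked in is that Office 365 audit-log CreationTime values are UTC but carry no offset suffix, so they must be tagged as UTC explicitly rather than treated as local time.

```python
"""Normalise AD, AD FS and Office 365 sign-in logs to UTC and rebuild the chain of events.

Added example for this page, not LogRhythm code. The AD and AD FS line formats,
the -08:00 DC offset and every sample line are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DC_LOCAL_TZ = timezone(timedelta(hours=-8))  # assumed: the DC writes local time with no offset


@dataclass(order=True)
class Event:
    ts: datetime  # always tz-aware UTC after parsing, so sorting is meaningful
    source: str
    user: str
    ip: str
    action: str


def parse_ad(line):
    """Constructed DC format: 'YYYY-MM-DD HH:MM:SS key=value ...' in DC local time."""
    stamp, rest = line[:19], line[20:]
    f = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=DC_LOCAL_TZ)
    return Event(ts.astimezone(timezone.utc), "ad", f["Account"], f["Source"], "EventID " + f["EventID"])


def parse_adfs(line):
    """Constructed AD FS format: ISO 8601 with explicit offset, then 'user ip action'."""
    stamp, user, ip, action = line.split(" ", 3)
    return Event(datetime.fromisoformat(stamp).astimezone(timezone.utc), "adfs", user, ip, action)


def parse_o365(line):
    """One JSON audit record per line. CreationTime is UTC but has no 'Z': tag it, don't convert it."""
    r = json.loads(line)
    ts = datetime.fromisoformat(r["CreationTime"]).replace(tzinfo=timezone.utc)
    return Event(ts, "o365", r["UserId"], r["ClientIP"], r["Operation"])


PARSERS = {"ad": parse_ad, "adfs": parse_adfs, "o365": parse_o365}

# Constructed sample: a failed logon, then a federation token and AD success from the
# same external address, then mailbox access. Raw stamps read 09:05, 18:05 and 17:06,
# so sorting the strings as-is would put the AD FS event after the mailbox access.
SAMPLE_LOGS = {
    "ad": [
        "2023-11-14 09:05:12 EventID=4625 Account=ceo Source=203.0.113.7",
        "2023-11-14 09:05:40 EventID=4624 Account=ceo Source=203.0.113.7",
    ],
    "adfs": ["2023-11-14T18:05:30+01:00 ceo 203.0.113.7 TokenIssued"],
    "o365": ['{"CreationTime":"2023-11-14T17:06:02","Operation":"MailItemsAccessed",'
             '"UserId":"ceo","ClientIP":"203.0.113.7"}'],
}


def build_timeline(logs):
    """Parse each line with its source's parser and return the events in true UTC order."""
    events = [PARSERS[src](line) for src, lines in logs.items() for line in lines]
    return sorted(events)


def suspicious_ips(timeline, window=timedelta(minutes=5)):
    """Source IPs with an AD logon failure followed by a success from any source within `window`."""
    flagged = set()
    for i, ev in enumerate(timeline):
        if ev.source == "ad" and ev.action == "EventID 4625":
            for later in timeline[i + 1:]:
                if later.ts - ev.ts > window:
                    break
                if later.ip == ev.ip and later.action in ("EventID 4624", "TokenIssued"):
                    flagged.add(ev.ip)
    return flagged


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for ev in timeline:
        print(ev.ts.isoformat(), ev.source.ljust(4), ev.user, ev.ip, ev.action)
    print("suspicious:", suspicious_ips(timeline))
```

The design choice worth copying is that parsers never return naive datetimes: each one either attaches the offset it knows (DC local time, Office 365 UTC) or reads the one in the line (AD FS), so a naive value cannot silently sort next to aware ones. Any SIEM, NetMon included, does the same normalisation on ingest; the point of doing it by hand once is to know which of your sources omit the offset.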
Security Engineer at M.Tech
Has efficient analytical capabilities and good technical support services
Pros and Cons
- "The initial setup is straightforward because we can deploy an open server."
- "The platform's integration features often need to be improved."
What is our primary use case?
We use the product to monitor and report network utilizations.
What needs improvement?
The platform's integration features often need to be improved.
For how long have I used the solution?
I have been using LogRhythm NetMon for just a few months.
How are customer service and support?
The technical support team is quite good and responsive. They meet their SLAs and are knowledgeable.
How was the initial setup?
The initial setup is straightforward because we can deploy an open server. We download the ISO, create a bootable device, and install it on an open server. During deployment, we also have assistance from the principal because we need to take an exam. We need to get certified first before we can deploy on our own.
What's my experience with pricing, setup cost, and licensing?
The product is expensive for smaller companies. The deployment often involves additional professional services, which can make it expensive.
What other advice do I have?
The deep packet analytics capability is quite granular because it captures and analyzes data using NetMon. However, the value of the information depends on the customer's requirements.
I rate the product an eight.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
