LogRhythm SIEM Reviews

Our primary use case would be for compliance. We needed a check in the box for compliance. Right now, it's performing and doing its job, allowing us to say that we are compliant with HIPAA, PCI, etc.

It has improved the way our organization functions. It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days.

LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently.

Our security program is still in its infancy. There is a lot of work that needs to be done. We finally were able to get our SIEM. A few things that we need to do are data loss protection, user behavior analytics, and another feature that LogRhythm offers that we're probably going to invest in the future. The program could use some work, but it is pretty solid now.

The most valuable feature is the Threat Intelligence Services (TIS).

We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4.

In the three weeks that we have had it, we have had 99 percent uptime. It is a very stable platform.

It is scalable. They don't charge for going over your messages per second. It does scale with the business. 

Technical support could use a little work in the terms of responding back. The feedback that we received is they do need a little more staff, but every issue that we've opened a ticket up for has been resolved.

We did not have a previous solution that we were using.

The initial setup is straightforward and complex as it requires a lot of work. It's very straightforward and very organized. Our consultant guided us as to what we needed to do, but the entire thing is complex. One misstep or incorrect character can bring the whole thing down.

I do all the deployment and maintenance.

The sales engineers and salespeople who come in and scope out what you need are very knowledgeable. They are not there to upsell you. They get you what you need for what you have, so everything runs perfectly. The consultants are extremely knowledgeable. Getting LogRhythm up took less than a week. It's a very solid solution.

When it comes time to renew, they say, "This is what you are using. This is what we can do for you." So, they work with you on pricing.

There were multiple competitors. We almost went with Splunk, but LogRhythm ended up being the best for the price. It ended up being everything we needed in one solution.

Everyone needs a SIEM. Go with LogRhythm.

We are not using the full-spectrum analytic capabilities yet, as we are brand new.

We have not used any of the playbooks. We do have them. We find them to be very detailed and organized. We just need to find a way to implement them.

I run in about 45 log sources with 12 of them being domain controllers, aka DNS.

Messages per second are fluctuating between 3000 and 9000. We are still trying to figure out why. We think it is our very chatty domain controllers, as we do deal with the Hard Rock and Seminole tribe, but I would say that we average about 5000.

Most important criteria when selecting a vendor: customer service. Do they care about our business as much as we care about our business? Also know as, do they care about our data as much as we care about our data?

We use it to alarm our help desk. 

We staring to use it for SMART Response. We have been using SMART Response for about a year. Now, we are starting to push that towards the help desk, so the junior analysts can do more.

It allows us to automate a lot of things with a smaller team.

• AI
• SMART Response
• Looking forward to using the playbooks

• Move it to Linux. I would like to see it get off the SQL Server.
• I would like it to be containerized. 

Our appliance is a little older, so we need to upgrade it. We are going to probably move to the software-only version. However, the issues that we have are our own fault because we didn't buy the right-size appliance.

We are not that big of a company. We are only at about 800 events per second.

We have had a couple of custom logs built, but we don't call in that much.

The initial setup is easy with the physical appliance.

We have two people who are setting it up and doing the admin side.

Make sure you size the appliance correctly.

We use Ansible and Terraform for infrastructure, so the same concept as the playbooks. We are looking to use the playbooks going forward.

We have about 1500 log sources. We do about a 25 million logs a day. Obviously, they're not all events.

The biggest use case is visibility. Because we have a lot of flaws, if you don't have a tool that can bring it all in and give you that visibility, then all that log information is useless. Thus, LogRhythm helps us keep that visibility.

It has definitely improved our security program's maturity, because we have visibility that we didn't have before. We came from another SIEM platform that we had used for over ten years and we completely outgrew that platform. LogRhythm has given us more visibility. It has created more actionable items for us on a day-to-day basis, which gives us more work. At the same time, it has given us more tools than we had before, so that is definitely nice.

I wish I could just name one feature! There are so many: 

• The ability to drill down and pivot from an event is one of the biggest advantage the product has compared to other things that I have seen in the market.
• LogRhythm differentiates itself through its usability.
• Its simplicity. It can do more than just basic simplicity.

We have gone through a few versions which has caused a lot of instability. We have logged a lot of hours with professional services. The version that we are currently on is a lot more stable than what we have experienced in the past. So, it is progressively getting better day-by-day. However, we have had some instability in the past.

There are a lot of things that are on our wishlist which I found out about on day one.

As far as scalability is concerned, it is good.

I would rate the technical support as a nine out of ten. We have had some issues. Though overall, support has been great. The portal and their interaction with us along with their full support has been fantastic.

The initial setup is complex, because it's a huge product. LogRhythm is a beast. It can do so much more than just the analytic software, so it is not your typical installation. It's more of a three to four month installation process because you are gradually bringing in logs and fine tuning them. It is not a difficult process, just a lengthy one.

We have seen a measurable decrease in the mean time to detect and respond to threats. As it comes out new features and new releases, the window is becoming a lot narrower because you can pivot a lot more with the data. Therefore, the new features and enhancements are reducing that.

I just found out about the playbooks at the conference. I plan on using them as soon as I get back.

We have about 2500 messages per second coming in.

The primary use is monitoring logs, to see what's going on.

It's head and shoulders above what we were using, which was SolarWinds LEM.

Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

As long as you don't overfeed it, it's fairly stable.

The scalability has been fairly decent so far, as long as you don't overfeed it.

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: How many tickets they can close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

The initial setup was fairly straightforward.

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.

We work on a dark site. It's the next generation ground station for the Air Force's GPS system. Our use cases are based mostly on an insider-threat perspective.

We utilize a lot of AI Engine rules within the LogRhythm SIEM to detect different types of privileged-user actions, whether it be escalation of privileges, creation of user accounts, or modification of user accounts. We also use it for IDS rules and firewall rules that are met, in terms of the IDS finding signature attacks.

It has helped our organization because we utilize the SIEM for a lot of analysis, not necessarily for malicious threats at this point, because we're in development. It's helping as far as figuring out how something got changed on the system, because it is in development and things are changing constantly. We are then using that forensic analysis to figure out what was changed, so we can turn it back because, a lot of times, in development, we don't know what caused something to happen.

The most valuable feature that we use is the AI Engine itself.

They're addressing a lot of the things that I've thought of over the past four years, in the various releases they're coming out with.

A lot of times they'll say something is coming out in a certain release and then we get to that release and they say, "No, we're pushing it back to a coming release." More engineering thought will go into when they are going to release something. Often, we'll give feedback to our management saying, "Hey it's going to come out in this release." That release comes out and it's not there and we have to go back to management and say, "Hey, they're not going to do it right now." Then management gets frustrated because they don't understand the intricacies of what goes into different components and into different releases.

The stability is very good, now. Initially, when I started working on this four years ago, the actual solution that was brought into our company wasn't very scalable, it wasn't architected properly for our type of environment. I've since re-engineered and architected a different solution with LogRhythm to actually meet our needs.

It's very scalable. It's a matter knowing what you need regarding the quantity of logs you're putting out on a routine basis. If you size it and scale it correctly, you can keep scaling it as far as you need to scale it. We've added data processors, data indexes - we have multiple for each for each environment. And we have close to 20 environments that we have LogRhythm SIEMs in.

I do more the architecting, engineering, and implementation, versus analysis. The only thing I would say in evaluating tech support is that a lot of times, I start out with the tier-1 and it's just not what I need. I need to get to tier-2, tier-3, and usually tier-3, before I get what I need.

If LogRhythm could do something on that side - for people who actually deploy and integrate the SIEM itself, instead of it just being an analyst - by having a different phone number for them, that would be a recommendation I could see going forward.

Was the setup complex? Yes and no. I did a lot of research prior, on my own, regarding using the recommended specifications that LogRhythm puts out. I designed it around that. I didn't utilize customer support a lot, only for a few questions. It was pretty straightforward after the research I put into it.

I would definitely recommend LogRhythm, based on my experience with it. LogRhythm is always trying to change and improve its product which is always a good thing. Other SIEMS are in development to upgrade and better their SIEMs but LogRhythm, across the board, has a great team. They look an inch deep but a mile wide, whereas other companies will look a mile deep and an inch wide. I think it's a lot better to do "across the horizon," instead of a small, six-foot-deep hole.

We are not using the full-spectrum analytics capabilities at this time. We are thinking about it, but there's a process for getting those changes into our baseline, being a development program. We have no playbooks at this time.

We have about 5,000 to 7,000 log sources per environment and there are 20 environments. In terms of logs per second, it all depends. We're in development. Some of our environments are not ramped up and they're all at different stages of development. Where we only get 100,000 to 150,0000 logs a day in some environments, in others we'll get close to 1 billion logs a day.

When it comes to what's important in selecting a vendor, price, names, and support are all great and dandy. Obviously, the big names of the world have a track record. LogRhythm hasn't been huge for a lot of time but they're starting to grow. They were one of the ones recommended by industry reviews in the SIEM world, but they were a relatively small company at the time. When you have industry reviewers recommending a small company, it says a lot for that small company. I know that they are growing now, but back when LogRhythm was first talked about by the industry they weren't very big, compared to the Arclights and IBMs of the world.

I rate it an eight out of ten because I don't have a lot of experience across the board with different SIEMs. I've worked with ArcSight but ArcSight is very expensive. And I've worked a little bit with QRadar. I actually like QRadar as much as LogRhythm.

It monitors any potential security threats within any of our important network security appliances, like our firewall, or any of our important databases. The idea being that you can't look at all the logs at once, so we now have a central point of monitoring for all potential threats.

I have been using LogRhythm for just a few months, but the college has had it for over a year. Until I worked with it, there was no monitoring it and the solution just sat there. The solution is just picking up speed now.

• The threat analytics
• Seeing what potentially could be happening; what are the riskiest things going on.

I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me, so I can focus my attention on my other job responsibilities, because there are a lot of them.

The only issues that we have had with it were Windows-based. The actual appliance has been up and continuously logging everything that we have, and CIS logging through it. There have been no signs of any problems nor instability.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.

The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

I have never used a competing product.

I love the potential of this solution. It sounds like a "set it and forget" type of solution. Let it deal with all the problems. It is good at doing that.

On the day-to-day, I haven't had a huge amount of time to work with the full-spectrum analytics. I have been focusing on getting it updated and up-and-running.

Currently, we have a Windows agent. Therefore, we technically have just two log sources, because the Windows agent is picking up all the domain logs onto one box and forwarding them on. It is taking all the Windows Servers and single-sourcing them. Then, currently, the only other thing that we have actively logging is our Sonic logs and CIS logs. We only have two individual sources listed, but it is more logs than that.

We have a lot of distributed offices and no visibility into any of them. The use case for this product is to collect and integrate logs from all the machines at all the different sites and get better insight into the security areas that we need to tighten up.

I am hoping that we will be able to response to threats and gain visibility into our environment that we don't currently have.

The AI Engine.

I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now.

It seems like it will scale easily with the way our environment is set up.

We have not used LogRhythm's tech support yet.

We were using an MSP and were dissatisfied with its performance. What we started to do was figure out what we could bring in-house and what we needed from a security standpoint, and this SIEM kept coming up as something we should look at.

The initial setup is complex.

We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now.

We require one person for deployment and maintenance.

I would recommend LogRhythm. I am really impressed with it, though we haven't start using it yet.

We are just in the middle of deployment of the full-spectrum analytics capabilities. We haven't finished the configuration of the product yet.

We do plan to use the built-in playbooks.

We have approximately 931 log sources at this point.

Most important criteria when selecting a vendor: 

1. The reputation of the vendor. 
2. The quality of the product. 
3. The integration into the environment that we have right now.

It came in as a compliance package. Now, it is more of a security analytics platform for us, so we try to route relevant security and computer logs. We also have some use cases that we came up with and some of the stuff that LogRhythm provided, which has been the basis of our use of this security platform. 

The company is dedicating me to working on this solution exclusively, so it has been great.

It has helped operationally with things that I have discovered stuff in logs, like errors. Without it, things going wrong would probably have gone undetected. It has certainly helped with some of the general user behaviors going on out there. 

It provides a measurement of the things going on in our organization from a security standpoint. We can either address the issues, or say, "That's the way it is."

The AI Engine can take an event and correlate it into something else giving meaningful context regarding what is going on. We integrated it in with our ticketing system, so if an alarm fires, it raises a ticket in our system. Therefore, if I find somebody needs to action other things on it, I can just forward the ticket along. This is all done via email, which is pretty slick.

I would like a more fuller implementation of STIX/TAXII so I can pull in some of the government lists without having to go implement a whole new STIX/TAXII platform. 

I'd like to do user based analytics, but that is a funding thing.

Stability has been good. We have been bitten by the knowledge base (KB) twice in the last two years. I had some things that I did that caused the AI Engine to have problems. 

Once you get stuff up tuned, it just runs.

Scalability has been fine. So far, we have been adequate capacity-wise but I can see very soon that we're going to be taking advantage of some of the features that come with the new version. In particular, the data processor arrays which will help us scale out. Then, there is whole mention of hot versus warm and being able to keep data because SecondLook is terrible.

We have a partner, a service provider, who helps me administer the platform. Then, there is me, as the company didn't want to hire additional resources, but this complements the staffing by having somebody else from the outside help with it.

Check it out.

We went through a competitive comparison of the three leading platforms out there. It was an easy win, not only from the technology-side, but from the company with its support. That's a big thing for us, when you are small, that you count on the support team. Some of the competitors, their support is not good.

Our security program is not real mature. The security group just got a CISO within the last year or two, so that has been the focus. The company is bringing up that side of the business. They recognize that it is something that needs to be invested in, along with their investment in LogRhythm.

I don't have playbooks right now. We are still on 7.2. I don't think playbooks are in there yet. It makes sense that we use that functionality, and we're looking to go to 7.4 as soon as the .3 release comes out.

We have about 1800 log sources. 

We are right at 5000 messages per second, and the system is scaled for 10,000.