LogRhythm SIEM Reviews

We did a bake-off with several others when we brought in LogRhythm, 10 months ago. And a lot of it was around a cost perspective. Also, its capability of easily ingesting event data from many different types of platforms. 

Some of the competitors require the use of agents that are deployed on those various end-points, or they'd be servers or otherwise, to ingest it. So this is a much quicker deployment. 

And through their upgrade processes that we've seen, it makes it a much more streamlined process, rather than having to touch on multiple end-points.

Any SIEM, in and of itself, should be easy to ingest data, it should also be easy for the analyst to assess the different types of events that are coming through, be able to sift through false positives, and ensure that they are only acting on things that are truly actionable, that need to have attention. It's not one of those things that you want to have analysts spending a lot of time on, and then seeing false positives in the system. It just gets to a lack of trust within the system.

LogRhythm has shown to us, to this point in time, that it has the capabilities of being able to deliver actionable intelligence to the security engineers and analysts.

The biggest thing that we need - in one of the presentations today here at the LogRhythm User conference they were talking about it - is automating your SOC and trying to get your systems to do as much as they can do without human intervention. Which is great. 

I provided feedback afterwards to say, "We need to be able to ingest all data. And we need to be able to parse all data." What that means is, my Checkpoints that I have today, which is my unified-threat management system, I'm only able to ingest firewall logs and events from the blade. I own all the other blades from Checkpoint: IPS, Threat Emulation, threat detection, Data Loss Prevention. All of those blades have data that I need to be able to feed down into LogRhythm. From there, we also need to be able to truly parse the data. I've had to have a couple of custom collectors built specifically for SQL Server-type events, for database analysis, to ensure that the data that's being brought in, the events are parsed, we can be actionable on that.

Stability has been, for the most part, quite good. We do have a HA, High Availability configuration, between two different datacenters. 

There have been a few challenges that we're working through. Mostly it's a Windows-based, all-in-one appliance that we have. We are in discussions with LogRhythm support right now in respect to HA breaking through automated patching. But we're encouraged that we're going to be able to get over that hurdle, and then we'll have a 100% up-time with it.

As the Security Officer of the organization, I don't have to interact with them directly. My team has found that there are some very good engineers that they've been engaged with, and have been able to work with them throughout different issues. They've said a lot of good things about the support portals; better than some of the other technology products that we offer. 

I know some of the other technologies that we use for our unified-threat management systems and the like, some of those portals are a little bit more cumbersome to actually put in support tickets. LogRhythm seems as if they want to really engage with you, so they don't make it overly cumbersome to put in a ticket.

It's been fairly good interaction, with the capabilities that they offer to quickly get an engineer on the line.

We were a QRadar shop for five years prior. To be honest, the product was great initially, when it was a Q1 Labs product. Things started to change a bit after IBM's acquisition of it. So we were looking to see if there were better alternatives. The top-two were LogRhythm and Splunk. 

We did a several week SIEM solutions comparison between the two of them. Splunk is a great product in and of itself, but it was too massive for us, for our size of organization. As well, it looked like it would require a little bit too much of an analytical programming background for my engineers and analysts, which they don't have. So they were really most satisfied with the LogRhythm platform, its capabilities, the ease of use. And then, from my perspective, from the company's checkbook, the sustainability of it, the upfront cost, and the long-term ownership of it.

I did oversee the implementation, and the initial setup that we did seemed to be fairly straightforward. My engineers were very happy with the simplified installation process. 

Being an all-in-one appliance, that helps a lot in the initial setup. You rack it, you perform the updates, being a Windows box. And even some of the software upgrades that we've done since our initial purchase and installation, those have been fairly trivial as well.

A lot of the competitors, IBM specifically, there's these WinCollector and other types of agents that you have to install and push the event data to the SIEM. 

LogRhythm is more of a collection using APIs to pull the data down, so it's much more efficient. And you don't have to get any of the other areas within infrastructure, or the application teams, to participate. You just go and point at the systems, assuming you have the correct level of authorization and credentials, and then the data is ingested naturally.

The solution, one to 10 at this time, would probably be a strong seven. Right now there is the concern about being able to gather all of the data into the system. That's key. It's one of those things, pre-sales versus post-sales, what is said can be done, and then what actually is fruition. There is only so much you can do in a proof of value, or what they sometimes call proof of concepts - in those bake-offs - because you only have a limited amount of time with it to do that connectivity, and analyze. It really is that integration and some of the customization that we've had to do from parsing rules, not only for SQL Server, but also for ingesting NetFlow data from our Gigamons - which is the core of all of the network activity that happens within our environment.

With this or any technologies, that pre-sales process is key. Really asking the intricate questions, try to get them to talk in-depth about the capabilities. Just saying that, "We have integration with this technology or the other," is not sufficient. You really need to have a good understanding of the capabilities that you are looking for, what your systems are capable of, and what you need that integration to be. The last thing that you want is to get in there and say, "Well, it works. But it only works 30% with that." You want it to be 80% at a minimum or better.

The consistency of its interface, whether you go to a dashboard, a search, an alarm - everything comes back consistently. There isn't a different interface for every function that you do, so it makes it very usable.

The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports.

I think part of the thing that LogRhythm has always done with the deployment is a lot of hand-holding by Professional Services. I would tell everybody that was going to do this to pay the money and get Professional Services. Don't try to do it by yourself.

Awesome. In fact, I just went through a scaling exercise where we outgrew our initial implementation and we were able to double, very easily, our capacity through an upgrade process.

They're awesome. We use them all the time. I tell my staff that whenever you have an issue, the first thing you do is you open a ticket with tech support, then you start playing with it. If you have solved it by the time tech support gets back to you, cancel the ticket.

We were previously using SolarWinds and we outgrew it. It wasn't scalable. We needed to find a solution that would scale as we grew it.

It was straightforward.

We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

The ability to threat-hunt and, being a small staff of five people, we can actually not put a lot of time in administration, the care and feeding of it, and get useful analytics out of it.

We have two facilities, roughly 500 logs per second. Microsoft shop, Cisco stack on the networking side. We run two FortiGate firewalls, and a slew of different security products that we have not integrated into LogRhythm.

We haven't seen the improvements yet. We bought it as a compliance tool, and it's still sitting there. It's part of the reason why came to the LogRhythm User Conference, to figure out what our next steps are. When we had to tackle PCI compliance, one of them was log aggregation, and so that was why we brought it in.

It's met all of our compliance issues, really easy to do. As I said, there's not a lot of admin overhead, so it doesn't cost an FTE for us, which is nice. I think the added benefit is when we start using it for actually doing some analytics and in increasing our security posture, we're just not there yet.

I can't think of any features they should add because we haven't used everything they've already released. They have Office 365 logs integration. They've got this new phishing engine that we haven't used. They've got dashboards we haven't used, so we're basically right at the very bottom, we need to start building with what they're already doing.

In terms of improvement, their community boards, where to go find things, as a customer. As they're growing and they're moving stuff around, and it would be nice if we knew exactly where to find what. They're constantly reinventing how they do things and where they put stuff, that's the one challenge I've run into. I've always found the answer when I got to the right person: "Yeah. That's over here now," but I know other customers have shared that same issue.

Being a small shop, we're in an XM, everything in one appliance, which is really easy for administration, but I think it can get more complex as you get bigger. They've scaled to really large Fortune 500 companies, so that's nothing that we're worried about.

Great, you have almost the service-desk model, where you're going to get a live person. They're going to answer the call. They're going to make sure you get routed to the proper team. They're really good at followup, when "Everybody's busy now," they're really good at scheduling times, when both the technical agent is available and our staff is available, which I really appreciate. You don't have those, "I tried to get a hold of you," going back and forth. Not a lot of vendors understand that. LogRhythm does a good job with that.

It's straightforward, to the point that we brought it. We did a week of engagement with our security value-added reseller, and we were basically shoulder surfing. Everything looked like it made sense and why they were doing it, and it's not that complicated.

Where it can get more complicated, like I said, is if you're a big organization, you didn't have it all on one platform. Those components would have to be put together, and there can be a little bit more to the infrastructure.

The SIEM's a very technical tool, but LogRhythm - that's one of the beauties of it - once you figure out how it's installed, the care and fitting of it, the updating of the SIEM to new versions, and even the monitor agents, it's really pretty straightforward. Good documentation.

ArcSight and Splunk, and that was it.

We went with LogRhythm because of cost, administration, and ease of use when you're in the tool. Those are the top three. The fact that it was the lowest cost one, easiest to use, and easiest to administer. It was a no-brainer for us. It wasn't even really a conversation, other than the fact that we have to shop at the three different vendors.

Right now our focus is on user behavior, and that's part of why we joined the cloud Beta, they are our biggest risk. We don't know what they're going to do when and why, and so we've rolled out some security awareness training, we've rolled out some phishing exercises, and really trying to figure out how we can stop them being their biggest risks. Learning about what we learned today at the conference, with LogRhythm doing their phishing intelligence engine, it's going to be nice to see how we can implement that into the SIEM as well.

Security solution, number one is FTE; being a small shop and how much FTE does it take to run that? If that's a challenge for somebody, so they have co-piloting that you can do. We were able to absorb that in with two different FTEs splitting the duties, and they probably spend 45% of the time doing that. Might be different for a bigger shop, but that's our focus.

The most important criteria when selecting a vendor:

• reputation
• have they delivered on what they say they can do
• are there customers out there that we can talk to, that can validate what they're saying is actually true?

Regarding a solution being a unified end-to-end platform, it's not necessarily so important. Going forward, as we mature, more maybe, but we're really just tacking on the stuff that we go after. It's addressing certain needs, it's a little bit siloed right now, so it's not a huge need for us.

I gave it a nine out of 10 because I hesitate to rate anything a 10, that's perfect. But I think they do a great job, and I think it's more on us to really engage them more. They're always happy to talk to us about where we want to go with it, and it's just us dedicating the time to them.

Talk to people in the industry, make sure it can fit those needs you're buying it for. Proof of concept is huge. Do a proof of concept, especially in a SIEM. You don't want to just buy one and then implement it, and then try to figure out is it going to actually work for me?

The web interface, especially since the move to the open source storage system in v7, allows almost instant access to detailed log data from across the platform.

I work in the IT Security channel, reselling LogRhythm and associated consultancy services. The improvements from implementation of LogRhythm are to my clients' organizations.

The reporting engine is poor in comparison to other areas. It should be moved to the web interface to improve its functionality and usability.

I've been using it for over four years, since v3.

We have had no issues with the deployment.

We have had no issues with the stability. We haven't experienced instability.

The scalability before v7 was sometimes difficult due to the hardware performance required. Since v7 was released, the clustering and scalability options have improved significantly.

The UK-based technical support is good, and the engineering and lab teams based in the US are great.

I have experience with Splunk and ArcSight. LogRhythm's correlation capabilities (part of the AIE component) is much better than Splunk's, and the solution as a whole is generally cheaper and easier to implement than ArcSight.

The initial setup is straightforward. Follow the initial setup guide and the solution works within hours. Easy to use configuration tools are included.

I work for a reseller and consultancy firm in the IT security channel. I would recommend using a vendor or reseller to assist in the deployment, as although the basic build and set up is easy, on-boarding log sources and setting up the system to report and alarm on events requires experience and expertise.

As part of your plan for SIEM, identify what you expect the SIEM to be able to do for you / your organization. SIEM is not a silver bullet. SIEM will take a considerable amount of use by a security analyst or similar to get the best out of it. SIEM managed services offered by resellers or system integrators may be good value and should be seriously considered to ensure the best outcomes from the SIEM.

It allows me, through the reporting functions, to take a quick scan of what's happened in the prior 24 hours.

Also, it's essential for our compliance. We're audited frequently and this is the piece that's essentially mandated by the State.

It creates a good feedback loop whereby I'm able to scan through and see what off-limits activities users have been doing. I think it improves the organization by letting them know that everything that they're doing is not invisible. It's a demonstration to them that they need to do what they say they're going to do and follow the policies that are in place here.

I'd like to see a real-time dashboard of events. I know it's available, but it needs work. I haven't been able to put in the 20 or 30 hours that it would take to really become an expert with it. I rely on the PDF reports which guide my day, but having the information in real time in the dashboard would be nice.

To me, the best additional feature would be, much like you see with a firewall or with an antivirus scan or intrusion prevention, a real-time console for activity and almost sort of automatic updates for certain features. That would be helpful.

We got our first unit here in 2009.

We've had no issues with deployment.

Stability has been fine. There were some problems in earlier versions, but I wouldn't put that all on LogRhythm. Part of it was that we needed and equipment upgrade and it was literally a year and a half or two years where it was optimally built for that we had to continue using the old version, the old appliance, and it took us a long time to get upgraded. So we were dealing with some rather clunky situations, running out of disk space, that kind of thing.

I really can't comment on scalability because we're a rather small organization. We only have 50 or 60 staff members and no plans to really grow or extend the use of it out to another organization. From the beginning, it's handled all of our work and again, without any real big plans to grow, it's hard for me to comment on that.

Their support team is very good. As IT organizations go, I can only think of maybe one time when I had to request a second person to look at a problem. They provide timely responses, and they provide really good training. I have no complaints.

The setup requires an agent to be installed on all the machines and we have an in-house intrusion prevention system server base. We did a fair amount of finagling with that. I would say in an organization without those types of software running, it would be a piece of cake. I think it would be excellent. With us, we had a few extra hurdles to jump through just because of the fact that we had to be so secure in-house here.

LogRhythm sent the appliance, we hooked it up, and we plugged it in. From there, they gave us 10-15 hours of time with a setup team via WebEx. They took control of the machine and taught us the basics. Then we took it from there.

We've maintained the same base of licenses since we began, and it was sized properly. I would say they gave us good advice on how much to spend on licensing. We've been able to collect all the logs we really need here for that issue.

We evaluated the freeware alternatives, but we needed a turnkey solution and we just didn't have hundreds of hours to put into a starter box, so we went with a commercial buy.

We didn't perform an exhaustive search, but the result was somewhat fortuitous. I began the search and found someone at LogRhythm I felt I got along with. This person was very knowledgeable beyond the salesman-type of knowledge. He was able to relate with our needs here.

I would recommend them. I think that their product has evolved over time. I think there were a couple of years in the very beginning when I was a little frustrated with them, but now, and especially, we just bought a new box last year, the newer version, it seems to have a lot of the kinks worked out, and so I wouldn't have any problem recommending them.

The Web UI is perhaps the most valuable feature in the solution.

LogRhythm allows our IT/IS teams to quickly identify issues across the enterprise. Searches can be performed using any known value, IP address, hostname, username, event. The results are then used to "open a case". The case is assigned to an analyst, who can add additional info during the research and remediation efforts.

Report-building is in Crystal Reports and has a limitation. A non-editable template must be created, then the report is created against the template. OFI is this. The template needs a preview option, as well as an edit option.

8 months

None that were not easily overcome.

None

No, we right sized the deployment and also deployed as a high-availability environment.

I have been very pleased with customer service. I have only had to contact my CS a couple of times, and he has done a great job of followup to insure my company's needs were met in a timely fashion.

Great support team. Average call pickup time has been less than 1/2 hour. I have had a couple of "scheduled" appointments get delayed when the agent's previous call ran over.

We previously used Juniper STRM, rebranded QRadar. We faced 1. Log processing could not keep up with collection, so events were being dropped. 2. Support was poor. 3. When a ($45 at Bestbuy) disk drive went out, we were sent an entirely new system. 4. When faced with upgrading to support our log collection demands, the estimated cost was several times greater than the LR deployment.

Depending on the size and complexity of the deployment, i recommend paying for the Professional Services team to assist. All work was done in a remote session.

I also recommend not attending the training sessions until a few weeks of bake-in have occurred. Too many topics were covered to fully absorb all the information that was disseminated.

Our internal security team performed the majority of the installation, again working with the PS group at LogRhythm.

We immediately saw benefit on our first investigation.

Depending on the size, number of logs, I recommend deploying VM (or physical) collectors, and have the logs forwarded to the appliance. We are collecting logs from 2500+ systems, and did not want to impact the appliance with collection, but rather, analyzing logs. This solution has worked very well so far.

We reviewed several solutions including Alien Vault (not large enough for our needs), Splunk (would need a full time programmer to write queries), QRADAR (since we already had a previous version. We did a month long POC on Correlog, attempted to POC EIQ Networks.

We are very pleased with the LR solution and are looking forward to the upcoming update.

There are multiple use cases for the solution, such as long log formatting, log consolidation, data isolation, malware detection, identifying suspicious attacks, and locating ISU records across the network.

The GUI is very intuitive and the solution has good integration.

The built-in functionality of the solution for NDR, SOAR, SIEM, and EDS has room for improvement.

The price of the solution has room for improvement.

I have been using the solution for ten years.

The solution is stable.

I give the scalability an eight out of ten.

The technical support is good.

The initial setup is straightforward.

I give the price a six out of ten.

I give the solution an eight out of ten.

The solution can meet the most mature customer's requirements.

Our customers are financial institutions, basically banks, and others in the financial sector. They have a lot of web-facing applications and technologies for which they need to have a complete trail of logs and audits. Whether they log in through their mobile devices and do mobile banking or internet banking, or do some queries, or are working on their systems, we need to have security logs for future audits and compliances. One use case is on the data protection side, because we are a data protection tech company, which determines if we need to activate security. The second is for audit trails, compliance, and if there are any issues. We need to have logs of all events and these logs are stored in the central bank. These logs have to be maintained for 10 years.

The user interface is good.

We are still implementing and have not yet completed the LogRhythm implementation for one particular customer. We haven't faced any issues right now. Once we've completed and we are doing the log analysis and the correlation and audits, at that point in time, if we find challenges, I can update you. Right now, it's okay.

Let us see once we finish the website we are working on. Then we'll understand better more of what we need. We'll probably need an improved user experience in terms of reporting and analytics. If the reports are very easy to configure and generate what we require, that will be the best thing. At the end of the day, it is just logging, correlating and reporting.

I have been using LogRhythm NextGen SIEM for the last four years. We are using the latest version.

The stability is there, it is good.

As of November we have four customers in the field of info, security, officers, managers, and risk and compliance. Generally, these are all risk and compliance teams at the financial institutions or in the government. The implementation is done by the IT security team but the reports and everything are part of the risk and compliance team.

It is scalable.

One person is more than enough to operate it. We have a specialist, one engineer who does it.

The support is quite good. We haven't had any challenges. Initially, there was something that they requested, so we logged a call and they were able to respond immediately. We had no challenges. They are quite responsive.

The initial setup is not so easy because it is quite a process. Nevertheless, from my experience in implementing SIEM, Splunk is the easiest, and LogRhythm comes next.

LogRhythm is okay, we never had any challenges.

The installation is per site. Because these are all government customers, public sector government customers, we generally take anywhere between four to six weeks for installation. We have five people doing it.

When they buy the license, whether on-prem or cloud licenses, I don't think that's all they pay. We do charge them for implementation and installation, but that's about it. Subscription is year on year.

We have tried many other products. But if you want to look for a mature product in the SIEM market - Gartner Quadrant, LogRhythm and Splunk are all leaders and are well placed products. The rest are yet to come up.

When I say LogRhythm is a mature product, I mean it covers all 360 degrees for SIEM requirements which is not there in the other products. Only a few products have this kind of totality of integration, especially in the reporting. It has very good machine learning and AI techniques. It is very good.

I of course would recommend LogRhythm NextGen SIEM to others.

On a scale of one to ten, I would give LogRhythm NextGen SIEM definitely a nine.