LogRhythm SIEM Reviews

Absolutely. It has helped us gain visibility into events that we didn't have before at all. We have a lot of remote locations. We manage national parks and point-of-sale devices on ships, at the top of mountains and little cabins, gas stations in the middle of Death Valley; we have a lot of difficulty around trying to keep an eye on things, and LogRhythm lets us have agents running almost anywhere we want.

It also has provided us ways to do compensating controls for systems that we couldn't otherwise secure, because of different product upgrade paths and costs. LogRhythm helps us on the compensating control side as well.

I think we're right around 1000 to 1500 (peak) logs per second, which is not a lot, but we've tuned it heavily in the last few months. We've added compression and we've turned off verbose logging, and just try to get the important things. We've been working with LogRhythm to tune what we collect, to make it is more useful or applicable. I wouldn't say that we're one of the higher end users or higher logs-per-second users, but we have 15,000 employees in peak season. We have six ships and we manage most of the national parks, so there's a lot of locations around the world. I don't have a number on buildings or assets though, but maybe 4,000 endpoints total, if you include routing and switching servers, desktop PCs.

Up until recently, I would speak with LogRhythm and they would ask me, "What do you want to do?" I'd say, "I don't know. What can you do?" "We can do anything. What do you want to do?" It's hard for us to know what we want. We just know that we want to be secure. We know we need to collect logs, we know we need to do basic things. But recently, LogRhythm came out with a package to help us tune our system for PCI compliance, like industry best practices. We don't know what all those are, so we're working with them to turn on all the bells and whistles that will make us more targeted in our strategy and collecting information, so that we're not just looking for things at random, or it's dealing with a crisis.

When we have a crisis we know what we're not getting, but we don't know how to predict that, we're fairly new into the maturity phases, so I think that they've compiled a lot of that for us, and I'm very happy that we're able to work with them now to get that hammered out.

The PCI compliance pieces that help us produce reports for our external auditor, and their support.

I constantly sing the praises of their support group. It's a complicated, vast product with a lot of breadth and depth. Things go wrong. But when I have a problem their support group will get a hold of me within minutes to hours, at the most. If it takes a group of people to solve the problem they pull a group of people together. They will create remote sessions. I don't have any other vendors with the same level of support that LogRhythm does.

Global management for registry integrity monitoring. Right now you have to apply what they call RIM policies, Registry Integrity Monitoring policies, one agent at a time. If you have thousands of endpoint agents, you have to touch each one of those one at a time. That is a pain in the rear, so I would really like to see some type of group or global management for RIM policies, like they have already for FIM, the File Integrity Monitoring. You can grab hundreds of agents at one time, and apply them across the board. I don't know why you can't do that with the registry piece.

It'll scale forever, and especially in the VM and cloud environment; so the time and money, those are the only two things. But it fit's our needs, where we are.

Like I said, we're not a really high volume user at this time, but that could change. We're owned by Philip Anschutz, he's always incorporating companies that he thinks will make us bigger, better, and more marketable; so that could change overnight.

But right now, where we're at, it meets our needs, I'm happy that it can scale anywhere that we need to go. There's no limitations there, as far as I know, and there are lots of options, with hardware, clusters, distributed environments, cloud-based environments, VM-based environments, combinations of all those things, so there's no problem with scalability.

They're a 10 - out of five stars! I have great success with them, very pleased. Love working with them, they're funny. They're also right here in Colorado, so when we need somebody on site it's not difficult. But it's rare that we can't solve problems with GoToMeeting or WebEx.

We used AlienVault, and before that Splunk, but neither one of them worked, and even their pro-services people couldn't get the products to really perform well in our environment. I understand the LogRhythm sales engineer who came out the first time to demo or do a proof of concept, was doing things in minutes that the other folks were trying to do in weeks, and my boss said, "That's what we want. I want that."

We need stability, ease of use, ease of investigation, so we had looked at a number of products in the past. Again, that was mostly before I came on board, but I understand the challenges with them included having to write a lot of custom parsing, and you either had to have Linux gurus on staff, coding gurus on staff, to make those products sing. LogRhythm has all that built in, and you just need to let them know what you want to turn on. They have all the features and policies and alerts that you could ever hope for, so you just have to know what you want to do.

The only other SIEM tool company that was even close to LogRhythm was QRadar, IBM's SIEM solution, in performance and cost and features. Actually, not cost. I think they're very expensive, and that company makes a lot of people nervous. LogRhythm is, like I said, local, and stable, growing, aggressive, helpful. IBM is a big monolithic company, which I have a lot of respect for and they've come a long way, but they're constantly splitting off and selling pieces, and you never really know where that product's going to be in a few years. LogRhythm hasn't had that problem.

It's effective, it's like a Ferrari. You have to have a lot of mechanics, and you have to fine tune it, and when it's running well it runs very well, but there are a lot of things that can go wrong too. I'm pretty much a one-man shop, and it's difficult for me, but that goes back to having good support and good communication with them. It's a struggle, but the product is strong and we just need to continue growing with it, in our understanding, in our use of it, so we'll get where we want to go. But it's a partnership, so we appreciate that.

I already mentioned some of the most important criteria when selecting a vendor, but the main ones for us were

• local presence: so we have a door to kick down when we need help
• support: LogRhythm has very strong support features
• scalability and cost: LogRhythm had a higher initial cost, but it had almost everything built in that we needed, there were no additional or hidden costs later, so it was much easier for us to plan ahead.

Also, our company likes to spend capital dollars, so the hardware option was more attractive to us. I like the VM and cloud, and I'd like to move in that direction, but having the multitude of options that they have was a big plus for us.

It's very important for us to have a unified end-to-end platform because we have so many different locations and we have such a small team. Having 50 different products and 50 different interfaces doesn't help anyone, even if they're good products. Having one single product that can do a lot of things is very important.

It's a 10 our of 10 for sure. Even 11. I love it.

Don't just look at cost because, as I said, LogRhythm was a little bit higher in the beginning, but look at the features that they have and the support, everything, especially in this field. It's a complicated business, so everybody's going to have problems. Can they fix those problems, and will they work with you to grow? Look at the big picture. Long term.

• Security analytics
• Compliance: The reason we implemented was compliance. We're hoping to use it more now.

Security analytics have definitely improved. It is definitely more dynamic than our old flat file archives system.

As a security organization, the key challenges and goal are data integrity and definitely user access to insure that certain sections are kept more secure than others.

It seems with all of the advanced features that we haven't quite figured them out.

It is very complex. More training maybe, in addition to the LogRhythm training on the community website, which is a lot. Better adoption starting out, so we are more comfortable when we start and when we go live.

We are pretty new.

We are learning more as the days go on. I am sure a lot of the really impressive stuff will come later.

Scalability is extremely great. We are looking to scale it way more than we already are as we grow.

We haven't contacted them yet.

The initial setup was straightforward.

LogRhythm came in and did so much for us. We were up and running before the week was over.

Take advantage of the feature set that LogRhythm has to offer. It has more features than a lot of their competitors. You will be further in the end.

It is creating a whole ecosystem, integrating different security components together, whether it is bringing the CloudAI, a UABE solution or smart response case management.

Definitely, the LogRhythm solution is a central piece. It helps us in visualization, it helps us in monitoring of our different log sources, and helps us with auditing compliance.

This is all tying things together, bringing a lot of functionality and benefit to us.

One of the features that we'd definitely like to see is the user inference, entity inference, where one entity would have a unique ID and then with that unique identity you could pull out the information or log associated with that. It helps a lot in the investigation, because currently what happens when we get an alert from LogRhythm it's just the tip of the iceberg. Then we need to do lot of investigation. But having this entity inference kind of tool would help us. We could tie all the logs with that unique entity, and we would be able to collect the information, I think it would be really cool to have something like that.

Also, with automation, like identifying new log sources and the environment, or automation of log sources that have not been reported from last month or a week. You can put up some kind of alerting system there so you can retire or look into it.

It is quite scalable. This whole solution, you can have different components on different servers or platforms. For example, I was in that meeting, and we were talking about collecting 50,000 to 60,000 messages per second, which is really a high number. I was very impressed to see how many records, 12 DPX or five or six AIE servers or similar platform managers. It looks like it's quite scalable and they are quite happy with that.

LogRythm technical support is really excellent, very good in timing and answering questions very quickly. I have not seen such a good time response with any other product we are using. In those terms they are very good.

Though we had some issues initially in terms of technical support, the expertise of technical people, but I am seeing that they have improved a lot now, so a lot of our questions and queries get solved with the technical support.

I was not initially involved in the deployment but I read all of them on the business case at that time: Splunk and ArcSight and one other.

We've got around 2500 logs per second, and primarily a Windows-based environment. We have around 300 Windows-based servers, and we are also collecting a lot of logs from the end-user devices, which are primarily on the Windows base. We also have some Lynux-based servers and also some network component firewall proxies.

Over a period of time, LogRythm has improved a lot and the future, the road map of the product, really looks nice.

The most important criteria when selecting a vendor is the scope you have defined for the business objective you want to solve, whether it will meet that objective or not. Also, for us, feedback from industry peers matters a lot, and the people who are really using a product help us a lot. It needs to suit the budget as well. So financial, commercial and meeting the business objectives.

It is quiet important that a solution be a unified, end-to-end platform
because we have limited resources. It's very difficult if we have to scale and train on all the different platforms or security tools; and once someone leaves the organization it is difficult to hire a new resource. So having something unified under one platform means that scalability. We can have someone and utilize their skills to fulfill our requirements.

I would definitely recommend LogRhythm to someone looking for this kind of solution.

Well our eCommerce site is very important to our business. So not only NetMon, but also just knowing the traffic that's coming in and out of there, and whether it's coming from bad sources. We have to protect our eCommerce site and it is helping us do that.

• We have been impressed with the data that we're getting back. 
• We have been impressed with the look and feel, ease of use, and things of that nature.

As a security organization, we are constantly attacked, either from disgruntled ex-distributors, as we're a distributor-based company, or just people that don't like distributor-based companies at all. Therefore, we are constantly attacked, and we are pretty confident LogRhythm will put us in a good way that we can deal with this. 

We have got a lot to learn. However, doing the research that we did, it looks like LogRhythm is going to be a great solution for us that we'll be able to monitor external and internal traffic with our SIEM, again with Netmon, and log the sources that we need. 

Better knowledge transfer during implementation.

We definitely thought it was complex when we initially set it up, but that is usually just a single pain problem. It could definitely be more straightforward.

We are a new customer.

We are around 3000 logs per second. We have datacenters in Amsterdam, one in Florida, and some in Salt Lake City. It's a global company, so we get traffic from all over the place.

I don't know that I have much to answer on this yet. We have only purchased a single appliance and the NetMon appliance. I think it will be interesting to see if we need to scale, depending on if we ramp up, how many logs we're actually processing. 

We have come from a separate SIEM, SolarWinds, and just purchased LogRhythm within the past couple of months. 

They switched because they flat out didn't like SolarWinds and their interface or anything like that.

We've had, in the past in our company, ransom attacks. Prior to me being, there there was one that they paid out, and obviously, that is a painful way to go about doing business. We want to secure our data. We want to make sure that does not happen again.

We have implemented the core implementation, but we haven't done any of the onboarding or anything like that yet, but I was there. 

We were overwhelmed at first, and now we're starting to figure out what the capabilities are.

7pace and Nagios.

We chose LogRhythm due to its better interface. We had demos and felt like LogRhythm was the better solution for us. 

Do your due diligence. For the most part, you're dealing with the same data depending on who your SIEM is. It is still the same data that's being returned or that you can pull. Definitely do your research because your SIEM itself may not get you what you need out of that data. 

A unified end-to-end platform is very important to us. We don't want to go to 12 different user portals. We want to know in a quick way what we're dealing with. We want to be able to see the data without having to jump all over the place to get it. 

Most important criteria when selecting a vendor: 

1. We are buying a product that is going to succeed for us.
2. We want to know that we are going to have good support and help when we need it as we won't know anything or everything for a long time. But we have experts that we can lean on, that's a definite benefit.

We're in the process of a rollout right now. But from what I've seen, it will definitely be a huge benefit.

Our impression is the solution will be excellent toward meeting our meeting our existing security challenges.

Our biggest challenge right now, there is a big push towards docker containers and trying to wrap my head around how we are going to monitor and provide security for that.

The artificial intelligence engine.

Focus on open source, long sources like Linux and Docker, and those kind of things. More help and assistance with some of the open source products, everything seems to be focused on Windows versus giving some guidance and some documentation on how to use it. This seems to be lacking.

It would be a huge help if there were some guidelines or some new technologies that were developed specifically for that.

It seems pretty stable. I'm not had any issues with it.

It seems like you could grow it horizontally. The solution that we have, it is the one that can split out with a couple of different data indexers and data processors. However, we are still in the roll-out phase.

They were excellent and very knowledgeable.

No, just some open source type of things.

We searched for a security solution because it is such a huge surface area to cover for a very small security shop. It is just two of us, and we have about 5,000 servers. It is a lot.

I was involved in the initial setup. It was somewhat straightforward, somewhat complex. There are a lot of moving parts.

If they had some type of a script, which you could run depending on the solution and what boxes you have. A script that would just go and automatically configure things and get that part of it done, then you could focus on getting the events in, things like that.

I would recommend that whatever sales quotes to them upfront, they will probably go up. Because they are probably going to outgrow that very quickly or once they start getting everything into it, they are going to have to move up anyway. Better to do it upfront and have that headroom.

We were evaluating Splunk, and also QRadar.

We chose LogRhythm because the price point was within what we were looking to pay. It seemed like a more mature solution than some of the others.

A unified end-to-end platform solution is important but I understand that there will be different tools for different jobs. LogRhythm, that is their sweet spot and I hope they stay there because they do it really well.

Most important criteria when selecting a vendor: It is about the integrations with all the different products that we are using. LogRhythm seem to have most of those boxes checked. Therefore, it was a good fit for us.

• Ability to collect logs
• File integrity monitoring

It has helped. We are still not very mature in our use of the product, but we are trying to get there. We are pretty small on the security side, but it has helped to give us visibility into our point of sale applications.

Just maturing is one of our biggest challenges, and really leveraging all the tools that LogRhythm provides. Just keeping up with it.

Just integration into our ticketing system, which we're using service now. Just being able to integrate LogRhythm with that so we can track incidents.

Continued support to help us understand the solution better.

It is very scalable, though we have not scaled it yet.

It is very good. LogRhythm has also contributed some sales engineers to help us, We have also participated in a weekly call, and we did an evaluation of that for 90 days. This has also been very helpful.

We were using another product called AlienVault. The main driving factor behind looking for this solution was our PCI compliance requirement. We switched from AlienVault due to a lack of parsing rules providing by them, and LogRhythm provided those parsing rules for various devices we were collecting information from.

I was involved in the initial setup. It was very straightforward. I had used a different product previous to LogRhythm, so I had a basis of what I wanted to compare to. I was able to take that little bit of experience and bring it to LogRhythm, and ask them how do I accomplish these goals, and it was very straightforward. They helped through that process.

I can't remember anymore.

Though LogRhythm's involvement in providing quick answers to some of the criteria that we wanted to accomplish (5-10 things), and they were able to come up with those answers very quickly.

Make sure that what data you are collecting is usable. That is probably the biggest advice. Because the first product we used, we had problems just understanding the data presented in the SIEM console.

It's nice if the solution is a unified end-to-end platform, but it is not a deal breaker.

Most important criteria when selecting a vendor: Support after implementation is probably the biggest.

It has improved our ability to see incidents when they occur, instead of maybe a few weeks or a few months down the road.

Overall effectiveness is very good. I like how it is oriented to both analysts and technical support people. It's easily adopted by end users as much as by technologists.

Key challenges are going to be maintaining visibility as the technology changes, especially with cloud coming onboard, probably fairly soon. Also, the implementation of a SOC, which is relatively new to what we've been doing.

• The overall view of the solution: It encompasses end-to-end analysis and response.
• Log management
• Threat management: Threat hunting is going to be a large topic for us as well, which being a big data engine, will go a long way for us, too.

We have not move into cloud security so much, but eventually we will be there.

I would like to see case management become more independent from LogRhythm itself. Right now, it is very oriented to LogRhythm based events, but not manual events, such as user reported things and incidents where we might have large volumes of data that we have to store as part of the case. It works real well as a workflow device, but not real well for overall case management for an organization.

It's highly scalable, though we have not really been able to take advantage of all of its scalability yet. We're moving into the new architecture as we speak with having separate data processors and indexers. I am hoping to find out how scalable that becomes.

We're currently between seven and 11,000 logs per second. By next year, we'll probably be close to 20,000 logs per second. We have 14,000 branch offices and two large data centers. We're growing rapidly and trying to improve our visibility.

As far as technical support, professional support, and overall organizational support, LogRhythm has probably been one of the best companies that I have worked with since I have been in technology.

We did not have a previous solution.

When we originally put in this solution, it was for log collection and analysis of all of our branch network devices, but it has evolved over the last seven years to encompass pretty much anything that provides some kind of security visibility.

I was involved in the initial setup. It was straightforward, but it was seven years ago. We have gotten more complex as the system's evolved.

The SIEM solutions comparison we did included QRadar, RSA, and LogRhythm.

LogRhythm stood out due to ease of deployment, cost of ownership, and ease of use.

Look at all of the factors, including total cost of ownership and your roadmap of where you are going, and compare those to the needs that you have going forward. There are a lot of solutions out there that are either way too complex to manage, don't have a good roadmap, are a secondary solution in a larger company, or are going to just be astronomically expensive when they get to a useful state.

If the solution is a unified end-to-end platform, it helps with the overall management, skill set training, and retention. It does provide some long-term benefits.

Most important criteria when selecting a vendor:

• Usability
• Growth potential based off of cost.
• Architecture.

So, where could we grow the system, because a lot of systems were either too complex, too expensive, or very oriented for that particular network-based solution. I was looking for some kind of compromise in the middle.

It is the dashboards. Up until just a couple of weeks ago, we were just using the standard dashboards. We actually had our account manager and professional services team members come out to our Security Operations Center (SOC) and essentially walked through our processes and how the SOC operates. One of the immediate improvements was using the dashboards more effectively, so we just used the standard, out-of-the-box dashboard, and it actually wasn't really telling us much.

Now, the SOC have custom dashboards, showing them a lot more useful information, puts the information in context, and they are actively using it for proactive investigations, rather than just responding to alarms.

It has certainly helped with the visibility. We probably don't use the platform to its full extent. We've expanded the size of our SOC and the number of people in it. We are now starting to use the features, such as SmartResponse, to help automate things. We've probably been guilty of throwing people at the problem, as opposed to leveraging the tool itself. We are now trying to change that.

We host quite a volume of sensitive, personal data. We are a credit reference agency, based in the UK, and we hold records on probably, around about 50 million adults, both personal information and financial information. Our core role is protecting the confidentiality of that, so breaches, such as the Equifax breach, that happened recently, we have absolutely got to avoid that.

We are not leveraging the tool to its fullest extent at the moment. We had a focus session with our SOC, the other week, and we've got a defined roadmap now to make things a lot better.

We are at a good place now. We have just started using things, such as case management, whereas previously we were just responding to individual alarms.We're starting to use things a little bit more intelligently now, so not just using the technology, but also helping improve our processes through the use of the technology.

There are enough features that we are not using, and not to their fullest extent, at the moment.

The company has been using the platform for seven years. I joined the company three years ago.

We tend to struggle. We do see performance issues fairly regularly. I think part of this is the stress that we're putting it under, with the volume of events that it is receiving. When we put the new appliances in, which is imminently, we're hoping that it will solve a number of issues: the number of the performance issues that we see.

It seems to be scaling well.

We have currently just got a single platform manager that's been carrying out the role of the web console and AIE server. We've probably thrown too many events at it, and we are now, effectively, putting in a DR solutions, a second platform manager, and then spinning off individual components, so appliances for the web console and AIE server.

We are effectively doubling the size of the platform, at the moment, to cope with the volume of logs that we're throwing at it.

A couple of the team do tend to find that certainly the initial contact with support slows things down a little bit. I think their support has their script or their route to follow to triage the issue, whereas we've already done that because we know the platform, we've been there and we know what to do when something happens. Generally, we contact support when all else has failed. For us, we probably need to hop down the line a little bit, rather than just hit the initial support function (the first line).

When we do reach the right level, they are knowledgeable.

The risk appetite changed. We are in quite a regulated organization, and having something like LogRhythm in place gives us the visibility and the comfort that we've got the monitoring required in place.

I would not know.

Technology's important, but it is the support you get as well. Don't just focus on, necessarily, the features and technology, but also consider the support and the engagement you get with the organization.

Most important criteria when selecting a vendor: the relationship. I would not want to work with an organization that just sells you the technology, then disappears or only ever speak to when there is a problem. It is starting to look a little bit more like a partnership now with LogRhythm, that's exactly what we want to maintain.