it_user756408 - PeerSpot reviewer
Information Security Analyst 2 at a non-profit with 1,001-5,000 employees
Vendor
Gives us visibility into areas we wouldn't have seen, such as code execution; allows us to drill down on servers

What is most valuable?

  • Visibility
  • The AI Engine for rule generation

How has it helped my organization?

We have two facilities, a combination of all different platforms, Linux, Windows, etc. It's just all across the board.

It's definitely given us a lot of visibility into areas that we probably wouldn't have normal visibility into, such as code execution and things like that. It allows us to really drill down as to what's happening on the servers as they are being used in production, to where we can really get in and figure out what's going on.

What needs improvement?

It's pretty effective. In some cases we have run into some issues with the way that the rules work and the alarms trigger. We get a good number of false positives.

I wish that there were more instructional videos on how to do different things and more walk-throughs.

Also, easier generation of AIE rules, or custom ones.

What do I think about the stability of the solution?

So far it's been really good.

Buyer's Guide
LogRhythm SIEM
May 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.

What do I think about the scalability of the solution?

Scalability is very good.

How are customer service and support?

I've used LogRhythm tech support. I would rate it as very good, not excellent. For instance, we were trying to deal with pass the hash, which is a very common exploit, and LogRhythm tech support told us they were just going to turn that rule off, that we can't use it. We had to keep pushing until we had someone in another department push to an upper level of tech support to finally get it to where it was working.

What other advice do I have?

It's very important for a solution to be a unified, end-to-end platform for us.

It's a really good solution. It's been very stable. At the same time, we have had some issues, some false positives.

And that issue I told you about with tech support, there have been some challenges getting it to be where we wanted it to be, for a solution, like LogRhythm, that is supposedly best in the industry. I just thought it was kind of poor that they would take a common exploit that's been in use for years and say we can't get it to work when, obviously, they could get it to work. It was kind of lazy.

Still, I would say go with LogRhythm.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user756393 - PeerSpot reviewer
Junior Information Security Analyst at a financial services firm with 51-200 employees
Vendor
All logs in one place; we can quickly determine if there is a threat actor, from internal to external​

What is most valuable?

The fact that I can quickly determine if there is a threat actor from internal to external. That's our primary goal. We have a lot of traders and a lot of developers, internal, so that's generally where our presence is. We don't have a whole lot of online presence. We're not so much worried about external actors.

Being able to determine what a user is doing is really helpful for us.

How has it helped my organization?

We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.

Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.

Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights; we were going by the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.

We've been able to identify certain individuals and not have issues past that.

What needs improvement?

There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that.

What do I think about the stability of the solution?

Stability is not great but I think that's our issue. Qualys seems to blow it up all the time, but that's more on us to stop Qualys from scanning LogRhythm.

What do I think about the scalability of the solution?

Scalability is pretty good. We rolled it out at our primary company and then rolled it out past, to our sister company, which went really, really well.

How are customer service and technical support?

It's awesome.

What other advice do I have?

It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.

I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.

One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."

Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user756330 - PeerSpot reviewer
Senior Network Engineer at a transportation company
Vendor
SmartResponse, alarming, and being able to write our own rule set allow us to delegate alarm monitoring

What is most valuable?

  • The SmartResponse and the alarming
  • The ability to write your own rule set

How has it helped my organization?

It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.

What needs improvement?

Sometimes our rules don't fire correctly, events don't get created correctly, but that's mostly just because we have to write custom regex.

Also, moving away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful.

At times it gets a little clunky, or resource-intensive, but it works.

What do I think about the scalability of the solution?

It works pretty well. It's somewhat hard to delete something out of the system. That's probably our only challenge, because we reuse an IP address and then it's difficult.

How are customer service and technical support?

We've used them a few times. They were pretty good.

Which solution did I use previously and why did I switch?

We actually weren't using anything before. It was a conglomerate of a firewall and the Windows logs. But we had an IT architect that was more into security.

How was the initial setup?

It was pretty easy.

What other advice do I have?

Regarding a solution being a unified, end-to-end platform, it helps, but it's not completely necessary.

For what it does, LogRhythm works pretty well.

If I were to advise a colleague who is looking into this solution, I would say train someone, as their full-time job, to use it. It's not an easy product to get around.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Cyber Security Researcher at a tech services company with 1-10 employees
Real User
Efficiently catches threats and reduces the risk of exposure
Pros and Cons
  • "In terms of security, LogRhythm NextGen SIEM is great."
  • "Scalability-wise, it's not that great."

What is our primary use case?

Private monitoring is our primary use case.

What is most valuable?

In terms of security, LogRhythm NextGen SIEM is great.

For how long have I used the solution?

I have been using LogRhythm NextGen SIEM for one year.

What do I think about the stability of the solution?

LogRhythm NextGen SIEM is stable.

What do I think about the scalability of the solution?

Scalability-wise, it's not that great, but integration with other solutions is pretty easy.

How are customer service and technical support?

The technical support is great.

Which solution did I use previously and why did I switch?

We also use Splunk, but in terms of security, we always recommend LogRhythm NextGen SIEM.

How was the initial setup?

The initial setup was very straightforward. We deployed LogRhythm very easily. In total, including configuration, we deployed this solution in less than one day.

What's my experience with pricing, setup cost, and licensing?

In the context of our country, the price of this solution is too high.

What other advice do I have?

Overall, on a scale from one to ten, I would give LogRhythm NextGen SIEM a rating of eight.

I would definitely recommend this solution; my only concern is with the price — it should be lower.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner

it_user769680 - PeerSpot reviewer
Sec Eng at a financial services firm
Video Review
Vendor
I don't have to log in to six or seven different appliances and hunt for data

What is most valuable?

What I found most helpful out of it is the ability to see all of the same data, that I would get from my appliances, in one place. I don't have to log in to six or seven different appliances and hunt for that kind of information. I can just do some queries within LogRhythm and it tells me the same information.

What needs improvement?

One of the things I find that would be helpful is the GLPR information, to be able to understand what is actually being processed. I've got, say, 20 different rules, but I don't know which one is getting more of the data, which is getting none of the data, because there's not really a good interface for that.

What do I think about the stability of the solution?

The stability, it's pretty high, there were some early issues, we were overrunning it with data, and part of it was a sizing issue. Once we got through that it's been running a lot better and it's been more stable. We haven't had to worry about it falling over on itself.

What do I think about the scalability of the solution?

At this point we're still using a single XM appliance. The scaling that we've had is really just upgrading from an older-series to a newer-series XM appliance.

How are customer service and technical support?

There were a lot of support calls we went through, and they would tweak and change a few settings here and there. Then eventually, what we did was we upgraded to different hardware because there wasn't anything else we could remove. We had to continue to keep getting those same logs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user756360 - PeerSpot reviewer
Director Information Security at Vail Resorts
Vendor
An easy, centralized view of our environment

What is most valuable?

Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.

It has been the easiest SIEM platform that I have worked with or seen in production.

How has it helped my organization?

It is an easy, centralized view of our environment.

Our key challenges and goals are maturing our security operations and security event management process.

What needs improvement?

  • Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
  • The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us.

We have implemented it as a necessary feature, but we need to be able to mature that.

What was my experience with deployment of the solution?

I was just involved in the decision-making process. However, I know that the deployment was straightforward.

What do I think about the scalability of the solution?

It seems to be highly scalable and easy to scale.

How are customer service and technical support?

I have not used LogRhythm technical support.

How was the initial setup?

I was just involved in the decision-making process. However, I know that the setup was straightforward.

What other advice do I have?

It is extremely important for our solution to be a unified internal platform.

I would recommend looking into it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

it_user756414 - PeerSpot reviewer
Lead Info Security Architect with 501-1,000 employees
Vendor
We have used its alert capabilities to help us mitigate issues more rapidly

How has it helped my organization?

It helps by collecting logs from a lot of different security items, like firewalls and IPSs. It helps to give us alerts to let us know if something is happening on our network. It has really good log collection and event and alerting capabilities, so we have used those alerts to help us mitigate issues more rapidly.

We have been able to stop ransomware by being alerted through LogRhythm. That was probably one of the biggest things. Also, malware events and things like that.

What is most valuable?

Using the web console to get a quick look at what's happening on the network, so the different dashboards that are available. Those are probably the things I look at first. Probably very useful at really analyzing what's going on.

What do I think about the stability of the solution?

We haven't seen issues with the product itself. There are updates which are now automatic through the knowledge-base. So, I'd say it's a stable product.

What do I think about the scalability of the solution?

We have not had issues with scalability as far as LogRhythm's concerned. We're not big enough to have issues of scalability with it. It is a much bigger product than that. We're not a huge global organization, so it's more than enough for a company our size.

Our environment is about 1,000 users, about 900 workstations, and a couple hundred servers. It is a Windows and Cisco shop.

How are customer service and technical support?

They are really good. Whenever I've needed their help and opened up a ticket, I haven't had any issues getting help from them. We have a guy right now who is really excellent, and will go out of his way to help us with making sure we are getting things set up properly, so that's really been a big help. They have really smart people there. When you work with them over the course of a number of years, you see how bright these guys are, so it's nice.

Which solution did I use previously and why did I switch?

We're fairly close to Boulder, so buying something that was local, I like to do that, and it is a great product. We're happy with it. I think it is one of the best SIEM tools out there. So, no regrets about going local, and it's nice to have them down the road if we need to get to them.

What other advice do I have?

It is a great product. We brought it in initially as a central event log for PCI compliance. It's been really good for PCI compliance, but then we leveraged it for security across the network, so it has been really good that way. It really requires somebody to be able to dedicate a lot of time to getting sources into it. It's hard if you're a partial user of it. It takes a lot longer to really understand the product, because it's big. There's a lot to it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

it_user769656 - PeerSpot reviewer
Information Security Architect at a healthcare company with 1,001-5,000 employees
Video Review
Vendor
We can constantly add logs into our system without any issues; find and fix problems fast

What is most valuable?

I believe the most valuable feature for us has been that we have all the logs together. We can query them, we can find all kinds of different situations that are going on in our network that we wouldn't have knowledge of without searching many different servers and logs.

How has it helped my organization?

Quicker ability to troubleshoot the problem, find the problem, get it fixed, and get the customers back up and using our system.

What needs improvement?

I'm sure there are always areas, in stability and scaling, that need improvement. I don't have anything right off that I can say I know needs improvement right at this point.

What do I think about the stability of the solution?

We installed in 2009, and the stability has improved over the years. I consider it to be quite a stable product now. It seems to work day after day, week after week.

What do I think about the scalability of the solution?

With version 7, we feel the scaling improved a lot. We are a large health system and we are quite often adding new businesses, new healthcare offices, new hospitals to our system. We are able to add those extra logs into our system without causing any issues.

How are customer service and technical support?

Tech support has always been good from the very first. In most cases the first response is a good one. It does the job, and if not, then you get back to them and they stay with you until they get it fixed.

How was the initial setup?

We thought the setup was very quick and easy; of course, we didn't try to boil the ocean all at once. We've been, over the years, adding more and more phases to our system, completing it in phases.

What other advice do I have?

Really figure out what you want it to do for you, because it is very flexible and can be used for many different purposes. Determine what you want to use it for, and then get the assistance from LogRhythm to help implement it in that way. Then you can always expand it and take in other areas. But your primary goals need to be met right up front.

We are very happy with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.