LogRhythm SIEM Reviews

It's all in one solution since we bought the network monitor along with it. It has made finding issues or threats on our networks a lot faster and easier. Something that would have taken our team and multiple IT people 5-6 hrs to resolve before, can now be done by one person in 1-2 hrs. Plus with built in case tracking it makes it easy to track what is going on and what has been reported.

With built in reporting it makes change tracking and compliance reporting a lot easier. WE use to have to update the documents by pulling in data from multiple sources and having to wait to get data from other departments.

My favorite part of LogRhythm is its ease of use. Everything I have used is designed very well, and makes sense after little time on the system. The new web interface is very fast and easy to use and see what is going on in a glance.

The AIE rule set is easy to setup and use. They have a lot of built in modules that have the rules already created for you. The deployment guides are easy to follow for setting up the modules. Personally I love the UBA or threat modules. These will first do a system baseline then start flagging events outside your normal operations. Creating new rules is very easy with the GUI.

Compliance reporting is another great feature of this product. It has built in reports right out of the box. Plus it was one of the few products with FIPS 140-2 encryption for the data base.

Only area I can think of to improve on is the proof reading and using the guides before releasing them. Out the the 20+ guides I used one had issues with wrong information in it.

We have a HA setup and have had zero down time so far.

Haven't had to scale it up yet.

Customer Service:

10 out of 10. They are fast to answer any tickets or questions I have had.

Technical Support:

10 out of 10. They have had a fix or answer for every question or problem I have had

Yes we did. It just wouldn't handle our environment all. It was going down all the time. One update caused it to delete all of our logs over a month old.

The setup was easy and straightforward. Even the HA setup was simple.

The first network was done by a team from LogRhythm, the other networks where handled in-house. The team from LogRhythm was very good at the setup and deployment.

The calculated ROI around 90-100% for the first year because of our implementation and design of this solution allows me to cut my team in half. This includes the costs of setup and training. We will how this plays out in the years to come.

Look closely at the cost of licensing of other products. This should include setups and the need for support services. I did a RFQ to 2 other vendors before choosing this product.

One major issue for me was a product that you can't use if you go over on logs collected. Where I work it can take forever to get funding to fix a overage issue. This is one product that use a true up at the end of the year to address this issue.

Yes we evaluated and used a few other products.

ArcSight, Solarwinds LEM, Splunk, and IQ radar. Splunk and IQ radar where the products we evaluated with LogRhythm. The other two products are products we used before.

Work closely with your sales and engineering team for your setup and give them all your requirements and use cases.

The reporting feature is valuable.

We used it primarily for security logging of events. We created reports based on traffic awareness for security.

We would like to see a better base templates for reporting.

I've used it for six months.

The only issue we had was getting the Net Flow incorporated. However, that was issue was because of our implementation. Once we made a change it worked.

There were no issues with the stability.

We had no issues scaling it for our needs.

I'd rate customer service a 10/10.

I'd rate technical support a 10/10.

I've also used QRadar.

It was fairly straightforward.

LogRhythm's vendor team helped us set it up. The box was delivered and they helped us get the licensing in and the initial setup.

I would make sure you have Events Per Second set high enough for all of the events. This will cost a little more.

It will take time for fine tuning, expect for four months to fine tune it to exclude the false positives.

The web interface, especially since the move to the open source storage system in v7, allows almost instant access to detailed log data from across the platform.

I work in the IT Security channel, reselling LogRhythm and associated consultancy services. The improvements from implementation of LogRhythm are to my clients' organizations.

The reporting engine is poor in comparison to other areas. It should be moved to the web interface to improve its functionality and usability.

I've been using it for over four years, since v3.

We have had no issues with the deployment.

We have had no issues with the stability. We haven't experienced instability.

The scalability before v7 was sometimes difficult due to the hardware performance required. Since v7 was released, the clustering and scalability options have improved significantly.

The UK-based technical support is good, and the engineering and lab teams based in the US are great.

I have experience with Splunk and ArcSight. LogRhythm's correlation capabilities (part of the AIE component) is much better than Splunk's, and the solution as a whole is generally cheaper and easier to implement than ArcSight.

The initial setup is straightforward. Follow the initial setup guide and the solution works within hours. Easy to use configuration tools are included.

I work for a reseller and consultancy firm in the IT security channel. I would recommend using a vendor or reseller to assist in the deployment, as although the basic build and set up is easy, on-boarding log sources and setting up the system to report and alarm on events requires experience and expertise.

As part of your plan for SIEM, identify what you expect the SIEM to be able to do for you / your organization. SIEM is not a silver bullet. SIEM will take a considerable amount of use by a security analyst or similar to get the best out of it. SIEM managed services offered by resellers or system integrators may be good value and should be seriously considered to ensure the best outcomes from the SIEM.

It allows me, through the reporting functions, to take a quick scan of what's happened in the prior 24 hours.

Also, it's essential for our compliance. We're audited frequently and this is the piece that's essentially mandated by the State.

It creates a good feedback loop whereby I'm able to scan through and see what off-limits activities users have been doing. I think it improves the organization by letting them know that everything that they're doing is not invisible. It's a demonstration to them that they need to do what they say they're going to do and follow the policies that are in place here.

I'd like to see a real-time dashboard of events. I know it's available, but it needs work. I haven't been able to put in the 20 or 30 hours that it would take to really become an expert with it. I rely on the PDF reports which guide my day, but having the information in real time in the dashboard would be nice.

To me, the best additional feature would be, much like you see with a firewall or with an antivirus scan or intrusion prevention, a real-time console for activity and almost sort of automatic updates for certain features. That would be helpful.

We got our first unit here in 2009.

We've had no issues with deployment.

Stability has been fine. There were some problems in earlier versions, but I wouldn't put that all on LogRhythm. Part of it was that we needed and equipment upgrade and it was literally a year and a half or two years where it was optimally built for that we had to continue using the old version, the old appliance, and it took us a long time to get upgraded. So we were dealing with some rather clunky situations, running out of disk space, that kind of thing.

I really can't comment on scalability because we're a rather small organization. We only have 50 or 60 staff members and no plans to really grow or extend the use of it out to another organization. From the beginning, it's handled all of our work and again, without any real big plans to grow, it's hard for me to comment on that.

Their support team is very good. As IT organizations go, I can only think of maybe one time when I had to request a second person to look at a problem. They provide timely responses, and they provide really good training. I have no complaints.

The setup requires an agent to be installed on all the machines and we have an in-house intrusion prevention system server base. We did a fair amount of finagling with that. I would say in an organization without those types of software running, it would be a piece of cake. I think it would be excellent. With us, we had a few extra hurdles to jump through just because of the fact that we had to be so secure in-house here.

LogRhythm sent the appliance, we hooked it up, and we plugged it in. From there, they gave us 10-15 hours of time with a setup team via WebEx. They took control of the machine and taught us the basics. Then we took it from there.

We've maintained the same base of licenses since we began, and it was sized properly. I would say they gave us good advice on how much to spend on licensing. We've been able to collect all the logs we really need here for that issue.

We evaluated the freeware alternatives, but we needed a turnkey solution and we just didn't have hundreds of hours to put into a starter box, so we went with a commercial buy.

We didn't perform an exhaustive search, but the result was somewhat fortuitous. I began the search and found someone at LogRhythm I felt I got along with. This person was very knowledgeable beyond the salesman-type of knowledge. He was able to relate with our needs here.

I would recommend them. I think that their product has evolved over time. I think there were a couple of years in the very beginning when I was a little frustrated with them, but now, and especially, we just bought a new box last year, the newer version, it seems to have a lot of the kinks worked out, and so I wouldn't have any problem recommending them.

The most valuable feature is the AI engine, as well as the usual SIEM product stuff. The ability to have all of our logs in one place is a big thing for me.

It’s brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.

The reporting aspect is difficult to use and very difficult to get your own reports. So far this is it; they have a web UI and we had a recent update which fixed a lot of bugs and added a lot of great features. But the reporting is lackluster.

I've used it for 10 months.

We've had no issues with deployment.

Since we purchased one of their boxes, we've had 99% uptime. The only downtime has been for updates and upgrades. So we've had no issues with instability.

We foresee that it's scalable for our future developments. At the moment, we are using half of what it’s able to do.

I've been happy with the support in the initial setup. The support in our environment was well done. For any issues, we have had someone on the phone on that day, so there have been no downtime issue. They are super nice.

We didn’t have a solution before. It's usable out-of-the-box and it covers a lot of holes. It's done its job.

We looked at AlienVault and Qradar.

Definitely do a test run, a proof of concept, so it’s understood how it’s going to work in your environment. Also, take the training that they provide; i t's super valuable.

The AI engine is what I like the most. It’s all in how LogRhythm correlates the events that it is receiving. It takes a lot of guesswork away from the analyst. We don’t have to reinvent the wheel. Out of the box, it's very easy and intuitive to get started. It’s easy to see the impact of the event in which you are receiving.

For me right now, I have not used it long enough to give an evaluation of what the product is lacking. As far as room for improvement, I would like to see the solution be a more hardened operating system other than Windows. I’d prefer that they didn’t use the Microsoft Windows platform. I think that they lose a lot of efficiency and performance that way.

When I first deployed the product, I did find some issues with log consumption. The appliance we had was rated at 25,000 messages per second and we run an average of 1,204 messages per second. We are seeing performance issues with the appliance. It appears that there are some inconsistencies that are running with the hardware of the solution.

It seems pretty good, but they do seem to be plagued with what a lot of new companies are plagued with -- their internal staff are still learning the product as well. Some of the sessions I’ve had were with technical support, not professional services. We have discovered some answers together instead of the technical support person knowing it off-hand. Some things we stumbled on by accident, some things I had to point out to the agent. Seeing as I have only used the product for two months, that person should know more than I do.

I previously used McAfee ESM, QRadar, and ArcSight. McAfee is by far my favorite SIEM to utilize. It is very robust, very quick. The ability to query is much faster than all other popular SIEM tools. Now that it requires a lot more hardware investment, it almost requires a developer mentality to massage the tool to make it do exactly what you want. This is where LogRhythm really outshines McAfee.

It was done in-house. A person from a different state logged on and helped me via web conference and helped me through the initial configuration.

I foresee a ROI. You need to understand what an ROI is. We are trying to buy peace of mind. It’s almost an insurance policy. It’s really measured in soft dollars.

The speed at which I can get into forensic data is the most useful thing.

It’s very easy to overwhelm the system. I have some of the beefiest data that they provide, and I can still overrun the system.

The native ability to identify the correct time of logs and data also needs work, e.g. if I bring in a system log data stream, LogRhythm's ability to natively say it's a Cisco firewall or a Palo Alto firewall -- sometimes it struggles to identify the device.

I've used it for 18 months.

I love the tech support people. Everyone I have worked with knows their stuff, which is great. I have worked with other SIEM products before and it was hard to find a knowledgeable person. At LogRhythm, everyone I have talked to has been incredibly good.

We were a RSA Envision customer. Our platform was going away, so that’s one of the reasons we switched. We weren’t really impressed with the security analytics platform that they wanted us to move to. We didn’t want to make the investment they wanted. For our industry they were lacking.

I had seen LogRhythm before, and back then a few years ago, they weren’t a player in the market. Since then they have moved to a much better security analytics platform. For what we need, LogRhythm is a perfect fit.

It was very straightforward.

We did it in-house.

We have had the production environment up now for over a year. I foresee a ROI. The thing about a SIEM, is that it allows you to get a visibility quicker. It’s hard to quantify that soft cost. I’d say we are there or about to be there.

I'm not a fan of the big names in the space. I recommend it as a solution for medium to large business.

I’m in contact with them on a very frequent basis. I work with my contact a few times per month. I can’t complain about them at all.

The advanced intelligence engine -- in fact, the whole suit -- is very powerful. It depends how you use it. Security management is what it's best at. As far I’m concerned, it’s one of the best.

This product is in general for medium-sized companies. For bigger companies with millions of logs coming in, it just cannot support them. The solution is not robust. It depends on the size of the companies and the size of the firewalls you have which will determine if it will work for you. Thus product is really good and easy to use for medium sized companies.

I've used it for three years.

Initially we had a lot of issues. Today it has improved dramatically, and it has no issues in deployment.

It is very stable, but we have to work with it and identify which logs we need. If we don’t, it doesn't handle the traffic well. 

Every tool is different, and you just have to work with it.

It’s one of the best customer services you could find. Everyone is very knowledgeable and helpful. You aren’t waiting around for tickets to be resolved. If they can’t resolve it, they escalate and resolve quickly.

Absolutely we have made a ROI. It resolves a lot of issues. It helps a lot of our infrastructure and everyone is benefiting. It’s absolutely worth the money spent.

They are very transparent about the licensing. They are upfront. They tell you what can handle what. They are honest people.

I have been invited to user group meetings and we have had good conversations. They have been very helpful and they understand my needs. They listen to our input and really take it seriously. They really work with us on different issues. 

Everything is fantastic.