Senior Security Consultant at ITSEC Asia
Reseller
Top 5
Provides EDR, MDR, and XDR with the AI engine assist but has retrieving issues

What is our primary use case?

Mostly in Indonesia, LogRhythm SIEM is used by government agencies that must use the on-prem solution because of the significant requirements for SIEM solutions. It sells products as a one-time solution rather than a subscription model. Many customers sometimes forget to renew their subscription. If someone doesn’t renew the subscription, the only options that could still operate are LockSystem and Elastic. If you don’t renew the subscription, it becomes basic and loses most functions, but you can still operate the system with limited functionality. It allows full access until the last bill is paid.

Secondly, LogRhythm offers more than SIEM; it has an EDR, MDR, and XDR. Compared to its competitors, it is the most complete solution. The downside of LogRhythm is that it is slow.

What needs improvement?

LogRhythm SIEM works well, but the biggest pain point is retrieving logs using multiple filters. Even though they use Logstash from the ELK stack, it becomes very slow. LogRhythm's system uses Logstash, and while it's very fast in Elastic, it's not as quick in LogRhythm.

For how long have I used the solution?

I have been using LogRhythm SIEM since 2022, and I worked with this solution from 2012 to 2014.

What do I think about the stability of the solution?

LogRhythm is very stable. The big four for SIEM—LogRhythm, Splunk, and Elastic—are all very stable. They don't have many critical incidents while performing their tasks, and almost no test incidents exist. LogRhythm’s query processing is slow.

They will provide the results, but sometimes the data takes 15 to 20 minutes, or even an hour, to display. 

Buyer's Guide
LogRhythm SIEM
May 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.

What do I think about the scalability of the solution?

Scalability depends on the two types of products. One uses virtual software, and the other is an appliance system. The virtual server is very easy to scale. We can add processing power, memory, and storage, allowing it to scale up easily since it is virtual. It’s not as scalable for the appliance because they sell appliances designed for a certain number of users and capacity. LogRhythm uses EPS, which limits the scalability of the appliance systems.

LogRhythm measures throughput in Messages Per Second, not gigabytes per second. Scaling is determined by the number of messages processed per second. While storage capacity can be increased, the appliance's performance is optimized for a specific MPS range, making it challenging to scale beyond its designed capacity. 

It is for mid-sized organizations because they don't need to scale significantly. For example, if they only need 10,000 MPS or 5,000 MPS, the appliance is sufficient for their requirements without further scaling.

I rate the solution an eight out of ten.

How are customer service and support?

LogRhythm had a strong presence in Indonesia between 2012 and 2014, with excellent support. From 2022 until now, their regional office has been in Singapore. If support is needed, it typically goes through a distributor. For more complex issues, we must contact Singapore for assistance. Getting LogRhythm personnel to come to Indonesia can be challenging, and arranging an on-site visit usually requires significant effort.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is easy because LogRhythm has the most out-of-the-box integrations with Penitin. If I have a firewall, they have an out-of-the-box connection with it. If I have a switch, router, or another system, they also have out-of-the-box connections with those. It's very easy to use LogRhythm's system.

What's my experience with pricing, setup cost, and licensing?

IBM QRadar is the most expensive SIEM solution, followed by LogRhythm and Splunk, which are also on the higher end in pricing. LogRhythm and Elastic are more affordable options. Elastic is open-source, making it a cost-effective choice.

LogRhythm stands out because it offers a perpetual license, meaning renewing it annually is unnecessary. Over a long period, such as five years, this makes it a cheaper option since the license does not need renewal.

What other advice do I have?

LogRhythm's AI engine assist is good enough. Everyone talking about threat hunting mostly mentions continuous virtual assessment or vulnerability management. The guard will allow some people in and stop others based on their knowledge. If the SIEM determines that a person is eligible to enter, they will allow it; if not, they will stop them. 

Overall, I rate the solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Business Manager at LS Systems Philippines
Reseller
Top 20
Stable with one central dashboard and good scalability
Pros and Cons
  • "The product is great for medium to large-scale organizations."
  • "The solution is likely not the best option for a smaller organization."

What is our primary use case?

We primarily use the solution to reduce insider threats. We also use the product to deal with some aspects of banking security. For example, with this product, we are able to lower the threat of being attacked by malware.

What is most valuable?

I appreciate the fact that I can do everything from one dashboard. That is the main aspect of LogRhythm so far that I find extremely useful. We don't need a different dashboard or other solution for managing things.

The initial setup is simple. 

The solution is stable.

The product is great for medium to large-scale organizations.

The product can scale. 

Technical support is reportedly quite good.

What needs improvement?

What I would suggest is for the product to make the consoles more user-friendly. The integration module should be simpler. That way, the end-customer himself can do the integration and they are not always dependent on our side. The integration with other vendors should be easy.

The solution is likely not the best option for a smaller organization.

One of the features I like to recommend is a LogRhythm queuing ticket for a level-one tier system so that clients are not dependent on a third party.

For how long have I used the solution?

We've been working with the product since 2018. It's been almost three years at this point.

What do I think about the stability of the solution?

The solution is very stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

What do I think about the scalability of the solution?

In terms of scaling, the solution is best for medium to large companies. Smaller companies likely do not want to invest in IT security products, however, for medium to large organizations, especially banks, LogRhythm works well.

It's easy to scale. What we do for scalability is we always put the hardware capability higher than the license. For example, if a customer wants a 3,000 MPS license, we always provide 6,000 MPS hardware. If they want to scale the license to 4,000 or 5,000, we just put the license in, and then it works as the size capacity is there. It's easy. It's not that difficult.

How are customer service and support?

We are not an end-user and therefore do not directly deal with technical support. In terms of the support, the end-user would get a response from the technical team, and, so far, from the feedback I've gotten, they are good. Clients seem satisfied with the level of service they receive.

Which solution did I use previously and why did I switch?

I also work with Oracle. 

How was the initial setup?

The initial setup is simple for us, basically. It's not that challenging. The main challenge we face for integration is from the different vendors, as we have to do different tasks. However, the deployment of LogRhythm is very easy.

It takes 12 to 15 days for a full deployment.

We have two phases that are five to seven days each. The second phase involves integration and tuning stuff and that can usually take six or seven days for that part alone.

It's on a Windows server. Windows is very convenient for everyone. Users can just follow the process as per LogRhythm and it's easy to deploy everything.

In our distribution model, we don't provide end-user support directly. We have another partner company that provides maintenance and support for the end-user. For the partner side, many of the engineers are LogRhythm certified and they do the maintenance and other tasks.

What about the implementation team?

As an implementor, we can handle the setup for our clients. 

What's my experience with pricing, setup cost, and licensing?

LogRhythm pricing is based on the MPS. They always quote the pricing per unit of MPS. The number of MPS which the customer needs is what we provide with the unit price and we get a good discount on it, as per LogRhythm.

The price is in USD. For that reason, when we convert from USD to our currency, the pricing seems quite high.

Everything is included. We get the data processing license as well as the sole license and the filing, ticketing, monitoring licenses, and the collector license as well. We get everything in one package.

What other advice do I have?

We are a distributor and we have around 15 to 20 partners who are working with LogRhythm in this region. We work for the end-user and we implement it and handle presentations for the customer.

We are working with the latest version of the solution. I can't speak to the exact version number, however.

I'd rate the solution at a ten out of ten. It's a very good product overall. Clients have been very happy with it. In terms of the feedback we've received from the end-user and our own experience with the deployment process and manageability, everything is great.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Senior Network Engineer at a government with 5,001-10,000 employees
Real User
Useful to maintain logs for auditing purposes, but too complicated to use with insufficient support
Pros and Cons
  • "The feature that makes it usable is the web interface."
  • "It is a product that is very hard to use."

What is our primary use case?

Our primary use case is for general log monitoring. We do not use it as a SIEM.

What is most valuable?

The feature that makes it usable is the web interface.

One nice feature about the product is the log message field extraction, where they try to fit every field into a field name. A log message is a string of ASCII text and its value depends on how the vendor formats it. Fields within log messages, such as a time stamp or source IP address, are delimited by spaces. Depending on the type of device, the information varies because if it's a temperature sensor you'll get temperature, or if it's a pressure sensor you'll get pressure, but if it's an active directory server you'll get an active directory message. The problem comes about because in some cases, the fields are not labeled.

Rather than an identifier for a source IP address (e.g. "SRCIP="), it will just have the address, and you have to determine what it is based on its location within the message. Of course, even though the field name is not in the log message itself, the field will still have a name. Extracting it correctly requires that you understand how the vendor formatted it. With LogRhythm, it does a better job than some products at slotting every field into a field name.

What needs improvement?

The biggest complaint I have is about their support. There is no free instructional advice available on their website. An example is with their field names inside log messages, where they have one named "Common event". That is something that LogRhythm has created, and you can't figure out what it means unless you pay a large sum of money for LogRhythm training. Compare this to Splunk, where I can go to their website and download twenty articles on field names right now. There is no documentation that we can afford to buy for this product, so we just have to wing it.

Their product has issues when it comes to hard drive management. Again, their support is not one hundred percent. We are using their hardware, and one time the product just spontaneously stopped collecting logs for about a month and nobody knew it. We called them, and it took a week or two of troubleshooting before they found the issue. To make it worse, the issue was not a misconfiguration. Rather, it was related to how they were storing temporary logs on the hard drive. The drive was shutting down and the logs were not being accepted. It took them weeks to figure this out and it shouldn't have happened in the first place, which suggests a bad design.

It is a product that is very hard to use. You have to set a wide variety of parameters before you can even start to search. The highly structured nature of it does provide some guidance, but with a lack of documentation for things like field names, I don't know what I'm looking for. 

We don't get much use out of this product because people around here consider it to be unreliable, and it's hard to do searches. The main reason for it being here is that there are audit requirements for collecting logs and maintaining them. We have been able to solve problems with it, but searching is kind of clunky.

For how long have I used the solution?

Three years.

What do I think about the stability of the solution?

With respect to stability, I can only speak to our environment, but we have had issues with the hardware. It's a Windows product. We have seen the system spontaneously seizing, and we have experienced complete failure.

When an incoming log message is processed there are a lot of operations that have to take place. These include analyzing the time, identifying fields to see which are present, naming the fields, and indexing the information. We have seen this process fail quite a few times. With the recent purchase of new hardware, however, I don't think that we have had this problem lately. It may be related to an older version of the hardware, but I don't know.

What do I think about the scalability of the solution?

I think scalability would be more difficult. Unlike Splunk, where the licensing is based on the volume of incoming gigabytes, you have to buy additional hardware to handle an increase in data. These boxes are then added to a cluster, and it is expensive.

We have four or five people who use this product, and we're all network engineers.

How are customer service and technical support?

I don't like their support.

If you go on their website and you want to get a training video for how to do X then forget about it. They're not going to give it to you until you pay. They don't give you any information unless you pay for it. I think that stinks about the product.

Let's say that I am using Splunk, and I need to know how to write a regex (regular expression), or if I need to know how to configure an index or something, then I go on to the website, find an instructional article, read it, and finish what I'm doing. With LogRhythm it's "Where's the money?"

I understand that you have to pay for training courses, and I understand that you have to pay for certification, but it is the same with Splunk. With LogRhythm, it doesn't give you anything without paying first.

What about the implementation team?

LogRhythm came in and deployed the product, and there is no maintenance required that I know of.

What's my experience with pricing, setup cost, and licensing?

This is a solution for people who have cash to spend. Everything is expensive with LogRhythm, and you don't get anything for free.

I suggest that everybody who uses this product receive the full training and certification, and can also afford to pay for the high-level engineering support. If you don't have the money for the training, then it's not for you. It costs approximately $5,000, but if you don't get it then you won't be an efficient user. It is a very complicated product, so the training has to be a commitment that you're willing to make. The training cannot be for a single person, but everybody who will be using the product.

LogRhythm sells you a box that has a certain capacity for incoming log messages. Once you exceed that capacity, you have to buy another box and cluster it. It's expensive. It is for environments where the money is not a barrier.

Which other solutions did I evaluate?

The solution was already in place when I arrived, so I was not involved in the decision.

What other advice do I have?

Honestly, I don't like this solution so much. I'm actually a Splunk Certified Architect and so I know Splunk pretty well, and when I compare them, I really don't like this product. The best advice that I can give is not to install this product unless you have a use case that matches its capabilities.

The use case for this product, the LogRhythm SIEM, is in a regulatory environment such as HIPAA, SOC, PCI, or banking. These are heavily audited environments where you have precise requirements for reporting. They have pre-configured lots of different types of inputs but it's a very rigid environment. You can only collect information from certain types of sources and it's very complex as to how to instruct the product to obtain a certain type of log message.

Once you configure a new log message source, you'll have to go on to the LogRhythm platform and conduct a variety of clicks and actions to vet or verify that log source and allow LogRhythm to start collecting logs. Not only that, but there's one more annoying thing. I'd say for these highly audited environments, regulatory environments that I mentioned, they have many, many pre-configured reports.

So, it's designed very rigidly. In other words, they have done a lot of work in pre-identifying what the fields are in every type of log message. If you're getting log messages from Active Directory or the firewall then they know exactly what every field is. But, they have their own particular naming convention for fields and with the rigidity, you can't change that so easily.

I'm in the networking team and we're using it to monitor log messages from our networking equipment. For that, it's not such a good product. For example, consider a jet engine with a lot of sensors such as temperature, pressure, rotational speed, wind speed, fuel flow, etc.; they have lots and lots of sensors in them that are all connected by Ethernet. If you want to use Splunk to monitor a jet engine, you can do it easily. Forget about doing that with LogRhythm; that's not happening.

The bottom line is that for highly regulated industries it may work well, but you cannot use LogRhythm to monitor equipment. You also have to make sure that everybody who uses the product has full training and certification. If you're not willing to commit to the full training then don't even consider it.

I would rate this solution a five out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
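The field-extraction behaviour this review describes (labeled "SRCIP=" fields versus unlabeled, position-dependent ones, both slotted into a common field name) as an added Python example; it is not LogRhythm's own code, and the two message formats, the label map and the positional template are constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample messages (not real vendor output). The first vendor
# labels its fields ("SRCIP=..."); the second emits the same data
# positionally, space-delimited, so each token's meaning depends only on
# where it sits. The third is a truncated positional message used to show
# the failure mode a positional parser must reject rather than guess at.
LABELED_MSG = "2024-03-01T10:15:00Z fw-edge SRCIP=10.1.2.3 DSTIP=203.0.113.9 ACTION=deny"
POSITIONAL_MSG = "2024-03-01T10:15:00Z sensor-7 10.1.2.3 203.0.113.9 deny"
TRUNCATED_MSG = "2024-03-01T10:15:00Z sensor-7 10.1.2.3"

# Vendor label -> common schema name (assumed mapping). Unknown labels are
# kept under their own lower-cased name instead of being silently dropped.
LABEL_MAP = {"SRCIP": "source_ip", "DSTIP": "dest_ip", "ACTION": "action"}

# Positional template for the unlabeled vendor: this is the "how the vendor
# formatted it" knowledge that the review says you must supply yourself.
POSITIONAL_TEMPLATE = ["timestamp", "host", "source_ip", "dest_ip", "action"]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_labeled(msg: str) -> Optional[Dict[str, str]]:
    """Parse a key=value message that follows a fixed 'timestamp host' prefix."""
    tokens = msg.split()
    if len(tokens) < 3:
        return None
    fields = {"timestamp": tokens[0], "host": tokens[1]}
    for tok in tokens[2:]:
        if "=" not in tok:
            return None  # a bare token in a labeled format is a parse error
        label, value = tok.split("=", 1)
        fields[LABEL_MAP.get(label, label.lower())] = value
    return fields


def parse_positional(msg: str, template: List[str]) -> Optional[Dict[str, str]]:
    """Slot tokens into names purely by position.

    Any length mismatch is rejected: a missing or extra token would shift
    every later field and mislabel it silently (e.g. an action stored as an IP).
    """
    tokens = msg.split()
    if len(tokens) != len(template):
        return None
    return dict(zip(template, tokens))


def validate(fields: Dict[str, str]) -> bool:
    """Cheap type checks that catch a template that no longer matches the vendor."""
    try:
        datetime.strptime(fields["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False
    return all(IPV4.match(fields.get(k, "")) for k in ("source_ip", "dest_ip"))


def extract(msg: str, labeled: bool) -> Optional[Dict[str, str]]:
    """Normalize one message into the common schema, or None if it cannot be trusted."""
    fields = parse_labeled(msg) if labeled else parse_positional(msg, POSITIONAL_TEMPLATE)
    if fields is None or not validate(fields):
        return None
    return fields


if __name__ == "__main__":
    for msg, labeled in ((LABELED_MSG, True), (POSITIONAL_MSG, False), (TRUNCATED_MSG, False)):
        print(extract(msg, labeled))
```

Both well-formed messages end up with identical source_ip, dest_ip and action values, while the truncated one is dropped instead of being mis-slotted.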
PeerSpot user
SOC Analyst at a financial services firm with 1,001-5,000 employees
Real User
Enables us to find everything in one place and even feed alerts from other products into it
Pros and Cons
  • "Even other products we have that feed into it, instead of having to watch all of them we only have to watch one. For example, we have CrowdStrike, so instead of having to pay attention to that solution - because their dashboard doesn't really pop when an alarm comes up - we can see issues with the red on the LogRhythm alarm. That is very nice."
  • "One thing we have mentioned to them before is that we'd like to be able to do searches, or drill-downs, directly from an alarm. When you click it and the Inspector tab slides out, that might be a good place to be able to click the host to search for the last 24 hours. I know the search is right there but it would be even nicer to just click that and then have an option to search something there."

What is our primary use case?

We use it for centralized log management and for alerting. It's been working pretty well. We're on the beta program so what we're on right now has not been working quite as well lately. We're helping them find the bugs, but before this we didn't have any really major issues with it.

How has it helped my organization?

It makes everything quicker when it's all centralized. Anything we need to find, it brings to our attention. Even other products we have that feed into it, instead of having to watch all of them we only have to watch one. For example, we have CrowdStrike, so instead of having to pay attention to that solution - because its dashboard doesn't really pop when an alarm comes up - we can see issues with the red on the LogRhythm alarm. That is very nice.

We have seen a measurable decrease in the mean time to detect and respond to threats.

What is most valuable?

Being able to find everything in one place is really nice when you're doing your searches.

What needs improvement?

One thing we have mentioned to them before is that we'd like to be able to do searches, or drill-downs, directly from an alarm. When you click it and the Inspector tab slides out, that might be a good place to be able to click the host to search for the last 24 hours. I know the search is right there but it would be even nicer to just click that and then have an option to search something there.

What do I think about the stability of the solution?

Going into the beta, stability was very good, but in the beta it's not been as great for us lately.

There was a known bug where, after about five minutes, it would duplicate alarms, up to about 10,000. After 10,000 alarms in five minutes, everything is shutting down. Also, some of the maintenance jobs get deleted when upgrading, so our database was filling up without deleting the old backups. Those are the two major issues so far.

What do I think about the scalability of the solution?

I just took it over recently but we got it built to last. It's been the same since we put it up.

How is customer service and technical support?

I open tickets frequently, especially in the beta program. To get the first response is usually a little slow, but once they're talking to you it's very good.

What other advice do I have?

Figure out what you need it for before just getting everything you can into it. That's probably the main thing. We recently brought in an external firewall and it has everything enabled. So make sure it can do what you want and don't try to do more than what you need.

We have made a few playbooks, but we haven't done too much with them yet. For deployment and maintenance of the solution, it's just me doing the administration.

We're at 60 or 70 log sources right now. With some of the newer ones, we've had to open up tickets for them, like the newer Cisco Wireless. We've had issues with Windows Firewall and AdBlocker. We've had to get those fixed. We process about 600 messages per second.

In terms of the maturity of our security program, we got this solution right after we started up, so it has been growing with us. We're now at a point where we're happy with it and getting good value out of it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Muhammad Hanif - PeerSpot reviewer
Cyber Security Senior Consultant at Inspira Enterprise
Real User
Top 5
Advanced dashboard and seamless event analysis empower security operations
Pros and Cons
  • "LogRhythm's dashboard is very good compared to other SIEM solutions since it shows many details."
  • "The integration is slightly difficult with other assets, like EDR technologies or firewalls."

What is our primary use case?

LogRhythm SIEM is used for monitoring events. Analysts can click on events, drill down, analyze source IP, destination IP, time, country, and other details.

How has it helped my organization?

LogRhythm decreases breaches and monitors all activities inside the organization. It allows for monitoring 100 assets integrated with LogRhythm, enabling efficient security operations.

What is most valuable?

The first valuable feature is the dashboard. LogRhythm's dashboard is very good compared to other SIEM solutions since it shows many details. The operation is also very smooth, allowing easy drill-down into events and effective analysis.

What needs improvement?

The integration is slightly difficult with other assets, like EDR technologies or firewalls. Also, the back end is not as user-friendly as other solutions like IBM QRadar. The technical support is also not as good compared to some other products.

For how long have I used the solution?

LogRhythm is a new technology. I have been using the IBM SIEM solution for almost ten years, and LogRhythm for almost three years.

What do I think about the stability of the solution?

LogRhythm is stable once integrated. It requires very little maintenance post-deployment, needing just monitoring.

What do I think about the scalability of the solution?

LogRhythm is scalable and covers many endpoints, possibly more than 100.

How are customer service and support?

Technical support for LogRhythm is not strong, rated five out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

IBM QRadar was used previously. LogRhythm's dashboard and ease of analysis are seen as benefits compared to QRadar, though QRadar offers better integration.

How was the initial setup?

Setting up LogRhythm is complex, especially for integration. The setup itself, without integration, could take one or two days.

What about the implementation team?

I was part of the deployment team and faced some complexities.

What's my experience with pricing, setup cost, and licensing?

Pricing depends on the number of modules you want to purchase.

Which other solutions did I evaluate?

Other solutions considered include IBM QRadar.

What other advice do I have?

If there is no competitor, LogRhythm would be rated one hundred as there is no choice then.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1402677 - PeerSpot reviewer
Cybersecurity Solutions Architect at a tech vendor with 10,001+ employees
Real User
Integrated with SOAR, which is useful for threat management
Pros and Cons
  • "SOAR is integrated with the dashboard that we use for threat management. Because it's all integrated, it is useful for us when we deploy something on-prem."
  • "I don't think the cloud model in LogRhythm is developed enough."

What is our primary use case?

I am a security architect, so I don't develop the use cases with the customers if they deliver a team who is in charge of these activities. Depending on the case of the customer, we define something with the customers, according to the technical sessions that we have with them. I prepare all the documentation for the delivery team and present the project.

LogRhythm is deployed on-prem. There are about 60 people using this solution in my organization.

What is most valuable?

SOAR is integrated with the dashboard that we use for threat management. Because it's all integrated, it is useful for us when we deploy something on-prem.

What needs improvement?

I don't think the cloud model in LogRhythm is developed enough. This is one of the reasons they changed the position in a negative way in the Magic Quadrant Gartner for SIEM in the recent report. The cost of UBA is also high when you compare it with Securonix.

I would like to have a different cost model for cloud. If that happens, I think LogRhythm could be competitive in other cases with the customers.

The virtual machines require a high computer power, and sometimes customers say it's expensive. There are specific requirements from this solution. LogRhythm has a specific requirement when implementing in virtual machines, which is a very complicated issue. The best solution is in the cloud, most of the time.

For how long have I used the solution?

I've been using this solution for more than five years.

What do I think about the stability of the solution?

It's stable.

What do I think about the scalability of the solution?

When we are using LogRhythm in the cloud, it is scalable, but it's more expensive than other solutions. When we are on-prem, it's a little complicated and has a lot of challenges that the customer doesn't want.

It is scalable in the cloud, but not on-prem. It is not easy. It takes more time and money. I would rate it 3 out of 5.

How are customer service and support?

I would rate the presale support 3 out of 5. They could be in contact more and give more information. It's average. I have heard that post-sale support is good.

How was the initial setup?

It's simple because you only need to consider one component and that's it. But if you have a customer with different companies and each company has different subsidiaries and all of them want one only service, all of them will be sending the logs into one single SIEM, so you need a distributed architecture. You need to think about how to include new components and how that will be impacting the architecture in the near future, because we don't know the cost. In some cases, it's complicated if we don't know the new versions or the changes that the vendor will be publishing.

Deployment commonly takes three months but can take up to six months.

We use about six people for maintenance.

What about the implementation team?

We deploy the solutions on our own.

What's my experience with pricing, setup cost, and licensing?

I would rate the pricing 4 out of 5. There are no additional costs to the standard licensing fees.

The customers commonly want to know what is the price for the service in different bands. So we work on a banded price model, and it is something that is complicated. We include the UEBA, which is sized and quoted in terms of the number of users and entities. So we need to make a price banded model for the SIEM and a price banded model for the UEBA. We need two of them and they are related. 

If you increase the number of users, you are increasing the cost of the service of the SIEM. Sometimes we don't know the exact relationship between these two components. In the case of other solutions in the cloud, like Securonix, you just need to say to the customer, "This is the price of the different bands."

Which other solutions did I evaluate?

I've evaluated solutions that can be deployed in the cloud and have other features or components, like the UEBA. In the case of Securonix, it is included. We need to decide if we are going to propose something that is on-prem or in the cloud, depending on the requirements of the customer. The architecture is more complicated when you deploy something on-prem, so you want to increase the number of EPS, the events per second. You need to consider the architecture.

With Securonix or Splunk, we just need to go to the partner and say, "We need an increase in the number of EPS." We also don't have to provide maintenance to the solution because it is in the cloud. Our specialist is more focused on the security aspects instead of providing maintenance to the components.

What other advice do I have?

I would rate this solution 8 out of 10.

My advice is that if the requirement is to be on-prem, for example, for someone working in a financial entity, where it is a requirement to have all the information in their own data centers and to use specific connections, you can use it. It is convenient. And you can use it if you have a case where the evolution of the environment is not going to change for the next three years. Otherwise, if you have a lot of changes during the time that you are going to be using this solution, you need to include different components that will probably be complicated to architect.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Senior SIEM Engineer at a financial services firm with 501-1,000 employees
Video Review
Real User
We've reduced mean time to detect and respond to threats by 24 hours

What is our primary use case?

Our primary use case is fraud detection and infrastructure, so we use the SIEM to detect fraud on the banking side of the house as well as in infrastructure. I use it for security and UEBA purposes.

How has it helped my organization?

We have seen a lot of improvement. When I first got into LogRhythm, we were just doing the fraud side of the house. Afterwards, we started doing the infrastructure side, where we're seeing a lot of events coming in. We were getting a lot of ransomware attacks and a lot of malicious actors coming in, trying to hack us, which we can see in the SIEM right away and use the SmartResponses to block at the firewall level. We stop them at the edge, and we don't have to worry about them coming in.

We do have an MSSP that does our 24-hour ops when we're not there outside normal business hours.

The playbooks will come in handy for them to go through and meet our expectations. I can design the playbooks around what I expect and what the organization expects when certain events trigger, and the process they need to follow to call us up at night and say, "Hey, this is something that needs your attention."

I have plenty of log sources. Roughly, I have about 500-plus different types of log sources coming into my LogRhythm, and the support's been great. The out-of-the-box log message processing covers the majority of what I need. There are some that I had to create, because obviously the products are new, and I made LogRhythm aware of it, and they're creating custom parsers for them.

We are rated for 10,000 MPS because we have two data processors and data indexers, but I'm only using about 3,500 combined.

The solutions have been great for us. We use the SmartResponse to do most of our automation work for us, to block attacks, and to kick off users if they're doing anything malicious. It's saved us a lot of man hours. Based on MTTD and MTTR for us, we've saved considerable time.

I did see a decrease in time to detect and respond by a day, because there is myself during work hours and the MSSP, which we combined, and we've reduced it to about 24 hours mean time to detect.

What is most valuable?

Among the valuable features, I find it's very easy for me to integrate new log source types within the SIEM. With the MPEs, there are plenty of out-of-the-box solutions that we can integrate new appliances with. We're constantly buying and upgrading our appliances, so it makes it easy for me to ingest logs and run correlations in the AI Engine.

Currently, we don't have full-spectrum capabilities. We're using AI Engine mostly to run correlations, and then we obviously have our dashboards and so on, but apart from that, we're working on the UEBA implementation for users to run more correlations. We do have our network monitors that we use to run packet monitoring, packet captures, and even traces.

What needs improvement?

I think where I see room for improvement for LogRhythm is probably granularization of log source types. If that were to happen, I think it'd be a lot better for the product.

What do I think about the stability of the solution?

I've never had any issues with my SIEM. We just upgraded from physical to virtual, and it was a seamless process. Everything worked well.

What do I think about the scalability of the solution?

LogRhythm is very scalable. We increased our MPEs from 2,500 to 10,000 right now, and we're very happy. We have room for plenty of growth. We're only using less than half of what we have.

How are customer service and technical support?

Tech support's always been great. Every time I had an issue, I'd go in and open up a support ticket. I usually get an engineer calling me back within the first half hour, and they'll help me troubleshoot within a day.

How was the initial setup?

The product was already set up when I first jumped on with the organization. My only process was the move from physical to virtual and then the upgrade to 7.3 and 7.4.

What other advice do I have?

So, we are in the current five-year security maturity program. We're on year one, and LogRhythm is going to be the center point for the first two years in terms of aggregating all the different log source types within the organization. We still find that there are log source types that are not coming in, which we plan to integrate within LogRhythm and use its analytics tools to help us get more mature and move us forward in the maturity of our security for the industry.
I rate LogRhythm a 10. It's very easy to use. It's very user-friendly. The product is very innovative with SmartResponse and AI Engine, and it takes half the work off myself and my analysts, so I love the product for that reason.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user756429 - PeerSpot reviewer
Senior Security Engineer at Augeo Marketing
Real User
It takes good log sources. Needs more integration between the web console and the thick client.
Pros and Cons
  • "Provides visibility into the network."
  • "I would probably look for more things to go into the web console that is currently on the fat client."

How has it helped my organization?

It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging at one or two locations, but this is the first time this year that we actually had all the logs go to one spot and be able to have alerts and alarms set up.

We use CrowdStrike as our endpoint, so we are in the process of getting those logs into the SIEM. We haven't got that done yet, but that's going to be a really big win, because half our logs are on the endpoints that the employees have. To have that visibility is really important.

What is most valuable?

Provides visibility into the network. We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients. We have a lot of financial and other customers that care about security with the kind of business that we do. But we're looking at it to do SOC Light, not 24/7, but we want to have visibility into everything that is going on in our network, be able to respond, and do incident response using LogRhythm as our main console.

What needs improvement?

Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming conventions at each location, different staff, different log sources, and firewalls, which are different at each location.

It has been a challenge. This has been one of the first applications that we've had. This, and a couple of others that the security team brought in recently, work across the enterprise. So, we've had a lot of challenges just getting AD or DNS to work, real basic stuff.

Then, also for the log sources for the servers, we didn't have a lot of the logging enabled, so we had to go back and enable a lot of logs using GPOs, working with our IT and actually doing a lot of the work ourselves, because resources are a challenge. There is so much work to do and not enough staff.

I did see a lot of the web console features coming up. I think those are dead on, exactly what's needed. A lot of them had to do with better case management and more sorting, going through your alarms, and drilling down in different ways. I think that is really important.

In terms of improvements, I would probably look for more things to go into the web console that are currently on the fat client. I think that is the trend. I think that is what LogRhythm is doing. I find myself going back and forth between the web console and the client console, and I probably spend more time in the thick client, and it'd be nice to just be in one.

LogRhythm is really on track and they're doing a lot of things very well. In some other areas, particularly with the UI, how things are done administration-wise and a little bit on LogRhythm University, some improvements are needed. There are some challenges with registering for classes and taking them.

I was not completely satisfied. I wasn't really sure what classes to take. I did not feel like I had the direction initially to understand how to deploy LogRhythm. When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up, that it's almost impossible to do it on your own, as an enterprise senior engineer. I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging. I do not think we really could have gotten where we are without Optiv coming out for a week and spending time setting up the appliance and optimizing it the way it should.

There are some improvements that could be made to make it easier to use.

What do I think about the stability of the solution?

We haven't had any issues. I believe we had an alarm for a service restart, but it self-corrected. Something I noticed, but other than that, it has been rock solid.

What do I think about the scalability of the solution?

I am not even using a quarter of the resources on the appliance today, and that's good, but we still have some log sources that we are still enabling.

We got our biggest ones in there, except for Mimecast and CrowdStrike, so that will add quite a bit. Hopefully, it won't be an issue for us right away. My impression is that there's all sorts of ways to expand and build out.

We have an all-in-one appliance, but I'm fully aware that you can spread out the functionality, so we'll keep an eye on it. For an organization of our size, we're growing fast. We had double-digit revenue growth year-over-year for the last seven years. We are growing really fast, so I anticipate it will be a problem eventually, but not in the foreseeable future.

If they're a super large enterprise company, they might want to weigh having a LogRhythm infrastructure that is spread out.

I am not completely convinced that LogRhythm scales to the highest, largest size enterprises. I really do like IBM QRadar, I think it is one of the best SIEM solutions. If it was a larger enterprise, I would maybe have them go head-to-head.

How are customer service and technical support?

We have used technical support. The last issue that I opened was because I didn't have the correct parsing support for our Fortinet firewall at our main locations.

The version of firewall we're on is not very new. It's actually a year and a half going on two years, and it wasn't supported. We opened up a ticket, but it was already a known issue, and they did eventually release the parsing. We're seeing all our logs now.

We get pretty much a same-day response from them. I've opened up a total of two or three tickets, and each time it was right away. Their support is good.

We did buy the XM appliance, the 5GB, I forget the model number. We just got it, the largest one that they would sell us.

We are not using it completely, but it's a single appliance for the LogRhythm. We have a mixture of Microsoft clients, Linux, and Mac on the PC, the laptop side. We also have a lot of 12U servers, which is a little bit of a challenge getting support.

The other change that we made recently was upgrading to Mimecast. They don't have the integration with LogRhythm yet but it's coming. I just talked to the Mimecast SE a couple times in the last few days, and it's not here yet, but it'll be here soon.

Which solution did I use previously and why did I switch?

I had a little bit of experience with QRadar and a customized SIEM solution at my last job, where we had used an MSSP environment, so it was a very different scenario, and you didn't really get to work with the clients directly upfront and control the log sources. Now, I work at an enterprise that is slowly gaining control of everything, and that is a lot better.

We chose LogRhythm because in the Minneapolis area, the security community is pretty close and there are a lot of other customers and associates, like my manager and myself, who know a lot of people using LogRhythm. So, we got a lot of good feedback.

How was the initial setup?

I was involved in the initial deployment and setup.

We had some challenges. The problem that we ran into is that, without doing a lot of due diligence, management decided to deploy LogRhythm in the cloud on AWS because we're going in that direction for a lot of things. So we had Optiv come out and do the installation and set it up for us, letting us drive and control the mouse, the keyboard, and so on. We ended up discovering that it would be $100,000 a year to have the virtual appliance in AWS just for the spec requirements, and we pulled back on that. It was cheaper just to buy an appliance, basically. The cost for one year almost paid for the appliance that we got.

We lost a few days of consulting time. Because of that, we had to delay the project a little bit and start over. Then we realized that once we did start getting all of the agents and logs coming in, we were not seeing all the logs that we needed. Then a lot of the log sources that we really needed weren't there yet because of our infrastructure challenges.

That was a learning experience, knowing what it takes to install a SIEM from scratch:

  1. Have your inventory down.
  2. Understand your network infrastructure challenges upfront.
  3. Weigh the appliance versus the cloud and really understand the pros and cons of each.

I know when we spoke to our sales engineer (SE) that there were very few cloud implementations. It is still pretty new. They tried steering us away from it and we didn't listen. We probably should have listened a lot better.

What about the implementation team?

We use Optiv, and I understand it's LogRhythm's largest partner for third-party support, and we have had good experiences working with Optiv.

Which other solutions did I evaluate?

LogRhythm is successfully employed in a lot of organizations. We tried using another large SIEM, I won't name it, but we weren't able to even get it deployed. It was just too complex, and this was at CenturyLink.

QRadar is really easy to use, but for an organization of our size, we only have about 270 employees. That is not a whole lot of log sources, so it seemed like LogRhythm fit that profile a lot better for our needs.

When it comes to the SIEM, LogRhythm was pretty much our go-to. We really wanted to go with LogRhythm, and we were hoping that there wasn't any reason not to. My manager and I had some experience with some other SIEMs and knew their success rate, and we also knew people who use LogRhythm and who have said good things about it. At that point it turns into, "Is the financial investment going to work out for us?" It turned out that it did. We wanted to go with LogRhythm, and we're glad that we were able to make it work out.

What other advice do I have?

Smaller, medium-sized companies, I would actually steer them towards LogRhythm and have them look into it, then I would share my lessons learned.

It is important to have a unified end-to-end platform, but you also do not want to get vendor locked in. It's from a value perspective and a productivity perspective that this is very important.

You do not want to be stuck with one product that then changes course or evolves. You always want to be with the leader in the market that is innovating. You want to be able to maintain that flexibility and be nimble enough to switch when needed, while having a really good go-to vendor, and LogRhythm seems to be developing into that.

There are a lot of different firewalls out there. There are a lot of different network devices and different servers. They fit their niches, and it is important from a staffing and training perspective to have fewer products and technologies to support, because it is just hard to find people that are experienced.

You have to balance it out with having the best tools to do your job, because with the challenges we face and all the security threats that are out there, you have to take advantage of what's available. If you're using multiple vendors, then so be it, but it is a balance.

Most important criteria when selecting a vendor:

  • Interoperability with our partners and the rest of our stack that we have.
  • Usability and access to support and documentation are really key.
  • Being able to get the value out of your investment in a security product.

There are so many security products out there and so many tools. To be successful, you have to understand how the product works and have the documentation and training available. That is really key. LogRhythm does a pretty good job.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.