LogRhythm SIEM Reviews

Our customers are financial institutions, basically banks, and others in the financial sector. They have a lot of web-facing applications and technologies for which they need to have a complete trail of logs and audits. Whether they log in through their mobile devices and do mobile banking or internet banking, or do some queries, or are working on their systems, we need to have security logs for future audits and compliances. One use case is on the data protection side, because we are a data protection tech company, which determines if we need to activate security. The second is for audit trails, compliance, and if there are any issues. We need to have logs of all events and these logs are stored in the central bank. These logs have to be maintained for 10 years.

The user interface is good.

We are still implementing and have not yet completed the LogRhythm implementation for one particular customer. We haven't faced any issues right now. Once we've completed and we are doing the log analysis and the correlation and audits, at that point in time, if we find challenges, I can update you. Right now, it's okay.

Let us see once we finish the website we are working on. Then we'll understand better more of what we need. We'll probably need an improved user experience in terms of reporting and analytics. If the reports are very easy to configure and generate what we require, that will be the best thing. At the end of the day, it is just logging, correlating and reporting.

I have been using LogRhythm NextGen SIEM for the last four years. We are using the latest version.

The stability is there, it is good.

As of November we have four customers in the field of info, security, officers, managers, and risk and compliance. Generally, these are all risk and compliance teams at the financial institutions or in the government. The implementation is done by the IT security team but the reports and everything are part of the risk and compliance team.

It is scalable.

One person is more than enough to operate it. We have a specialist, one engineer who does it.

The support is quite good. We haven't had any challenges. Initially, there was something that they requested, so we logged a call and they were able to respond immediately. We had no challenges. They are quite responsive.

The initial setup is not so easy because it is quite a process. Nevertheless, from my experience in implementing SIEM, Splunk is the easiest, and LogRhythm comes next.

LogRhythm is okay, we never had any challenges.

The installation is per site. Because these are all government customers, public sector government customers, we generally take anywhere between four to six weeks for installation. We have five people doing it.

When they buy the license, whether on-prem or cloud licenses, I don't think that's all they pay. We do charge them for implementation and installation, but that's about it. Subscription is year on year.

We have tried many other products. But if you want to look for a mature product in the SIEM market - Gartner Quadrant, LogRhythm and Splunk are all leaders and are well placed products. The rest are yet to come up.

When I say LogRhythm is a mature product, I mean it covers all 360 degrees for SIEM requirements which is not there in the other products. Only a few products have this kind of totality of integration, especially in the reporting. It has very good machine learning and AI techniques. It is very good.

I of course would recommend LogRhythm NextGen SIEM to others.

On a scale of one to ten, I would give LogRhythm NextGen SIEM definitely a nine.

We really appreciate the new cloud functionality. The cloud is really showing its dominance. 

Technical support is very helpful and responsive.

The product has a lot of useful features.

There aren't really any missing features. It's quite a complete solution.

Most of the clients using the on-prem are using customized applications. In the customized applications, we are facing parsing issues and a minimum of two days is required by the LogRhythm team for parsing logs. 

Parsing is totally controlled by LogRhythm and they do not allow any partner or any third-party to handle this part and this is a key challenge on my end. This is a huge cost impact -at least on the Pakistani market. It needs to be addressed.

The solution should be less expensive.

It would be very helpful if there was Kashif a package to help users migrate from QRadar to LogRhythm.

In Pakistan, the government is in the process of developing its final recommendation of cybersecurity and data protection process. We hope this solution will prove to be compliant and will meet the requirements in the future.

I've been using the solution for approximately one and a half years at this point. It hasn't been too long just yet.

We have four or five people using the solution in our organization. They are managing the LogRhythm infrastructure.

We are in touch with their support. It's government support, and they're quite supportive, and they are quite responsive. They have a divisional team is quite responsive. 

The initial setup is complex with LogRhythm. In that Pakistan market, with LogRhythm, the climate is very limited at this point. For the on-prem, there may be only two customers, for example. One is a bank and one is serving as an MSSP.

We've added four customers to a pay-as-you-go model. You apply Windows 2000 MPS or a cloud environment. The initial setup is quite difficult, however, after making certifications we are able to provide the initial setup and got it working with the LogRhythm support team.

For maintenance, I have five engineers that are part of my security team, including me and my sales and operations. Approximately we have 14 to 15 people that can handle maintenance.

We had some assistance from the LogRhythm support team. We did not entirely do it ourselves.

The cost of the solution should be reduced. In the Pakistan market, they have competition from IBM QRadar. They have quite a significant core difference. While the quality of this product is better, IBM has a stronger penetration in the market base don price. 90% of financial institutions are doing the QRadar in Pakistan. The Central Bank is using QRadar and simply due to the cost differences.

Initially, we tested out the QRadar, however, due to some delay and due to some market awareness tests, we did not continue.

We are using the solution for our own infrastructure and we are also offering it as a service. We are the largest service provider, cloud service provider, in Pakistan. However, we use a variety of deployment models - including cloud and hybrid.

We have an ISO position for government-certified infrastructure. We have a PCI-certified infrastructure as well as a GDPI compliant infrastructure.

We work closely with this product in particular. We have a lot of hands-on experience.

I'd rate the solution eight out of ten. If it weren't for some parsing limitations in the product, I would rate it even higher.

We use it for log ingestion and monitoring activity in our environment.

It is a simpler system than what we had before. We had IBM QRadar, which used to give us everything, and we had to dig through, figure out, and piece it all together. LogRhythm lights up when an event occurs. As opposed to just giving us everything, it will piece things together for you and let you know that you probably should look at this. It also provides the evidence. 

It is easy to find what you're looking for. It is not like a needle in the haystack like QRadar was. It is not a mystery why something popped or why you're being alerted. It provides you the details or the evidence as to why it alerted or alarmed on something, making qualifying or investigations a little bit quicker and also allowing us to close down on remediation times.

Automations are very valuable. It provides the ability to automate some of our small use cases. 

The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools.

Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. 

They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SAS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SAS applications. There is a whole diverse suite of SAS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SAS applications.

The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elastic search engine and use less of Microsoft products.

I have been using this solution for three years.

Bugs are there. We've encountered quite a few, but support is pretty quick at picking up and working with us through those and then escalating through their different peers until we get a solution. Now, the bugs are becoming less and less. Initially, they were rolling out features pretty quickly, and maybe some use cases weren't considered. We ran into those bugs because it was a unique use case.

It is easy to scale. We run different appliances. So, for us scaling is not an issue. Each appliance does a different piece of the function, so scalability is not a problem. We started off doing say 10,000 logs per second or MPS event, and then we quickly upgraded. Now, we're sitting at a cool 15,000. There is no need to upgrade hardware or anything. You just update the license. That is it.

We have multiple users in there. We have a security team, operations teams, server team, and network team for operations. We also have our research team, HBC team, and support desk staff. We have security teams from other universities in the States. We're sitting at a cool 50 users.

Their technical support is good. They are pretty quick at working with us. I would give them an eight out of ten. I don't know what they see on their end when a customer calls in and whether they are able to see previous tickets. It always feels like you're starting fresh every time. They could maybe improve on that end.

We had IBM QRadar for what seemed to be almost a decade. So, we just needed something different. There was a loss of knowledge transfer, as you can imagine, over a decade with different people coming in and out of security teams, and the transfer of knowledge was very limited. At the time I got on board, I had to figure out how to use it and how to maintain it and keep it going. We had some difficulties or challenges with IBM in getting a grasp on how we can keep getting support. It was a challenge just figuring out who our account rep was. After I figured that out, it was somewhat smooth sailing, and then we just decided it was time for something different, just a break-off because products change in ten years. You can either stay with it and deal with issues, or you do a break-off and get what's best for the organization.

It was complex simply because we had different products. 

We did have professional services to help us, which made the installation a little bit smoother. Onboarding of logs and having somebody with whom you can bounce ideas and who can go find an answer for you if they didn't have one readily available made the transition from one product to the other pretty straightforward.

We did a five-year agreement. We pay close to a quarter of a million dollars for our solution.

I would definitely advise giving it a look. If you're able to deal with it in your environment and just give it a chance, it'll grow on you. It is not Splunk, but it's getting there. They're gaining visibility with other vendors. The integration with third parties is starting to light up a little bit for them, unlike IBM QRadar that has already created that bond with third parties to bring in their services into the product. LogRhythm is definitely getting there, and it is a quick way to leverage in-house talent. So, if you want to do automation and you have someone who is good at Python scripting or PowerShell, you can easily build something in-house to automate some of those use cases that you may want to do. 

I would rate LogRhythm NextGen SIEM an eight out of ten. 

We use multiple instances as dark sites. We have roughly 350-400 hosts per site consisting of 4K to 5K log sources.

It has not only helped us meet requirements on a development program, but it has also allowed us to focus on insider threats as well as provide forensics capabilities to identify potential security risks.

I have found the Advanced Intelligence Engine has provided the most value to us because we can customize alarms based on our requirements and have created hundreds of alarms that notify different people for different scenarios.

There used to be the ability to create alarms based on message text that was included in LR Version 6.x that has been removed in LogRhythm 7.x, and on that, I would like to see it added back. I was told that this was due to processor overhead but with the amount of CPU and memory suggested, I don't see why this would be an issue.

I have been using LogRhythm NextGen SIEM for six years.

It is stable when all the resource recommendations are met.

Scalability is endless with this product.

Technical support has been great.

We did not use another product prior to this one.

The initial setup is pretty straight forward.

Our in-house team handled deployment.

I don't get involved with pricing.

We did not evaluate other options.

I use the solution for logistics and metrics. We use LogRhythm SIEM for our company and our clients. The solution is deployed on separate machines.

The log correlation is the most valuable feature.

Our clients enjoy having one dashboard to monitor their environments in real time.

The coordination and load bussing has room for improvement. 

There is room for improvement with separate running sources or better integration.

I would like to have a better way to investigate the logs by adding correlations to the dashboard.

I have been using the solution for one and a half years.

The solution is stable.

The solution is scalable.

The technical support is responsive and always resolves our issues.

I previously used IBM Security QRadar and switched to LogRhythm SIEM because it is the best in the market.

The initial setup is straightforward. The deployment takes between nine to twelve hours.

I give the solution an eight out of ten.

The solution is for medium and large organizations.

Our company manages the solution as a threat hunting platform for a semi-government client in the Hong Kong insurance industry. We collect logs for video, active directories, antivirus, and firewalls to consolidate them in the solution. 

From the central log collector, we build detection policies to identify threats or possible breaches. The solution also serves as a data storage platform to troubleshoot issues and find root causes.

In addition, logs that include performance data are created for devices such as routers and switches to monitor the availability of the office network. 

We also perform ongoing maintenance of the solution and all components to ensure everything runs smoothly. 

The correlation engine is extremely valuable because it uses machine learning to process information from the central manager and identifies issues in the network. 

The engine accurately and quickly identifies problem areas as it correlates events from various devices. 

Without this engine, logs would have to be built individually for each device. 

The security playbook could be pre-defined and available to other analysts with similar security issues. Currently, playbooks are individually written for various actions and threats. 

It would be faster and easier to react to issues if pre-defined playbooks were accessible to all analysts. 

I have been using the solution for seventeen years. 

The solution is stable. 

The solution is scalable. 

I have escalated issues to technical support and rate the assistance I received an eight out of ten. 

Positive

The initial setup is complex and I rate it a six out of ten. 

We implement the solution for our customers. 

The solution remains a top choice for our customers because of its performance, indexing rate, and coalition engine speed. Customers trying to use SIEM to collect logs and identify threats require a solution that responds quickly. 

The solution's correlation engine is very important because it uses machine learning to automatically collect and analyze quite a bit of data. 

When choosing a solution, it is important to determine what you want to achieve instead of how the solution works. Most solutions have a method for collecting logs, relaying information, and identifying issues so selection is more about the speed and accuracy of end results.

I rate the solution an eight out of ten. 

Mostly, the use cases involve detecting lateral movements, malware infections, and insider threats.

We serve small, medium, and large companies, mostly in the finance sector, here in Sri Lanka.

It's very easy to create the correlation rules with LogRhythm, and there are some advanced features like SIEM and UEBA, which are also very valuable.

LogRhythm NextGen SIEM is currently based only on the Windows platform. This means that some of our customers have to purchase a Windows license elsewhere. If LogRhythm can move to a Linux platform or a proprietary platform, it would be very helpful.

I've been working with LogRhythm NextGen SIEM for around five years now.

We have deployed both to the cloud and on-premies, but we've mostly deployed on-premises.

It's very stable, unless something happens on the Windows storage side.

The performance is good, and we don't often get any complaints from our customers.

LogRhythm NextGen SIEM is horizontally and vertically scalable, so scalability is not an issue.

We have six people working with LogRhythm directly in our organization.

The technical support has been very good. They are very supportive, and I'd give them a rating of ten out of ten.

Positive

When compared to other SIEM solutions, LogRhythm is very easy to use, and I like the correlation rule building.

The initial setup is a bit complex because we need to be certified first. Otherwise, we have to get their PS for the deployment process. Even if you're certified, they shadow us. There are some processes for which we need to obtain their advice.

The initial setup and configuration can take around half a day. That is, a single box deployment can take 6 hours.

If I were to rate my deployment experience, I would give it a four out of five.

LogRhythm's licensing is based on MPS. There are some add-on features like advanced UEBA, the cloud component for advanced UEBA, and SIEM.

When you implement, you need to know LogRhythm's architecture because it is quite difficult and different from that of other SIEM solutions. So, you need to know the architecture, how the processes work, and how the logs are processed.

Overall, I would rate LogRhythm at eight on a scale from one to ten.

LogRhythm NextGen SIEM is great. We use it for log management for security purposes.

The security operation center is excellent, and we can pick logs from any system, not only the IPS or firewall. In addition, it has the capacity to accept logs and provide smart dashboards and analysis.

The most valuable feature is the SOC Security Operations Center feature. This solution has two types of systems, virtualization and the appliance. The appliance is ready and configured, so we use the IP addresses and trigger the endpoint. It's very user-friendly, and whenever anyone deploys a virtualization system, they can experience it.

The customer support system is time-consuming and needs to be improved because it is not very good. For other solutions, you can deliver whenever you have a customer problem. All you need to do is open a ticket, log into the system, and the issue is resolved. However, for LogRhytm, we have to flag the problem and then send the log, and we never know if we will receive a response in one hour or one week.

In addition, LogRhythm NextGen SIEM has one of the best analysis features, but it can still be improved. However, I believe they plan to make improvements since they're only selling the product for two systems currently.

We have been using this solution for three years.

It is a very stable solution.

It is a scalable solution.

I rate the customer support a four out of ten.

Neutral

The setup was very easy. I rate the setup a ten out of ten.

The price is very good, and it is very cheap compared to other solutions. If we compare it to SolarWind, SolarWind is not as advanced as LogRhythm NextGen SIEM.

I rate the price a nine out of ten. We always consider the features and quality before the price, but the cost is still very good. We get about 98% of the features we want.

I rate LogRhythm NextGen SIEM a nine out of ten.