We performed a comparison between Graylog, LogRhythm SIEM, and Splunk Enterprise Security based on real PeerSpot user reviews.
"Storing logs in Elasticsearch means log retrieval is extremely fast, and full text search is available by default."
"One of the most valuable features is that you are able to do a very detailed search through the log messages in the overview."
"It is used as a log manager/SIEM. It provides visibility into the infrastructure and security related events."
"What I like about Graylog is that it's real-time and you have access to the raw data. So, you ingest it, and you have access to every message and every data item you ingest. You can then build analytics on top of that. You can look at the raw data, and you can do some volumetric estimations, such as how big traffic you have, how many messages of data of a type you have, etc."
"We run a containerized microservices environment. Being able to set up streams and search for errors and anomalies across hundreds of containers is why a log aggregation platform like Graylog is valuable to us."
"Graylog's search functionality, alerting functionality, user management, and dashboards are useful."
"I like the correlation and the alerting."
"The solution's most valuable feature is its new interface."
"I find LogRhythm's log management capabilities to be beneficial."
"The log analysis feature is valuable."
"We have to be able to show the evidence, and LogRhythm does a great job of putting it forward and making it easy to create reports with nice looking dashboards, which show off what we are doing as a security program."
"I would say the most valuable feature of LogRhythm is that it has built-in UEBA functionality, among other basic Windows packages."
"Compliance reporting is another great feature of this product. It has built in reports right out of the box."
"SOAR is integrated with the dashboard that we use for threat management. Because it's all integrated, it is useful for us when we deploy something on-prem."
"It's positively affected our overall rate of efficiency."
"We take in around 750 million logs a day. We have a lot of products and that would be a lot of different panes of glass that we would have to look through otherwise. By centralizing, we can triage and take steps much more quickly than if we tried to man that many interfaces that come with the products."
"The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time."
"I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs."
"The SIEM is the most valuable feature of the product."
"The solution helped reduce our alert volume."
"It helped us consolidate all our solutions into an easy tool to use for various employees."
"The ability to ingest any data and display it in a way that anyone can understand."
"The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace."
"Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value."
"Over six months, I had two similar issues where searches were performed on field "messages". It exhausted all the memory of the ES node causing an ES crash and a Graylog halt."
"I would like to see a date and time in the Graylog Grok patterns so that I can save time when searching for a log. I like how the streams and the search query work, but adding a date and time will allow me to pull out a log in a millisecond."
"Lacks sufficient documentation."
"Dashboards, stream alerts and parsing could be improved."
"The biggest problem is the collector application, as we wanted to avoid using Graylog Collector Sidecar due to its architecture."
"Elasticsearch recommendations for tuning could be better. Graylog doesn't have direct support for running the system inside of Kubernetes, so it can be challenging to fill in the gaps and set up containers in a way that is both performant and stable."
"More customization is always useful."
"I hope to see improvements in Graylog for more interactivity, user-friendliness, and creating alerts. The initial setup is complex."
"It should have some more message monitoring features. It can also have some free message monitoring tools."
"We're still struggling to get a real return on it and finding something that isn't false noise."
"We need to get better training for things like creating code and playlists. The way it's done now takes a long time."
"I would probably look for more things to go into the web console that is currently on the fat client."
"We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4."
"I would like to see more integration with more products that are out there within the same security field."
"More detail in the alerts given to avoid additional searches, as often the source or destination associated with the alert is not evidenced."
"We do about 750 million a day and some days we do 715 million. Some days we do 820 million or 1.2 billion. But there's no way to drill in and find out: "Where did I get 400,000 extra logs today?" What was going on in my environment that I was able to absorb that peak? I have no way to identify it without running reports, which will produce a long-running PDF that I have to somehow compare to another long-running PDF... I would like to see like profiling behavior awareness around systems like they've been gunned to do around users with UEBA."
"Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud."
"Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help."
"For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster."
"The only improvement I am expecting is the cost of the licensing. Clients are going to other solutions just because of the cost."
"I'd like to see more integration with more antivirus systems."
"Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box."
"It currently has limited default rules and customizations. If they can concentrate more on the compliance part and the security information part, it would be helpful. The platform part is good, but it requires many features from the security aspect."
"Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling."