ArcSight Logger Review

It has excellent query syntax and response.

Valuable Features

It has excellent query syntax and response. Complex queries of large volumes of data generally take seconds if not minutes.

Improvements to My Organization

ArcSight has improved incident response from days to minutes. It also offered ancillary non-security troubleshooting features, which were surprise benefits to teams such as network and operations.

Room for Improvement

I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.

Use of Solution

We've been using it for two years.

Deployment Issues

We had no issues with the deployment.

Stability Issues

We have had no stability issues.

Scalability Issues

The original Connector Appliance peaked its events-per-second limit much sooner than anticipated and required us to purchase another, and significantly larger, appliance. The issue was self-inflicted as we discovered more use cases when adding new logs and log types.

Customer Service and Technical Support

Technical support is excellent. In fact, that was one of the best "features" of the implementation. I never had to wait to reach specialist help, and all engineers that I spoke with were highly technical and were pleasant.

Previous Solutions

I previously used a significant RSA Envision installation that had extremely poor performance with complex queries. It was routine to wait an hour or more for a more complex query. HP ArcSight was introduced by a CISO with previous experience at a previous employer and the improvement was immediately obvious. It was a wise decision that I took with me to my next organization.

Implementation Team

It can be difficult to set up connectors to ingest and normalize different log types initially.


I would recommend HP professional services for starting up. I used that approach and was able to glean enough through knowledge transfer to hit the ground running from day one in production.

Pricing, Setup Cost and Licensing

Security makes it difficult to quantify ROI, but I can say that we were able to complete incident response in minutes where the same had taken hours or days.

Other Solutions Considered

In terms of pricing, size appropriately and realistically up front. That said, the product architecture is scalable as needs grow.

Other Advice

ArcSight has a Google-like query syntax with Boolean-style operands. That said, there is also a GUI to craft queries. I'd recommend learning the GUI as this is the same GUI used in HP's ESM product, the engine that can correlate disparate log events and turn incident response from reactive to proactive alerting. Getting a head start on learning that syntax would help ease into the highly recommended ESM or ESM Express products.

Disclosure: My company has a business relationship with this vendor other than being a customer: At the time, I formed a strategic partnership with HP Enterprise Security and co-presented their products at a business vertical relevant technology conference, served as a customer reference and referenced HP ArcSight in a case study about my complementary HP (now TrendMicro) TippingPoint Intrusion Prevention System implementation.