LogRhythm Network Monitor Review

Log aggregation gives us all our logs in one place, we can get the analytics from a single dashboard

What is most valuable?

Definitely the log aggregation. We enjoy having all of our logs in one place, where we can get the analytics from a single dashboard. Really, that is the goal. That's why we purchased, really just to aggregate.

How has it helped my organization?

We're running a single XM appliance, LogRhythm side. We're just under 2000 events a second. Our entire stack is VMware ESXi. We're completely virtual. We have two datacenters, about 300 VMs. We're also aggregating logs from all of our network equipment. We have 200 remote sites that all push their logs back to our data center.

We're very young in our deployment, out six months. We have yet to really derive substantial benefit from it. What we've seen so far has been, when we see events we can go back and drill into it, and see the path, see the kill chain. But we haven't made it to the point where we have tuned our alarms, yet. I expect it to do all of these things, we just haven't made it there yet.

The goal is to protect our users, certainly. Our environment is set up much like a retail environment. We have the vast majority of my users directly interfaced with the public. Their computers or their devices exist in the wild, not behind my corporate firewall. The overriding goal is to protect that equipment, protect those users, and then of course protect myself from anything that would happen if one of those devices or users is compromised. The challenges are really the same. All of these devices exist in the wild. They're not behind my firewall, they are out on the open internet daily, on a regular basis. That is the biggest challenge, making sure that those devices are visible to us, and that we can collect data, collect logs from those devices.

Again, we're so young in our deployment, that the perception is that there is a lot of potential there. We know that we have a long way to go to tune it, to onboard all of the log sources. The impression so far is very, very good. We were sold on the product based on the fairly narrow use cases that the sales reps gave us. What we're seeing during our usage is that we can get there. Again, we're so young in the deployment that we haven't made it to that point yet. But we definitely see the potential, we're very excited about the potential.

What needs improvement?

This is one where we're so young that it's almost impossible for me to answer the question, because I haven't explored everything that's available today.

One thing that surprised me was the current version of LogRhythm does not natively support Windows 2016. We're diving in feet-first. We are deploying only Windows 2016 now. During the deployment, there was a lag time between the time that Windows 2016 became generally available, and when LogRhythm was going to support it. During this period we had to trick LogRhythm into believing that these 2016 machines were 2012 machines. That was a bit surprising because of all of the automatic updates that we get, the threat feeds, everything that LogRhythm puts into the system automatically. To not have support for a very, very big new release was a bit surprising.

For how long have I used the solution?

Six months.

What do I think about the scalability of the solution?

So far - and I hate to keep going back to the fact that we've only been doing it for a few months - but so far we've been very impressed with scalability. We have a single appliance, and we have several collectors that run against that appliance. We really love how easy it is to just add another collector. I have data sources, I have log sources that exist in my DR facility. I can stand up a collector in that facility, and then push it back across the wire, and it's very easy. It's a couple of clicks, done. We're very excited about, again, the potential for scalability without having to re-architect the entire solution.

How is customer service and technical support?

We haven't used them. We went with the partner that sold it to us.

Which solutions did we use previously?

We did not have a SIEM solution previously.

Our CEO was phished several times. After the third time in a month that we had to go change his password, and counsel him again on not connecting to open WiFi, we realized that...

We have on-premise Active Directory that's federated against Office 365. We have three very different log sources. We have our local AD, we have our federation service that authenticates, and then we have Office that contains all of the logs. It was very, very difficult for us to follow that chain. Time stamps are slightly different. One's in this timezone, one's in that timezone. Really, it was born out of this frustration of: I need to figure out what happened. "What did he click on? Where was he? Where did he log in from?" to establish the chain of events. I just couldn't, because I didn't have one single repository to go to.
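The timestamp problem described above, as an added example that is not from the review or from LogRhythm: three constructed events from local AD, the federation service and Office 365, each stamped in its own format and clock offset (the formats and offsets are assumptions for illustration), normalized to UTC so the chain of events sorts correctly.

```python
from datetime import datetime, timezone, timedelta

# Assumed per-source timestamp conventions (constructed for this example; the
# real formats depend on how each log source is configured):
#   local AD  : "%m/%d/%Y %I:%M:%S %p", server clock at UTC-5, no offset in the line
#   ADFS      : "%Y-%m-%d %H:%M:%S",    server clock at UTC-8, no offset in the line
#   Office 365: ISO 8601 with an explicit trailing "Z" (UTC)
SOURCE_FORMATS = {
    "ad":        ("%m/%d/%Y %I:%M:%S %p", timezone(timedelta(hours=-5))),
    "adfs":      ("%Y-%m-%d %H:%M:%S",    timezone(timedelta(hours=-8))),
    "office365": ("%Y-%m-%dT%H:%M:%SZ",   timezone.utc),
}

# Constructed sample events, not real logs. Read by local wall clock the ADFS
# event looks earliest; in UTC the true order is AD logon, ADFS token, O365 login.
RAW_EVENTS = [
    ("office365", "2017-03-01T15:07:42Z",   "mailbox login from 203.0.113.7"),
    ("adfs",      "2017-03-01 07:06:10",    "token issued for ceo@example.com"),
    ("ad",        "03/01/2017 10:05:58 AM", "event 4624 logon for ceo on WKS-CEO"),
]

def to_utc(source, raw):
    """Parse a source-specific timestamp and return an aware UTC datetime."""
    fmt, tz = SOURCE_FORMATS[source]
    naive = datetime.strptime(raw, fmt)
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def local_clock_order(events):
    """Order by wall-clock text alone (the misleading view without normalization)."""
    parsed = [(datetime.strptime(raw, SOURCE_FORMATS[src][0]), src, msg)
              for src, raw, msg in events]
    return [(ts.isoformat(), src, msg) for ts, src, msg in sorted(parsed)]

def build_chain(events):
    """Return (utc_iso, source, message) tuples ordered by true UTC time."""
    normalized = [(to_utc(src, raw), src, msg) for src, raw, msg in events]
    normalized.sort(key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, msg)
            for ts, src, msg in normalized]

if __name__ == "__main__":
    for row in build_chain(RAW_EVENTS):
        print(*row)
```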

How was the initial setup?

Complex in the sense that I don't have much experience with SIEMs. We came from nothing. As an organization, we don't even have any experience behind the scenes. It felt very overwhelming, but the partner was able to lead us through it. From that perspective, having that person there leading us through it was relatively simple.

Which other solutions did I evaluate?

IBM's QRadar was there, and Splunk was the other.

What really sold us beyond everything that we've talked about, was the single pane of glass that LogRhythm gave us. Candidly, it was the Web UI Dashboard. The executive dashboard that I could put in front of my VP, I could put in front of my C-level to say, "Here. You can log into this, you can look at it. It gives you all of the high level rolled up information." That was incredibly difficult to come by with some of the other products.

What other advice do I have?

When selecting a vendor, for us the most important thing is the trust of their user base, really. We did a lot of due diligence when we were looking. Everything that we heard from LogRhythm's user base was that they love the product. They were very fanatical about it, that it could do so many things that really were time and effort on our part to implement. That was basically it. Everything was built-in. Really, it was more the user base. It was everything, all SIEMs do all things, and so it was more the support of the product. We knew the product would do what we wanted it to do, we were concerned about support, we were concerned about the way that the community reacted to it.

In terms of a solution being a unified end-to-end platform, it's not critical, but definitely important. We are a very small shop. We support a lot of people, but our IT staff is incredibly small. I think there are five of us and two in the security aspect. An end-to-end platform was important to us, simply because it was a single vendor at that point. I could go to a single source, "one throat to choke," as it were. It wasn't critical, but definitely it was high up on the list.

Honestly, that rating of eight out of 10 is because we haven't used it very long.

I would advise anyone looking at this or similar solutions to define your use cases very well. That is what is going to separate a LogRhythm from a QRadar, from a Splunk. Everything can collect data, but pulling the data back out of the system, analyzing that data is the critical component. Definitely define those use cases and present those to the sales reps, and see how they respond.

Disclosure: I am a real user, and this review is based on my own experience and opinions.