LogRhythm NextGen SIEM Review

Searches can be performed using any known value, IP address, hostname, username, or event, though report-building is limited by its use of Crystal Reports.


What is most valuable?

The Web UI is perhaps the most valuable feature in the solution.

How has it helped my organization?

LogRhythm allows our IT/IS teams to quickly identify issues across the enterprise. Searches can be performed using any known value, IP address, hostname, username, event. The results are then used to "open a case". The case is assigned to an analyst, who can add additional info during the research and remediation efforts.

What needs improvement?

Report-building is in Crystal Reports and has a limitation: a non-editable template must be created, then the report is created against the template. The OFI is this: the template needs a preview option, as well as an edit option.

For how long have I used the solution?

8 months

What was my experience with deployment of the solution?

None that were not easily overcome.

What do I think about the stability of the solution?

None

What do I think about the scalability of the solution?

No, we right-sized the deployment and also deployed it as a high-availability environment.

How are customer service and technical support?

Customer Service:

I have been very pleased with customer service. I have only had to contact my CS a couple of times, and he has done a great job of follow-up to ensure my company's needs were met in a timely fashion.

Technical Support:

Great support team. Average call pickup time has been less than 1/2 hour. I have had a couple of "scheduled" appointments get delayed when the agent's previous call ran over.

Which solution did I use previously and why did I switch?

We previously used Juniper STRM, a rebranded QRadar. We faced the following issues:

1. Log processing could not keep up with collection, so events were being dropped.
2. Support was poor.
3. When a ($45 at Best Buy) disk drive went out, we were sent an entirely new system.
4. When faced with upgrading to support our log collection demands, the estimated cost was several times greater than the LR deployment.

How was the initial setup?

Depending on the size and complexity of the deployment, I recommend paying for the Professional Services team to assist. All work was done in a remote session.

I also recommend not attending the training sessions until a few weeks of bake-in have occurred. Too many topics were covered to fully absorb all the information that was disseminated.

What about the implementation team?

Our internal security team performed the majority of the installation, again working with the PS group at LogRhythm.

What was our ROI?

We immediately saw benefit on our first investigation.

What's my experience with pricing, setup cost, and licensing?

Depending on the size and number of logs, I recommend deploying VM (or physical) collectors and having the logs forwarded to the appliance. We are collecting logs from 2500+ systems, and did not want to impact the appliance with collection, but rather with analyzing logs. This solution has worked very well so far.

Which other solutions did I evaluate?

We reviewed several solutions including AlienVault (not large enough for our needs), Splunk (would need a full-time programmer to write queries), and QRadar (since we already had a previous version). We did a month-long POC on Correlog and attempted to POC EIQ Networks.

What other advice do I have?

We are very pleased with the LR solution and are looking forward to the upcoming update.


Disclosure: I am a real user, and this review is based on my own experience and opinions.
