LogRhythm NextGen SIEM Review

Searches can be performed using any known value, IP address, hostname, username, or event, though report-building is limited by its use of Crystal Reports.
Valuable Features

The Web UI is perhaps the most valuable feature in the solution.

Improvements to My Organization

LogRhythm allows our IT/IS teams to quickly identify issues across the enterprise. Searches can be performed using any known value: IP address, hostname, username, or event. The results are then used to "open a case". The case is assigned to an analyst, who can add additional info during the research and remediation efforts.

Room for Improvement

Report-building is done in Crystal Reports and has a limitation: a non-editable template must be created, then the report is created against the template. The OFI is this: the template needs a preview option, as well as an edit option.

Use of Solution

8 months

Deployment Issues

None that were not easily overcome.

Stability Issues

None

Scalability Issues

No, we right-sized the deployment and also deployed it as a high-availability environment.

Customer Service and Technical Support

Customer Service:

I have been very pleased with customer service. I have only had to contact my CS a couple of times, and he has done a great job of follow-up to ensure my company's needs were met in a timely fashion.

Technical Support:

Great support team. Average call pickup time has been less than 1/2 hour. I have had a couple of "scheduled" appointments get delayed when the agent's previous call ran over.

Previous Solutions

We previously used Juniper STRM, rebranded QRadar. We faced the following issues:

1. Log processing could not keep up with collection, so events were being dropped.
2. Support was poor.
3. When a ($45 at Best Buy) disk drive went out, we were sent an entirely new system.
4. When faced with upgrading to support our log collection demands, the estimated cost was several times greater than the LR deployment.

Initial Setup

Depending on the size and complexity of the deployment, I recommend paying for the Professional Services team to assist. All work was done in a remote session.

I also recommend not attending the training sessions until a few weeks of bake-in have occurred. Too many topics were covered to fully absorb all the information that was disseminated.

Implementation Team

Our internal security team performed the majority of the installation, again working with the PS group at LogRhythm.

ROI

We immediately saw benefit on our first investigation.

Pricing, Setup Cost and Licensing

Depending on the size and number of logs, I recommend deploying VM (or physical) collectors and having the logs forwarded to the appliance. We are collecting logs from 2500+ systems, and did not want to burden the appliance with collection, but rather have it focus on analyzing logs. This solution has worked very well so far.

Other Solutions Considered

We reviewed several solutions, including AlienVault (not large enough for our needs), Splunk (would need a full-time programmer to write queries), and QRadar (since we already had a previous version). We did a month-long POC on CorreLog, and attempted to POC EiQ Networks.

Other Advice

We are very pleased with the LR solution and are looking forward to the upcoming update.

Disclosure: I am a real user, and this review is based on my own experience and opinions.