LogRhythm NextGen SIEM Review

The dashboard puts things at our fingertips, but it's a challenge to pull out all the info we need


What is our primary use case?

The primary use is monitoring logs, to see what's going on.

How has it helped my organization?

It's head and shoulders above what we were using, which was SolarWinds LEM.

What is most valuable?

Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

What needs improvement?

My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

What do I think about the stability of the solution?

As long as you don't overfeed it, it's fairly stable.

What do I think about the scalability of the solution?

The scalability has been fairly decent so far, as long as you don't overfeed it.

How is customer service and technical support?

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: How many tickets they can close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

How was the initial setup?

The initial setup was fairly straightforward.

What other advice do I have?

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email