ArcSight Logger Room for Improvement

Nagendra Nekkala - PeerSpot reviewer
Senior Manager ICT & Innovations at Bangalore International Airport Limited

There are multiple sources, like Windows and Unix, and we need connectors to get the logs. The solution must provide readymade connectors for different applications. Otherwise, we have to build connectors ourselves.

Subhadip Pakrashi - PeerSpot reviewer
CEO at Kapstone Technological Services LLP

It would be better if the product is cheaper.

Mohammad Sabah - PeerSpot reviewer
Senior Security Analyst at a government with 201-500 employees

I had some latency issues for two months. I had to increase our storage capacity significantly to reduce the latency. 

Buyer's Guide
ArcSight Logger
April 2024
Learn what your peers think about ArcSight Logger. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,578 professionals have used our research since 2012.
FD
SOC Engineer at Central Bank of Nigeria

We encounter challenges when onboarding logs from cloud sources, so we are considering transitioning to a cloud-based solution. Additionally, we find that the search and access functionality is quite slow. It is not a scalable product, so we have to create and manage storage.

Additionally, they could include case management functionality. It would be beneficial to have both the Logger and the ESM (Enterprise Security Manager) accessible from a single interface.

Rikin Rathod - PeerSpot reviewer
Senior Officer IT at Tech Data Limited

The platform is quite expensive. They should reduce its cost.

Ben Nnatuanya - PeerSpot reviewer
Manager, Security Operations Centre at Phillips Consulting Limited

The next release should have AI capabilities. 

Ademayokun Daini - PeerSpot reviewer
Cyber Security Engineer at MTN

The graphics and dashboard could be improved.

Hassan Moussafir - PeerSpot reviewer
Information Security Senior Expert at Wafaassurance

The console in older versions is not user-friendly.

At one point, we experienced an RMA. However, they sent an expert to do an SDN check. Someone came to the company to verify the hardware and try to access the log just to verify what the root cause of the incident was. The hardware was replaced without incident for us.

The solution could benefit from adding in machine learning.

MA
Senior ArcSight and IBM Resilient (SOAR) administrator at a comms service provider with 1,001-5,000 employees

It is really difficult to work in ArcSight Logger, as it is very slow. I have worked three times on these logs due to their slow functioning.

If it changes completely, I think there will be two issues. Firstly, if they are using big data, then it will be very costly, and it will be enhanced with service protocol. Secondly, I see a lot of customers in Saudi Arabia coming overseas to vendors to get the ArcSight Logger version which uses big data for searching.

it_user915744 - PeerSpot reviewer
Vulnerability Assessor at Telenor Common Operation

The speed of Logger indexing and searching for certain bugs for some queries that we provide could be improved. It can handle a huge number of logs but it can be improved.

They should improve the speed of the indexing and queries being dumped. Technical support's response time could also be slightly improved. Although these two issues are not something bad, it's just the only things that I think have any possibility to improve, but they're not necessarily something that is bad.

Prischal Bahgoo - PeerSpot reviewer
General Manager at VIC IT

The product's connectors should work better and the user manuals need an update. 

it_user417534 - PeerSpot reviewer
Network Specialist with 1,001-5,000 employees

The only thing I did not particularly like about the product was its speed on the web interface. It took very long for it to populate and perform the queries.

Olajide Olusegun - PeerSpot reviewer
Network Team Lead at Atlas Security

Using the ArcSight Logger dashboard is not particularly intuitive or efficient, so it is important to be trained in its use. Unless you have experience with the dashboard, it is not something you can easily figure out. For optimal use, it is recommended to seek out training before attempting to use the dashboard. The dashboard has room for improvement, by making it more user-friendly with fewer commands. Maintenance and troubleshooting can be complicated and complex.

PN
Senior Information Security Analyst – GRC at a transportation company with 1,001-5,000 employees

The support structure is not very good.

They are not 100% up to date with the current technology.

ArcSight does not provide the advanced details that we require.

AI and analytics are among the major things that are needed for better analysis.

The integration with other systems could be improved.

The interface could be improved with a better GUI.

SV
Founder & CEO at a security firm with 10,001+ employees

ArcSight Logger is an outdated product. It hasn't been changed in the last ten years. I think that it's a product that will disappear and there are better platforms that you can use.

You have limited reporting capabilities and I wouldn't choose ArcSight Logger for this purpose. I would prefer to go with Elastic or Splunk.

You can do reporting but it's not up to date in terms of interactive reports that are presented well.

I was looking for a SIEM solution. ArcSight has ArcSight VSM, which is a pretty good product, but what I see on the market now is that it is being caught up by newer, more intuitive applications like Splunk. I wanted to have some deep technical insight in comparison of the two platforms.

If you have a product that hasn't evolved in 10 to 12 years then you have to start looking at other products. Many solutions were implemented and were useful at the time, but are outdated now.

In terms of features such as anomaly detection, or machine learning, or building apps on top of it, it's either not there or it's very limited.

With technical support, in the past when it was ArcSight, it was very good. However, when it moved to HP, then Micro Focus, the quality deteriorated. You could see that the knowledge was disappearing in the company.

They would benefit from having real clustering with some kind of high availability setup, but it's not clustering as it is in Elastic, where you put in a node and cluster and it all works together. It needs improvement and it should be much better. Also, the user interface is outdated, the search could be faster, and the integration with big data solutions isn't great for input and output.

HF
CISO at a financial services firm with 1,001-5,000 employees

They should enhance and improve everything related to the graphical user interface. It needs to be more fluid and easy to use. Many think that ArcSight is complex and difficult. This is not something that my team feels but that's because we have acquired experience and expertise over time.

The solution should make it possible to integrate network analysis features.

SA
Security Professional at a tech services company with 501-1,000 employees

It's not a new product and is a bit complex. So, it requires a person dedicated to working on it and to know about it in and out. It is a huge product, and the search operation is a bit complicated for a new user or someone who has not used it for long. So for that person, it becomes a bit difficult.

There is a storage problem, and some improvement can be made to the search mechanism.

If you want to do a search, then you have to obtain a couple of criteria to get the exact amount of data. Let's say you have hundreds and thousands of servers in your environment, which will ultimately populate billions of events in a single day, especially the network devices. In this case, if you want to search a specific event, you have to be very, very specific with that query. That's something that can be generalized a bit.

Apart from that, it's a very complex tool and is not easy to implement and maintain. It requires a dedicated team.

Another thing that I think can be improved is the performance issue. When you are ingesting data in ArcSight and also you are forwarding the data from ArcSight to some other products, I have seen some performance issues.

ArcSight does not perform well in this case. It takes time to process the data. The load is too much. At times, the logger crashes.

The UI can be improved as well.

it_user159090 - PeerSpot reviewer
Senior Security and Compliance Engineer at a retailer with 501-1,000 employees

I'd like to see more pre-built smart connector supported applications, although the list today is voluminous.

it_user409197 - PeerSpot reviewer
Security Architecture Senior Specialist at a comms service provider with 1,001-5,000 employees

I would say that the consolidation should be done only by using ArcSight. We need to use the ESM module to create complex rules and reports as we can only do limited reports with ArcSight.

SS
Security Engineer at a tech services company with 1,001-5,000 employees

The solution could be improved in maintenance settings.

One of the additional features I would like to see in the next release is an automated dashboard of the logs that has information that is more detailed.

it_user414390 - PeerSpot reviewer
QA Consultant / Security Testing Professional at a tech company with 501-1,000 employees

With the connectors, there were some legacy devices that had some problems since support was dropped for those.

it_user418134 - PeerSpot reviewer
IT Security, Associate Consultant - On-location at a tech company with 501-1,000 employees

SmartConnector vendor support will always be a battle, but most major vendors and products seem to be supported.

Clicking on a log source on the main page should not pull all stored logs as this is too slow and way excessive. It should default to a recent and smaller sample.

AR
Technical Consultant at a tech services company with 11-50 employees

I think the ArcSight team should try to simplify legacy products for the customers, because that product is not easy to use or to work with. It needs more competency or appeal to use. We hope Micro Focus is trying to resolve this.

A lot of people that compare this solution with QRadar or McAfee say that the other products in the market are easier to use than ArcSight. After customers do the training to see how they can use it, they change their minds a little bit, but it still seems that Micro Focus should take some time to reduce the complexity in using ArcSight.

ArcSight should give each customer more visibility or a more useful presentation on the web product. There are a lot of customers that want to use the product in the web, especially to use the dashboard, but the dashboard is not so beautiful.

it_user417555 - PeerSpot reviewer
IT Security Operations Manager at a recruiting/HR firm with 1,001-5,000 employees

We have issues with connecting standard HP network devices as they appear to not be supported by HP ArcSight. One company/product is not aligned and apparently it is expected that all the network data is in CEF format, which is impossible for the HP network sources to deliver. Instead, HP ArcSight should be able to handle any file format.

MS
Senior Security Analyst at a government with 201-500 employees

We have had problems with archiving.

The license for ArcSight Logger has given us problems.

I would like to see better integration with ArcSight ESM.

It would be helpful if this solution had some of the features from the ArcSight Command Center.

it_user1141698 - PeerSpot reviewer
Team Lead at a tech services company with 51-200 employees

A concern is that after their merger with Micro Focus I have some doubts. I don't see much development of the road map on ArcSight itself. The reason why I'm saying this is because we had a situation here in Sri Lanka which concerned us, where ArcSight suddenly decided to discontinue IBM as an installation platform for the connectors. So in case of the road map and the technical improvements, I see the direction has changed somehow and now the customers and the distributors who are trying to implement it don't have as much visibility about the direction.

ArcSight should focus on inbuilt features like SOAR and UBEA features.

it_user1052814 - PeerSpot reviewer
SOC Analyst at a tech services company with 11-50 employees

I would like to see better scheduling in the next release of this solution.

It would improve the solution if some of the features available in the console were implemented within the search. More things can be done in the console, while the logger is restricted to just a few of them.

MA
Works at a government with 201-500 employees

In the next release, I want to see more intelligence. 

it_user417468 - PeerSpot reviewer
Security Solutions Delivery Engineer at a tech services company with 1,001-5,000 employees

I wouldn’t mind adding a few features such as grouping of events based on the “name”, “source address”, etc. in real-time rather than requiring the running of reports every time. A few competitors allow this functionality already.

it_user417453 - PeerSpot reviewer
SIEM Administrator at a tech services company with 1,001-5,000 employees

ArcSight Logger needs to improve in the area of threat analytics as security is vitally important to us. It also needs to provide some "upper-hand" features on some functionalities, as they're somewhat not so easy to use.
