ELK Elasticsearch Room for Improvement
The solution has quite a steep learning curve. The usability and general user-friendliness could be improved. However, that is kind of typical with products that have a lot of flexibility, or a lot of capabilities. Sometimes having more choices makes things more complex. It makes it difficult to configure it, though. It's kind of a bitter pill that you have to swallow in the beginning and you really have to get through it.
Once you begin to understand the concepts and how to actually look for data it's a very pleasant solution, but the learning curve is very steep in the beginning, to the point that they could improve it to make it a bit less intimidating to start. There needs to be a bit more intuition behind the architecture and the data search.
Enhance the Spaces feature to make it fully multi-tenant by enabling role-based access control (RBAC) at a Space level rather than overall Kibana or stack level like it is currently.
Elastic needs to work on their Machine Learning offering because currently they have been trying to make it a black box which doesn't work for a serious user (a Data Scientist) as it doesn't give any control over the underlying algorithm. It's like a point-and-click camera vs a DSLR. The offering started with a single/ univariate anomaly detection on time-series data. Now, they have a multivariate which is good, but beyond this, we cannot build any other Machine Learning models, like traditional supervised models. Anomaly detection uses mostly unsupervised algorithms and also it is a very broad problem space for a black box to solve it fully.
Make index’s metadata searchable (or referenceable in search queries).
There are a few things that did not work for us.
When doing a search in a bigger setup, with a huge amount of data where there are several things coming in, it has to be on top of the index that we search.
There could be a way to do a more distributed kind of search. For example, if I have multiple indexes across my applications and if I want to do a correlation between the searches, it is very difficult. From a usage perspective, this is the primary challenge.
I would like to be able to do correlations between multiple indexes. There is a limit on the number of indexes that I can query or do. I can do an all-index search, but although it's theoretically okay, in practical terms we cannot do that.
In the next release, I would like to have a correlation between multiple indexes and to be able to save the memory to the disk once we have built the index and it's running.
Once the system is up, it will start building that in memory.
We need to be able to distribute it across or save it to have a faster load time.
We don't make many changes to the data that we are creating, but we would like archived reports and to be able to retrieve those reports to see what is going on. That would be helpful.
Also, if you provide a customer with a report or some archived queries, that the customer is looking at when they are creating, at first it will be slow while putting up their data or subsequently doing it. I want it to be up and running efficiently.
If the memory could be saved and put back into memory as it is, and then it starts working, it would reduce the load time. Then it will be more efficient from a cost perspective and it will optimize resource usage.
Its licensing needs to be improved. They don't offer a perpetual license. They want to know how many nodes you will be using, and they ask for an annual subscription. Otherwise, they don't give you permission to use it. Our customers are generally military or police departments or customers without connection to the internet. Therefore, this model is not suitable for us. This subscription-based model is not the best for OEM vendors.
Another annoying thing about Elasticsearch is its roadmap. We are developing something, and then they say, "Okay. We have removed that feature in this release," and when we are adapting to that release, they say, "Okay. We have removed that one as well." We don't know what they will remove in the next version. They are not looking for backward compatibility from the customers' perspective. They just remove a feature and say, "Okay. We've removed this one."
In terms of new features, it should have an ODBC driver so that you can search and integrate this product with existing BI tools and reporting tools. Currently, you need to go for third parties, such as CData, in order to achieve this. ODBC driver is the most important feature required.
Its Community Edition does not have security features. For example, you cannot authenticate with a username and password. It should have security features. They might have put it in the latest release.
Manager at a tech services company with 11-50 employees
I think the GUI part of the solution has the most room for improvement. Actually, we are using the free version. We do not use the plug-ins so we have to do some additional development ourselves to have the necessary access to the controls.
We are not a heavy user, we just keep the logs and track data in the system. We use it and there is no problem for our current purposes and level of use.
Cyber Security Professional at Defensive Cyber Security Center Germany
I would like to see more open source tools and testing as well as a signature analysis in the solution. I think that a lot of times when we go into a corporate environment where it becomes more add on features or an additional service fee, it typically draws away from that product.
I think it would be cool if they could provide a couple of licenses that would be test bed licenses so that engineers and people who have their hands on the keyboard could test any new development.
Data Scientist at a tech vendor with 51-200 employees
In terms of product improvement, ratio aggregation is not supported in this solution. I can do aggregations, but taking a ratio of two metrics is not supported. That's a common use case that I have come across. And if I want to do bulk coding then that's something that is not very convenient. I would like those things to be included in the next version.
Senior Consultant at sectecs
It should be easier to use. It has been getting better because many functions are pre-defined, but it still needs improvement.
If you have a large enterprise environment, it is costing a lot of money and it's not a full-blown SIEM. It has SIEM features but a lot is missing. You need to involve other products to make a SIEM out of it.
Some of the other products needed were Apache, Kafka, and ticket tools. It was custom made and not what I had expected in the end.
I would like to see them get closer to a full-blown orchestrated SIEM, and create predefined modules to bring you to using it as a SIEM faster, and on the fly instead of having to tweak the Grok filter for weeks.
I would like to see more pre-defined modules.
Kibana should be more friendly, especially when building dashboards.
Stability needs improvement.
I would like to see the Kibana operating more smoothly, as Grafana does. Also, I would like to see some improvements with the machine learning capability, so that we can rely on it more. It's in the early phases but this would be a great way to start using it.
When it comes to aggregation and calculations, I would like to have advanced options in the dashboards to be used in a simplified way, such as building formulas and queries between different fields and indexes.
The alerting feature should be more flexible, with advanced options.
Murex Consultant at a tech services company
This is not a robust system, so in terms of resilience, they have to make some improvements. From time to time the system goes down and we have to start again, after adjusting some configuration parameters.
Technical support can be improved.
The interface would be improved with the inclusion of dashboards to assist in analyzing problems because it is very difficult. Better dashboards or a better configuration system would be very good.
We run this solution on multiple servers. ELK has three lanes which comprise a single package made up of Elasticsearch, Logstash, and Kibana. To my mind, this is not efficient because we have to individually deploy the different applications. In contrast, we're able to deploy Splunk with a single application. Implementing the dashboards is also quite difficult. With Splunk and Nagios it's much easier to directly interact with Elasticsearch. I'd like to see some additional features in the front end, which currently make it a bit difficult to implement, and it should be simplified.
I have not been using the solution for many years to know exactly the improvements needed. However, they could simplify how the YML files have to be structured properly. If you want to ingest certain logs, you need to edit the YML file and connect it to your modules to start ingesting and parsing the end-user logs. Doing this is sometimes difficult and could be streamlined.
Associate Software Engineer at a tech services company with 51-200 employees
Technical support should be faster.
Engineer at IT Specialist LLC
The pricing of this product needs to be more clear because I cannot understand it when I review the website.