The nice thing about LogRhythm is that they continue to innovate and come up with new capabilities like their NDR solution that we recently invested in. They continue to stay relevant. 

I would rate LogRhythm a nine out of ten. The on-prem version of the solution is fantastic and is the core of my SOC. It's our daily tool for all of our investigations. 

If you are one who thinks that SIEM is an outdated security tool, I would be very curious to know what other solution would be better than a SIEM to accomplish the same goals. A SIEM tool gives you such an open perspective into what is going on in your network and gives you the ability to dig in if you really need to. Whereas if you have a completely managed solution or one that uses AI and does everything for you but doesn't provide you the logs, you might know what's wrong but won't know what else is going on out there. With a SIEM tool, you can dig in as far as you want to, and specifically with LogRhythm, you can be as hands-free as you want to be. It'll tell you what's wrong, and you can address those problems. You have a lot more flexibility with LogRhythm SIEM.

Overall, I'd rate LogRhythm SIEM a nine out of ten. I really enjoyed the solution. If you have to program anything yourself, there is a little bit of a learning curve. They've got lots of guides that you can use, and depending on your skill set, you may be able to figure it out sooner rather than later. The resources are all there, and the community is there to help you, which makes the product really great and easy to use.

My advice for someone considering implementing LogRhythm SIEM would be to start with proper controls and understand the value it provides.

Before installing the solution, users should consider factors like EPS calculations and endpoint support to ensure proper sizing, especially if not going for an appliance.

Overall, I'd rate this product an 8 and would recommend it to others due to its cost-effectiveness, value for money, and user-friendly nature.

To those planning to use the solution, I suggest they get trained before starting the use and deployment of the solution.

I rate the overall solution a nine out of ten.

People using the solution should make sure that they have all their processes prepared in advance and there is proper planning before starting the implementation. I would rated 8 out of 10.

We are a gold partner. 

I'd recommend the solution to others. It has a lot of new features and offers AI and ML. There is good support, scalability, and flexibility on offer. 

I'd rate the solution seven out of ten. 

LogRhythm SIEM is a good product for a small SOC. Overall, I rate the solution an eight out of ten.

I'd rate the solution ten out of ten. 

Those that say SIEM is an outdated security system, don't understand cyber security. SIEM is what allows analysts like myself to be successful. Without a SIEM, how can we see everything? We can't.

Honestly, I don't like this solution so much. I'm actually a Splunk Certified Architect and so I know Splunk pretty well, and when I compare them, I really don't like this product. The best advice that I can give is not to install this product unless you have a use case that matches its capabilities.

The use case for this product, the LogRhythm SIEM, is in a regulatory environment such as HIPAA, SOC, PCI, or banking. These are heavily audited environments where you have precise requirements for reporting. They have pre-configured lots of different types of inputs but it's a very rigid environment. You can only collect information from certain types of sources and it's very complex as to how to instruct the product to obtain a certain type of log message.

Once you configure a new log message source, you'll have to go on to the LogRhythm platform and conduct a variety of clicks and actions to vet or verify that log source and allow LogRhythm to start collecting logs. Not only that, but there's one more annoying thing. I'd say for these highly audited environments, regulatory environments that I mentioned, they have many, many pre-configured reports.

So, it's designed very rigidly. In other words, they have done a lot of work in pre-identifying what the fields are in every type of log message. If you're getting log messages from Active Directory or the firewall then they know exactly what every field is. But, they have their own particular naming convention for fields and with the rigidity, you can't change that so easily.

I'm in the networking team and we're using it to monitor log messages from our networking equipment. For that, it's not such a good product. For example, consider a jet engine with a lot of sensors such as temperature, pressure, rotational speed, wind speed, fuel flow, etc, they have lots and lots of sensors in them that are all connected by ethernet. If you want to use Splunk to monitor a jet engine you can do it, easily. Forget about doing with LogRhythm, that's not happening.

The bottom line is that for highly regulated industries it may work well, but you cannot use LogRhythm to monitor equipment. You also have to make sure that everybody who uses the product has full training and certification. If you're not willing to commit to the full training then don't even consider it.

I would rate this solution a five out of ten.

I would rate this solution 8 out of 10.

My advice is that if the requirement is to have someone on-prem, for example, someone that is working in a financial entity, it is a requirement to have all the information in their own data centers and using specific connections. If you have that case, you can use it. It is convenient. And you can use it if you have a case where the evolution of the environment is not going to change for the next three years. Otherwise, if you have a lot of changes during the time that you are going to be using this solution, you need to include different components that will probably be complicated to architect.

My advice:

1. Get a SIEM.
2. Which SIEM I would suggest really depends on what your key use cases are. There are other SIEMs that do other things better. As an example, Splunk brings in logs wonderfully. But if you're not going to hire a Hadoop engineer who absolutely specializes in it, you're going to bring in a lot of logs that you're not going to be able to do anything with. You really have to look at everything that every piece does. 

In terms of the full-spectrum analytics capabilities, we're not using NetMon, we're not using FIM. We're just collecting logs from every device that we can collect them from. I'm in the process of onboarding hundreds of application logs. We feed them all to our SOC and Instant Response and Compliance teams.

Playbooks, for me, are "N/A." I have an associate that handles all the analytics and reporting and alerting. I'm more of the architect.

We have somewhere around 90,000 log sources. Do remember that Windows takes three log sources each. We're running about 5.5 billion logs a day. We're running a sustained 55,000 logs per second. Our database is somewhere in the neighborhood of 4.5 terabytes in size, over two tables. It's a large installation.

When it comes to our security program maturity, we have built a very strong security team. Since LogRhythm was implemented, the team has exploded, not only because of LogRhythm. We're now implementing many other vendors, cloud and other things.

For deployment and maintenance of the solution, we have three staff. That being said, being Marsh & McLennan Companies, we're running a very big installation where we have several teams that have input. This is my first time being part of that kind of team. I've been in SIEM for 15 years, but until now, every time I've ever done it, I've been the sole "SIEM guy," the one who handled everything. But now, I'm an architect. We have a SIEM analyst. I work directly with one of the heads of the server teams, so when we need to do upgrades we use that team. We also have a SOC, we have an IR team, all in-house. We have a lot of teams that have input into the SIEM.

When selecting a vendor, the most important thing to me is that the product does what it says it's going to do; that and the support.

I've worked with many other SIEMs. I was Professional Services for ArcSight for a year-and-a-half. I've worked with enVision, I've worked with RSA Security Analytics. We were their first customer when they rolled out the analytics and it took a year to get through all the bugs. There are some things that some of the other pieces do better. There are some things that I think that LogRhythm has missed. But all in all, it's one of the best SIEMs, as a total package, that I've worked with. When I hit an issue, the support teams and other teams are there to help.

Because my installation is not stable, I rate the solution at six out of ten. Once I become stable it will be a nine.

I have seen the features that are coming in 7.3, and they look incredible.

It has far exceeded what I thought it was going to do for me in my job role. With the Web UI, over like a Splunk solution, it has actually become a tool that is used outside of security. I do not have to have people who have Lucene SQL Query Syntax memorized in order to get a value out of the system. They can jump in, log in as themselves, point and click, build themselves a query, and everything's great, then they love it.

People who want to use the solution must not do any big searches. Overall, I rate the product a six out of ten.

I would definitely recommend LogRhythm, based on my experience with it. LogRhythm is always trying to change and improve its product which is always a good thing. Other SIEMS are in development to upgrade and better their SIEMs but LogRhythm, across the board, has a great team. They look an inch deep but a mile wide, whereas other companies will look a mile deep and an inch wide. I think it's a lot better to do "across the horizon," instead of a small, six-foot-deep hole.

We are not using the full-spectrum analytics capabilities at this time. We are thinking about it, but there's a process for getting those changes into our baseline, being a development program. We have no playbooks at this time.

We have about 5,000 to 7,000 log sources per environment and there are 20 environments. In terms of logs per second, it all depends. We're in development. Some of our environments are not ramped up and they're all at different stages of development. Where we only get 100,000 to 150,0000 logs a day in some environments, in others we'll get close to 1 billion logs a day.

When it comes to what's important in selecting a vendor, price, names, and support are all great and dandy. Obviously, the big names of the world have a track record. LogRhythm hasn't been huge for a lot of time but they're starting to grow. They were one of the ones recommended by industry reviews in the SIEM world, but they were a relatively small company at the time. When you have industry reviewers recommending a small company, it says a lot for that small company. I know that they are growing now, but back when LogRhythm was first talked about by the industry they weren't very big, compared to the Arclights and IBMs of the world.

I rate it an eight out of ten because I don't have a lot of experience across the board with different SIEMs. I've worked with ArcSight but ArcSight is very expensive. And I've worked a little bit with QRadar. I actually like QRadar as much as LogRhythm.

Our security program is not real mature. The security group just got a CISO within the last year or two, so that has been the focus. The company is bringing up that side of the business. They recognize that it is something that needs to be invested in, along with their investment in LogRhythm.

I don't have playbooks right now. We are still on 7.2. I don't think playbooks are in there yet. It makes sense that we use that functionality, and we're looking to go to 7.4 as soon as the .3 release comes out.

We have about 1800 log sources. 

We are right at 5000 messages per second, and the system is scaled for 10,000.

I would rate this solution 7 out of 10.

When you integrate a log source by default, you have to know what the customer needs or the process that is wanted, because we did the reconfiguration multiple times for log sources.

So, they have to also follow the MITRE ATT&CK Framework, because by default LogRhythm collects the common logs, so you have to enable this.

To estimate it in the licensing sizing exercise, it must be done correctly. Sometimes I see customers sizing away from the current situation. Customers sometimes buy a license that is not enough for their implementation, because they didn't expect what they would be adding in the future during the implementation.

Sometimes the implementation takes one year, and the customer adds more devices, so it exceeds their license. I think it's the presales' job to do the sizing correctly. And the customer must be aware of how or what to implement during, so that implementation doesn't take long.

It took some customers two years to implement a SIEM solution. I don't remember the solution, but it was a waste of two years' time.

We do have quite a few log sources. Currently we've got around 30 or 40 completely different kinds of log sources and roughly six or 7,000 different devices currently reporting in. We set it around 20,000 events per second sustained for our new infrastructure. That's kind of a lot for us. We've gotten that up relatively quick, up and running. So the stability for that has been great. And as far as parsing goes, we have generally stuck to platforms that we know would parse out of the box. And now, we're just starting to get our feet wet with, okay, what are some platforms where maybe it doesn't have out of the box support for the parsing messages" Or we might want to write our own parser or something along those lines.

We know that it supports things like common event format. And so generally, I'm pretty confident that we'll be able to get everything in there that we want. I wish we had that information. Unfortunately we don't have mean time to detect or any of those soft things. Prior to LogRhythm, it wasn't even an option for us to get those sorts of things. Now with playbooks coming out and some of the new tagging features and case management features that are going to be in seven point four for LogRhythm, that's our first target is to start actually putting numbers around that. And we just haven't had LogRhythm in house long enough to stand up a program around getting those metrics.

As far as the rest of 2018 and 2019 goes, that's one of our number one goals is to get those metrics in place. And certainly, the case management features and seven four are what we're looking to get us there. 

I can tell you for sure that that saves at least an hour of analyst time every single time that occurs and that might happen three or four times a day even for just potentially unwanted software and things like that. So we know that we're saving a lot of time. I have no idea how much exactly we're saving just yet, but I know it's going to be a lot more in the future because we're really starting to get sped up with smart response options and automation, especially when it comes to playbooks. So we'll see a lot of that in the future and that's another one of the big reasons that we've looked to LogRhythm to say, "Okay, we know that we still have yet to see some of what we've invested in here, but we're confident that we're seeing it already."

I give it a nine out of ten right now. The only only minus being for documentation, that's it. But I think that they can get there. So I have faith in them. The advice I would give to somebody looking for a new SIEM or to invest in SIEM technology would be obviously they have to keep in mind the price. We always have to work within that constraint. As a technology person, I hate to think from that perspective, but it's our reality and so things like Splunk really work against that in terms of being able to have to pay for ingestion of data. LogRhythm is great in that area. And that's one of the reasons why we've definitely looked towards LogRhythm for that. A couple of the other things that I look at for them is automation capabilities and API's. 

Everything these days has to have an API. So how good is your SIEMs API? And LogRhythm definitely seems committed to continuing developing their API out, particularly with playbooks and automation. And so, generally, I'm going to say that's where you should be looking for SIEM right now is automation. Most of the SIEM software solutions can do 99 percent of what's out there. Can It parse a message? Can it store it? Can it index it? All of those things, they all generally check that box somewhere along the lines. But how closes is that ecosystem? How available is the API? How good is the support gonna be and things like that, that not necessarily every SIEM does equally? I would say that's where they need to look to find their value.

Work closely with your sales and engineering team for your setup and give them all your requirements and use cases.

I would rate LogRhythm an eight out of ten.

I'm a senior security analyst. I work at a government organization that employs between 500 and 1000 people.

We are on-prem with high availability, so we have two self-contained systems, sequel logs, and everything, and they can run either box.

In terms of helping us manage workflows and cybersecurity exposure, we haven't leveraged smart responses in the SIEM. It looks like a powerful asset. We have some automated responses with a different tool for ransomware detection and prevention. However, the workflow ability in the SIEM is actually quite powerful. We just haven't leveraged it since we haven't felt that the right use case presented itself to us yet.

When it comes to affecting our rate of efficiency, we don't measure those metrics, so it's kind of hard to say there's a measurable amount or how much it's improved. It has given us a threat-hunting tool previously unavailable to us. We are very happy to have the SIEM be our primary threat-hunting tool.

Those who say SIEM is an outdated security solution should note that SIEM technology has been around for a very long time. It's still relevant thanks to the continual development that companies have done to bring more usability to extracting threats from logs. That's timeless. That's not something that's going to go away over time. The LogRhythm SIEM continues to add features, and improvements and makes finding and presenting data from raw logs easier. Digging through logs before we had a SIEM was tedious and very time-consuming. It's made it a big-time saver. To have the way it presents the logs in a usable manner has been a tremendous help for us.

I'd rate it a solid nine out of ten.

I'd give LogRhythm a nine out of ten because of the ease of use, especially as an analyst, being able to twist and turn all that data, drill down on it, really get an easy understand of what's going on in the environment.

From the administration side as well, it's a lot easier to use than other products that I've had and it has all the built in knowledge, whereas with some tools you dump all your data into it and it's up to you to do that classification and indexing and understanding of that data, where the value that LogRhythm's gonna provide for you is that prebuilt classification for all the data sources in your environment.

If I had a friend that was looking to implement a new SIEM solution, I would have them understand what log sources they're trying to bring into their SIEM solution and make sure that the one they chose supported those log sources. On top of that, understand your use cases that you're gonna use this SIEM for, have those ready in hand and be ready to start billing those out as you get that data in the environment.

Know what you want it to do. If you buy a SIEM because its called a SIEM or someone says it's a SIEM, you're gonna end up with what someone else believes they need. Figure out what you need beforehand and make sure that those bullet points are covered because there are a lot of options.

We're currently using the built-in manual playbooks. So far, the features are very good. They are growing. I am looking forward to seeing how they expand upon it.

The automation is coming. The API access and everything else we're looking for to be able to deeply automate a lot of common tasks is still being built-in. Right now, we can do automation on simple tasks. E.g., if it sees something bad, it can take it off the network and put it in our remediation subnet. However, it does not have the capability for complex investigative actions yet.

Right now, we have about 3000 log sources and 3000 messages per second.

It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.

Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."

Most important criteria when selecting a vendor:

• Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
• Very flexible.
• Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
• Scalability: It looks like it is wonderfully scalable.
• Integration: I have been interested with what I have seen with the carbon block and the endpoint stuff.

Go ahead and do the evaluation with their other competitors out there. Understand each of the SIEMs capabilities by sitting down with them. I think you will find that LogRhythm will win out.

A unified end-to-end platform is extremely important, because as we get going to this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, which LogRhythm is definitely one of those platforms that does that.

Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.

I rate LogRythm Siem at 10 out of 10. 

Don't do it without managed services, but I would say that for any SIEM. In SIEM technology, the setup and maintenance side is different from the monitoring and alerting side. I recommend all of our customers to always go with a managed service provider to take care of the monitoring and alerting side, or at the very least, to fill in for off hours because you only have so many people on your staff. Small and medium-sized customers are our bread and butter, and most of our customers don't have the staffing for this. 

If you don't have the expertise to set it up, manage it, or the time to learn it, a managed service can help you get it set up. For most SIEMs, LogRhythm included, for the first six months, you probably need one to one half of an FTE for doing the setup, getting it operationalized, and doing all the tuning. You're going to need one-quarter of an FTE for ongoing operations, maintenance, and support. That doesn't include monitoring of alerts and the response to the alerts. If you've got it well tuned, you don't need a lot of staff to do the monitoring and the alerting during the regular daytime hours. That's where having a managed service provider during off hours and weekends is handy. It is beneficial to have a managed service to do the operational work for maintenance.

It is good, but there is room for improvement. There are plenty of solutions on the market that do a lot of what it does. It is not a huge product differentiator or market differentiator.

I would rate it an eight out of ten. 

LogRhythm gives us the ability to automate. We do have some smart response plugins that we're using. Unfortunately with healthcare you end up using more contextual smart response plugins then you do actionable ones. I can't go and shut down a system 'cause unless I have absolute 100 percent confidence in the fact that it's not actually touching a person because a biomed is a computerized medical device that connects to a person. So in our environment with a half dozen hospitals, 130 clinics. We can't just go around shutting things down or even necessarily quarantining them because it might be a client server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.

If I had to rate LogRhythm I would say I give it an eight out of ten. I think that I like the direction that they're going as a company. I like their philosophy and their milestones that they lay out at these conferences. I do like them also from a product standpoint because some of the competitors are just not, they're price prohibitive as far as volume especially when you look at SIEM tools like Splunk. Small shops can afford Splunk, but big shops you got to really need Splunk to really afford it. The same with Qradar that's what we had previously where we were at and they just became price prohibitive. So I like LogRhythm, they have the full package. I like where they're going with network monitor. I like the UEBA stuff. We're not currently using that. I like the playbook integration. It seems like they're really thoughtfully maturing their product line and I think that gives me confidence for even if I have a pain point now they're going to address that going forward.

It helps that the product is fully realized and ready to go as soon as you get it installed. You can immediately see results and immediately see the data coming in. You're able to collate and correlate it, obtaining your data in a quick and easy manner. 

Do a demo. See what they're offering. Just know that their support is the best.

I haven't used any of the automated playbooks yet. Our engineers are leery about having the automatic stuff go off, which I can understand. We also have separation of duties. I don't have a lot of their credentials to work with it on my own, so we would have to go back and forth with the engineers, and that is something that they don't really want to do. However, we do have our own playbooks and security team, but it's more manual. I am interested in the playbooks feature, so I will attend one of the events here to learn more about it and figure it out, then take it back to the team to get buy in on it, so we can then use it.

We have about 2500 log sources sending logs to LogRhythm right now. We have about 20 firewalls, with a lot of Windows PCs. 

It's the best solution that I've ever used. We're expanding its use, not only in our corporate network, but out to the cloud environment where we host customer data stuff, too.

I'd highly recommend going with the product.

Our security program is pretty much in its infancy. We're always looking to improve things. Just as IT, in general, constantly changes on a daily basis, LogRhythm is always evolving and coming out with different things, helping with innovation. It's been great.

Right now we have roughly 70 to 80 different log sources. We have about 5,000 to 6,000 events per second, and we're looking at expanding that.

I rate it at eight out of ten. It's up there, top-of-the-line, but just like with any other application or program, as you grow, there are going to be some small hiccups. They're very minor.

In terms of a solution being unified, end-to-end, for us it's huge. We have a ton of different security controls. I'm sure we're not any different than any other organization. Being able to bring it all in and put it on a single pane of glass is awesome.

My rating of eight out of 10 for LogRhythm is because, while I think the support is great, the solution is a little rough around the edges. Like I said, I'd like to see the web UI built out more, and be able to jam more data into it. The fat client console feels a little rough around the edges to me, even though I use it every day. But overall, not a ton of complaints.

Definitely check out LogRhythm. That's one of the things that I've noticed in talking to other people, it seems like people really focus on other top 10 SIEM tools like ArcSight and such. I don't hear LogRhythm talked about that much, so usually I'll bring it up and say, "Hey, go check out Logger."

I work in the enterprise security department or the SOC, and I just have to deal with the logs. The tool being used within the organization for log management is LogRhythm NextGen SIEM, particularly the N-1 version.

My organization uses the on-premise version of the tool, and it's been applied to the data center.

I belong to a very small organization with a data center that has sixty people using LogRhythm NextGen SIEM. In terms of maintenance, the tool isn't difficult to maintain.

The only advice I have for anyone who'd like to start using LogRhythm NextGen SIEM is that it's a very good tool, with good features and functions.

My rating for LogRhythm NextGen SIEM is seven out of ten. I didn't give it a ten because it's Windows-based, plus I also don't like its UI that much. LogRhythm NextGen SIEM is also not as good as IBM QRadar.

We are using the solution for our own infrastructure and we are also offering it as a service. We are the largest service provider, cloud service provider, in Pakistan. However, we use a variety of deployment models - including cloud and hybrid.

We have an ISO position for government-certified infrastructure. We have a PCI-certified infrastructure as well as a GDPI compliant infrastructure.

We work closely with this product in particular. We have a lot of hands-on experience.

I'd rate the solution eight out of ten. If it weren't for some parsing limitations in the product, I would rate it even higher.

Everyone needs a SIEM. Go with LogRhythm.

We are not using the full-spectrum analytic capabilities yet, as we are brand new.

We have not used any of the playbooks. We do have them. We find them to be very detailed and organized. We just need to find a way to implement them.

I run in about 45 log sources with 12 of them being domain controllers, aka DNS.

Messages per second are fluctuating between 3000 and 9000. We are still trying to figure out why. We think it is our very chatty domain controllers, as we do deal with the Hard Rock and Seminole tribe, but I would say that we average about 5000.

Most important criteria when selecting a vendor: customer service. Do they care about our business as much as we care about our business? Also know as, do they care about our data as much as we care about our data?

I give the solution an eight out of ten.

The solution can meet the most mature customer's requirements.

I'd recommend LogRhythm SIEM to others. I'd rate it an eight out of ten.

We are an integrator and service provider. 

We are not currently using the latest update.

I'm not sure if I would recommend the solution to others as they still need to improve a few things. For example, support, at least on the local level, is lacking. 

I'd rate the solution five out of ten.

I'm going to give them an eight. It's a fantastic solution and I totally support what they're doing and I like where it's going. But there is room for improvement, and there are some pain points and honestly I've had a rough year. That kind of influences it too. It's been a lot of time on the phone with support this year.

I will tell them what I wished I have known the day I started onboarding logs, and that is when you're looking for a SIEM, put all the features and everything to the side. Go talk to your business people and find out what's important to them because that's how you're going to know what to bring on initially. And once you know those things that are critical and the things you have to do, then you can evaluate the different solutions to see who has the native support because we didn't do that.

We bought it simply because it was awesome and fast and less expensive than Splunk. And then I onboarded 1,500 log sources in a week and brought the system to its knees. And I'm even now today still cleaning up and removing log sources that just bring no value. It's just noise.

Take the time and plan that out before you even go talk to vendors. Figure out what logs are out there, which ones are meaningful to you and the business and then find the solution that fits best with that.

We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.

Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.

I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence, there's always room to improve.

It was pretty significant for our solution to be a unified end-to-end platform because we did have a wide range of systems out there; trying to make sure that it was able to bring in the sources and correlate the events.

The only thing that surprised me was the logs filling up for some of the indexing jobs. Other than that, there was nothing that support wasn't able to go ahead and help us with and get resolved.

My advice to a colleague at another company who is researching a similar solution would be: Make sure you do your research. Understand what it is you're looking for in a SIEM. Have a plan of attack on what it is that you're looking for, and what do you want to get out of the tool.

You would be wrong to think that LogRhythm SIEM is an outdated solution. I use it every day, and it has helped me fix or see vulnerabilities or compromises in our network that I wouldn't have seen before. It's still definitely around.

On a scale from one to ten, I'd rate LogRhythm SIEM an eight.

The unified, end-to-end solution is very key here. We have a lot of various tools, and trying to get them all into one is very key.

Be sure to size it properly. Don't try to boil the ocean. Get your key log sources and let it start paying for itself immediately; it will.

I of course would recommend LogRhythm NextGen SIEM to others.

On a scale of one to ten, I would give LogRhythm NextGen SIEM definitely a nine.

I just found out about the playbooks at the conference. I plan on using them as soon as I get back.

We have about 2500 messages per second coming in.

I'm not sure that we're hands-on yet with the full-spectrum analytics capabilities and we don't use any of the built-in playbooks. We have plans to use them in the future. We want to integrate everything into it and make it more automated.

We're at about 6,000 logs per second. In terms of a measurable decrease in the meantime to detect and respond to threats, we haven't gotten there yet. We are still implementing, still learning. We have to get to all our logs correlated.

So far we're pretty happy with the overall functionality of the system. It's going to meet everything we're looking for.

Things that are important: the first time you get a SIEM in your hands you think it's great to gather everything. Then you find out within a couple of days, gathering hundreds of millions of records and trying to make heads and tails... 

Begin slowly, focus on various systems, understand what they mean. 

A lot of people go, show me the perimeters, show me the firewall, show me the network. Pull that data in and when you've got it then turn around, look at all of your Windows servers, your domains, those environments. 

Moving slowly and classifying your data, so you can make the rules you design really specific. It helps you if you've got control on it, you can throttle volume, but also when you have anomalies pop up they don't pop up because you forgot something in a rule. They pop up because there really is something new.

Just from the simplicity standpoint, it's met all of our expectations now. Like I said, you always have that little thing here and there that you still have to tweak, but other than that, we've really liked the product. 

The biggest thing in this product is not everybody on our security team is well versed in SIEM or analytics, but we found that LogRhythm - the Web Console UI - really simplified, especially with the metadata parsing out. It allowed those people to read those type of events much quicker, because it was right there, and it was pretty easily translated. So "user" is username, "host" is the host, and so it's very easy. You're not having to dig through this big long raw log file to actually figure it out. Then if it needs to go there, it goes to an advanced person.

We are really happy with the product. We've been a customer for a number of years now and really haven't had any issues. It's done just about everything we ask it to do.

Smaller, medium-sized companies, I would actually steer them towards LogRhythm and have them look into it, then I would share my lessons learned.

It is important to have a unified end-to-end platform, but you also do not want to get vendor locked in. Its from a value perspective and a productivity perspective, that is where it is very important.

You do not want to be stuck with one product that then changes course or evolves. You always want to be with the leader in the market that is innovating. You want to be able to maintain that flexibility and be nimble to switch up when needed but having a real good go-to vendor, and LogRhythm seems like they are developing into that.

There are a lot of different firewalls out there. There are a lot of different network devices and different servers. They fit their niches, and it is important from a staffing and training perspective to have fewer products and technologies to support, because it is just hard to find people that are experienced.

You have to balance it out with having the best tools to do your job, because the challenges we face and all the security threats that are out there, you got to take advantage of what's available. If you're using multiple vendors, then so be it, but it is a balance.

Most important criteria when selecting a vendor:

• Interoperability with our partners and the rest of our stack that we have.
• Usability and access to support and documentation are really key.
• Being able to get the value out of your investment in a security product.

There are so many security products out there and so many tools. To be successful, you have to understand how the product works, have the documentation, and training available. That is really key. LogRhythm does a pretty good job.

The driving factor for our company is compliance. And next, for our security team to make sure that there's no occurrence of anything that we don't know about, besides operational issues.

My key challenge is to make sure that LogRhythm stays relevant on our day-to-day stuff, making sure that we can have a quick analysis of what's happening in our network, what's going on, and what our security posture is at a given time. For my needs, I'm looking more for it to bring a more comprehensive picture of our security, for the whole network, since I'm routing all the logs to it.

The most important criteria when selecting a vendor is technical support. At the end of the day, when all is said, price and pricing and so on, you will have to deal with technical support one way or the other.

In terms of a solution being a unified end-to-end platform, it's one of the top 10 SIEM tools on my list right now. A lot of our auditors are saying, "We need to track to a one flat form where we could see a dashboard, where we could see how everything is going on in our network."

I rate LogRhythm NextGen SIEM a nine out of ten.

So, we are in the current five-year security maturity program. We're on year one, and LogRhythm is gonna be the center point for the first two years in terms of aggregating all the different log source types within the organization. We still find that there are log source types that are not coming in, which we plan to integrate within LogRhythm and use its analytics tools to help us get more mature and establish us forward in maturity of our security for the industry.

I rate LogRhythm 10. It's very easy to use. It's very user friendly. The product is very innovative with SmartResponse and AI Engine, so it takes half the work from myself and my analysts, so I love that product for that reason.

I love the potential of this solution. It sounds like a "set it and forget" type of solution. Let it deal with all the problems. It is good at doing that.

On the day-to-day, I haven't had a huge amount of time to work with the full-spectrum analytics. I have been focusing on getting it updated and up-and-running.

Currently, we have a Windows agent. Therefore, we technically have just two log sources, because the Windows agent is picking up all the domain logs onto one box and forwarding them on. It is taking all the Windows Servers and single-sourcing them. Then, currently, the only other thing that we have actively logging is our Sonic logs and CIS logs. We only have two individual sources listed, but it is more logs than that.

My advice, when they first implement the solution, they should make sure that they know what data source or log sources that they want to give to LogRhythm to do the correlations, because they cannot just simply dump all the log sources to LogRhythm. It will impact performance, so they will need to carefully choose the log sources first. Then, after that, they can move away to the correlation, the engine rules, and so on.

It is important for us to have a unified internal platform.

The most important criteria when selecting a vendor:

The most critical thing for us is in term of the correlations, because without the correct correlation, or alarms, then there will be no meaningful events. So what our priority is to give many people events that we can trigger our teams to do the mitigation and remediation action.

Make sure that what data you are collecting is usable. That is probably the biggest advice. Because the first product we used, we had problems just understanding the data presented in the SIEM console.

It's nice if the solution is a unified end-to-end platform, but it is not a deal breaker.

Most important criteria when selecting a vendor: Support after implementation is probably the biggest.

I rate LogRhythm SIEM an eight out of ten. In comparison, IBM has more features that are essential at the moment. However, it costs three times more than LogRhythm SIEM.

My advice to others is for the initial deployment it should be done by certified engineers or the authorized vendor.

I rate LogRhythm NextGen SIEM a nine out of ten.

I would rate this product an eight out of ten, just because there's always room for improvement and there's always room we can work on. So there's always benefits, but it's been really good with what we needed and it's been very stable for our implementation.

My advice to somebody who's looking to stand-up a SIEM solution is to do your research, look at the white papers, look at their documentation they have available on how other people have responded and how many people have stood it up on their own. Get this information and then start playing with it before you start doing implementation. Gives you a lot of foundation and makes the implementation part a lot easier.

On a scale of one to ten, I rate LogRhythm as a nine because it is a wonderful tool that definitely helps with identifying different threats within the organization. I would definitely recommend this tool. It's a very, I would say beasty application, you always will be on top of things when it comes to LogRhythm because it's always changing, but that's a good thing because the environment, the threat environment is always changing. So I'd definitely highly recommend it.

The target I would give to an individual that's looking for the best SIEM tools to put in their environment would be definitely look at one that's growing, that's not stagnant and LogRhythm is definitely one of those too that look for ways to improve it, user friendly and the different things that's out there in the environment to be able to catch the types of the bad guys or the different threats. They always try to stay on top of things. So I definitely recommend LogRhythm in that case.

I would rate LogRhythm a nine out of 10, primarily because of the current functionality within the system and the direction that the company is going. I feel it's appropriately aligned with security today and being prepared for tomorrow.

Figure out what you need it for before just getting everything you can into it. That's probably the main thing. We recently brought in an external firewall and it has everything enabled. So make sure it can do what you want and don't try to do more than what you need.

We have made a few playbooks, but we haven't done too much with them yet. For deployment and maintenance of the solution, it's just me doing the administration.

We're at 60 or 70 log sources right now. With some of the newer ones, we've had to open up tickets for them, like the newer Cisco Wireless. We've had issues with Windows Firewall and AdBlocker. We've had to get those fixed. We process about 600 messages per second.

In terms of the maturity of our security program, we got this solution right after we started up, so it has been growing with us. We're now at a point where we're happy with it and getting good value out of it.

From a performance standpoint, I have no problems recommending LogRhythm because it allows me to get in under the hood and tweak some things. It also comes with stuff out-of-the-box that is usable. I think it's a good product. Things like this RhythmWorld 2018 User Conference help me understand the company's philosophy and intentions and its roadmap, which gives me a little more confidence in the product as well.

Regarding playbooks, we have Demisto which is a security orchestration automation tool, and we're on LogRhythm 7.3. Version 7.4 is not available yet because of the Microsoft patch that took it down. We're looking to go to 7.4 in our test environment and to deploy up to that. I'm not quite sure how its automation, or the playbook piece, will compare with Demisto, which is primarily built around that area and is a mature product. However, from a price point, it is probably going to be very competitive.

In terms of the full-spectrum analytics, some of the visualizations that we have available via the web console are, as others have expressed, short-lived, since they're just a snapshot in time. Whereas, deploying Kibana will, perhaps, give us a trend over time, which we also find to be valuable. We're exploiting what is native to the product, but we're looking to improve that with either going with the Kibana or the ELK Stack to enrich our visualizations and depict greater time periods.

We have somewhere north of 22,000 log sources and we average a little over 12,000 messages per second.

The staff for deployment and maintenance is myself - I'm the primary owner of this product - and I have one guy as a backup. The rest of my team will use it in an analysis role. However, they're owning and managing other products. It's a very hectic environment. We're probably short a few FTEs.

One thing that we've yet to implement very well is the use of cases and metrics. Because oftentimes, if we see something that we know - we glance at it, it's a false positive - we're not going to make a case out of it. We might not close it for a day or two because we know it's nothing, and because we're busy with other things since we are a little bit short on staff.

In terms of our security program maturity we have a fairly mature environment with a lot of in-depth coverage. The biggest plus of LogRhythm is that we can custom-write the rules based on the logs and then speed up time to awareness, the meantime to detect. I can create an alarm for virtually anything I can log.

Definitely consider LogRhythm. There are a lot of players in the market, but LogRhythm is a solid solution.

We don't have the playbooks. They are on version 7.4. We just upgraded to version 7.3.4. We are going to wait before we upgrade again due to performance issues.

We have around 22,000 log sources and average 5000 messages per second.

It's one of the top 10 SIEM solutions. What I really like about LogRhythm is that they're always innovating, new ideas. They're consistently trying to improve. I think that's really great about them. 

It's effective, it's like a Ferrari. You have to have a lot of mechanics, and you have to fine tune it, and when it's running well it runs very well, but there are a lot of things that can go wrong too. I'm pretty much a one-man shop, and it's difficult for me, but that goes back to having good support and good communication with them. It's a struggle, but the product is strong and we just need to continue growing with it, in our understanding, in our use of it, so we'll get where we want to go. But it's a partnership, so we appreciate that.

I already mentioned some of the most important criteria when selecting a vendor, but the main ones for us were

• local presence: so we have a door to kick down when we need help
• support: LogRhythm has very strong support features
• scalability and cost: LogRhythm had a higher initial cost, but it had almost everything built in that we needed, there were no additional or hidden costs later, so it was much easier for us to plan ahead.

Also, our company likes to spend capital dollars, so the hardware option was more attractive to us. I like the VM and cloud, and I'd like to move in that direction, but having the multitude of options that they have was a big plus for us.

It's very important for us to have a unified end-to-end platform because we have so many different locations and we have such a small team. Having 50 different products and 50 different interfaces doesn't help anyone, even if they're good products. Having one single product that can do a lot of things is very important.

It's a 10 our of 10 for sure. Even 11. I love it.

Don't just look at cost because, as I said, LogRhythm was a little bit higher in the beginning, but look at the features that they have and the support, everything, especially in this field. It's a complicated business, so everybody's going to have problems. Can they fix those problems, and will they work with you to grow? Look at the big picture. Long term.

My advice is to take a look at the account directly with the account manager of LogRhythm and find a value-added distributor to support you with the sizing, consulting, use case discovery, and building up the operation maturity roadmap, in order to be truly aligned with the LogRhythm deployment in the long term.

I would rate LogRhythm NextGen SIEM a nine out of ten.

I would definitely advise giving it a look. If you're able to deal with it in your environment and just give it a chance, it'll grow on you. It is not Splunk, but it's getting there. They're gaining visibility with other vendors. The integration with third parties is starting to light up a little bit for them, unlike IBM QRadar that has already created that bond with third parties to bring in their services into the product. LogRhythm is definitely getting there, and it is a quick way to leverage in-house talent. So, if you want to do automation and you have someone who is good at Python scripting or PowerShell, you can easily build something in-house to automate some of those use cases that you may want to do. 

I would rate LogRhythm NextGen SIEM an eight out of ten. 

I would rate it a six and a half out of ten. Sometimes I have to rerun scans and look into why the scan didn't complete and why it crashed. All of that stuff has to do with the initial set up. For the most part, it does what we want, but there can definitely be improvement. 

I would advise someone considering this solution to look beyond LogRhythm. LogRhythm is one of the top solutions. I would say Splunk is overrated. Look into IBM QRadar and then McAfee as well.

If I had to rate LogRhythm and CloudAI out of 10, I think I'd give it an eight. There's still room for LogRhythm to improve, and they've laid out a pretty great roadmap for what they want to do in the future. I think if they continued to innovate and continue to implement the things that they've talked about, that they'll continue to grow in my eyes. There is some room for improvement, but overall, if you want a very solid platform with stability and scalability, LogRhythm is definitely the way to go.

I would say LogRhythm, on a scale of 1 to 10, it'd be a nine. I think it's a really solid solution. I think one of the things that they could probably improve on, as I mentioned, was being kind of a little more proactive when it comes to things like cloud and things like that, so I think that they are getting better, but I'd say a nine right now.

In terms of the criteria for selecting a vendor, it always comes down to cost.

And usability. I like to make sure that my analysts are hands-on when we look at these tools. What's the interface like? How easy is it to use? What's the after-sales like? What's their tech support like? These are all things we need to look at. 

Also, which operating systems do the agents run on? Can you integrate into all the hardware that you've got? What syslog feeds can it take? Can it take SNMP as well?

If colleagues were looking to purchase a similar solution, the guidance that I'd give them is make sure that they draw out what they're looking to get from the solution. Make sure they have an inventory of hosts. Don't go all out, don't put everything on at once. As they said, don't try to boil the ocean at once. What are your critical hosts? Feed that information in first. Build case studies. What do you want to get from it, what are you looking for? And then work your way through it.

What I've done in the past is I've asked them to come over to our office and take a look at our implementation. I'm happy to share that information with others. I'm able to give them some case studies on what we've found with the Windows operating systems and some of the other hardware out there.

Look at all of the factors, including total cost of ownership and your roadmap of where you are going, and compare those to the needs that you have going forward. There are a lot of solutions out there that are either way too complex to manage, don't have a good roadmap, are a secondary solution in a larger company, or are going to just be astronomically expensive when they get to a useful state.

If the solution is a unified end-to-end platform, it helps with the overall management, skill set training, and retention. It does provide some long-term benefits.

Most important criteria when selecting a vendor:

• Usability
• Growth potential based off of cost.
• Architecture.

So, where could we grow the system, because a lot of systems were either too complex, too expensive, or very oriented for that particular network-based solution. I was looking for some kind of compromise in the middle.

As part of your plan for SIEM, identify what you expect the SIEM to be able to do for you / your organization. SIEM is not a silver bullet. SIEM will take a considerable amount of use by a security analyst or similar to get the best out of it. SIEM managed services offered by resellers or system integrators may be good value and should be seriously considered to ensure the best outcomes from the SIEM.

Implementation time, hygene/maintenance time, functionality, and cost make it the clear choice in a competitive market.

I give the solution an eight out of ten.

The solution is for medium and large organizations.

When you implement, you need to know LogRhythm's architecture because it is quite difficult and different from that of other SIEM solutions. So, you need to know the architecture, how the processes work, and how the logs are processed.

Overall, I would rate LogRhythm at eight on a scale from one to ten.

In terms of the most important criteria when selecting a vendor, there isn't any single important criterion. I have a spreadsheet that I use that expresses value.

• Price is one component of value 
• Usability
• Manageability
• How many resources do I have to apply to it? 
• Can I run it with one FTE? Do I need two FTEs? 
• Also, its efficiency. Does it meet all of the use-cases that we're buying it for?

The first thing you do is sit down and think about, "what are going to be my first steps?" This is the kind of thing you have to phase, really, to be successful. "What are my goals out of my first year?" Plan that out, and then plan where I'm going to go from there. Then sit down with somebody that's experienced like the LogRhythm Professional Services, or your SE, or other people you know that have used LogRhythm for a while, and review that plan and make sure that you've got some specific strategic benchmarks in place so that you can guide yourself through that growth.

I would rate it a 10 out of 10. I am very happy.

It's just amazing, that you can get the information, especially the AIE information, where it correlates different logs together. It's just incredible. It's something that in the old days, that you had to use grep and go to multiple servers, versus now you just tap in and drill-down and, bam, you've got all the logs that you need. It's just amazing, the process.

I’m in contact with them on a very frequent basis. I work with my contact a few times per month. I can’t complain about them at all.

My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to to be able to do that.

I can't say I have seen any measurable decrease in the meantime to detect and respond to threats because I can't watch it all the time.

We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

When choosing a solution, it is important to determine what you want to achieve instead of how the solution works. Most solutions have a method for collecting logs, relaying information, and identifying issues so selection is more about the speed and accuracy of end results.

I rate the solution an eight out of ten. 

The most important criterion, when selecting a vendor, is how easy it is to adapt to the solutions we have in house. Every organization, I understand, is different, but based on what we required, for the most part I'd say about 85% of our needs were met with LogRhythm, compared to all other competitors.

It's very important for our solution to be a unified, end-to-end platform because the organization might adapt new technologies. Our security architect needs to have the ability to integrate them. If it's a challenge then, definitely, that's going to be a downside for us.

If a colleague at another company was doing a SIEM solution comparison with this and similar solutions, I would say to give LogRhythm a shot and, if the possibilities are there, to implement a PoC to understand how the solution can help them.

We are very pleased with the LR solution and are looking forward to the upcoming update.

I would rate the product a ten out of ten. The solution is very user-friendly and straightforward. The tool's report customization is interesting. 

I rate LogRhythm eight out of 10. With any solution, you need to deploy the use cases correctly, so the customer should understand the use cases for a SIEM. An SIEM solution only collects and centralizes logs instead of detecting unknown malware. There are no use cases that are customized to fit the customers' context. 

We are a distributor and we have around 15 to 20 partners who are working with LogRhythm in this region. We work for the end-user and we implement it and handle presentations for the customer.

We are working with the latest version of the solution. I can't speak to the exact version number, however.

I'd rate the solution at a ten out of ten. It's a very good product overall. Clients have been very happy with it. In terms of the feedback we've received from the end-user and our own experience with the deployment process and manageability, everything is great.

Make sure you size the appliance correctly.

We use Ansible and Terraform for infrastructure, so the same concept as the playbooks. We are looking to use the playbooks going forward.

We have about 1500 log sources. We do about a 25 million logs a day. Obviously, they're not all events.

I am very happy with the solution right now. I would absolutely recommend it and have.

Most of the basics have been tended to, and as we discover other things that we need to get more data on, and they are brought up, the company addresses them.

The most important criteria when selecting a vendor: It is very important for it to be unified.

It's very important to our organization that the solution be a unified end-to-end solution.

I don't think any company is perfect, but I know that they're striving, and that's why I give them such a high score.

I understand that whatever you're buying with LogRhythm, it is not going to be static. It's a very dynamic company and a lot of new technologies emerge, so ensuring that you get the proper level of training upfront, as well as continued training for your staff, is important for being able to wrap your hands around what LogRhythm is actually doing and where they're going.

You start to talk about some things like blockchain and quantum, I'm sure that LogRhythm is already researching some of those new computer technologies. I didn't know what to expect back in 2015 when we bought the product, but it's showing to be agile, scalable, and the people are very knowledgeable.

Right now our focus is on user behavior, and that's part of why we joined the cloud Beta, they are our biggest risk. We don't know what they're going to do when and why, and so we've rolled out some security awareness training, we've rolled out some phishing exercises, and really trying to figure out how we can stop them being their biggest risks. Learning about what we learned today at the conference, with LogRhythm doing their phishing intelligence engine, it's going to be nice to see how we can implement that into the SIEM as well.

Security solution, number one is FTE; being a small shop and how much FTE does it take to run that? If that's a challenge for somebody, so they have co-piloting that you can do. We were able to absorb that in with two different FTEs splitting the duties, and they probably spend 45% of the time doing that. Might be different for a bigger shop, but that's our focus.

The most important criteria when selecting a vendor:

• reputation
• have they delivered on what they say they can do
• are there customers out there that we can talk to, that can validate what they're saying is actually true?

Regarding a solution being a unified end-to-end platform, it's not necessarily so important. Going forward, as we mature, more maybe, but we're really just tacking on the stuff that we go after. It's addressing certain needs, it's a little bit siloed right now, so it's not a huge need for us.

I gave it a nine out of 10 because I hesitate to rate anything a 10, that's perfect. But I think they do a great job, and I think it's more on us to really engage them more. They're always happy to talk to us about where we want to go with it, and it's just us dedicating the time to them.

Talk to people in the industry, make sure it can fit those needs you're buying it for. Proof of concept is huge. Do a proof of concept, especially in a SIEM. You don't want to just buy one and then implement it, and then try to figure out is it going to actually work for me?

Technology's important, but it is the support you get as well. Don't just focus on, necessarily, the features and technology, but also consider the support and the engagement you get with the organization.

Most important criteria when selecting a vendor: the relationship. I would not want to work with an organization that just sells you the technology, then disappears or only ever speak to when there is a problem. It is starting to look a little bit more like a partnership now with LogRhythm, that's exactly what we want to maintain.

If implementing a SIEM for the first time, it is very important to have members of the network and server teams involved from the beginning. Also, strong change management policies are necessary to keep the SIEM implemented properly.

I would recommend LogRhythm. I am really impressed with it, though we haven't start using it yet.

We are just in the middle of deployment of the full-spectrum analytics capabilities. We haven't finished the configuration of the product yet.

We do plan to use the built-in playbooks.

We have approximately 931 log sources at this point.

Most important criteria when selecting a vendor: 

1. The reputation of the vendor. 
2. The quality of the product. 
3. The integration into the environment that we have right now.

Very happy. Yes.

As a guidance and recommendation, I would ask them, what is your level of comfort in configuring LogRhythm? If they say to me, "Not so much," I would say, "Well, then you have to budget not just for the product, but for the Co-Pilot solution as well." If, however, they say, "No, I'm very happy. I have the skills already in-house," then I would say obviously to buy the product with the Professional Service hours.

The driving factor in searching for a security solution would be, in this day and age, the threats that are out there are incredible. I think LogRhythm addresses a lot of the issues that are out there. Again, it's on us to make sure LogRhythm is a solution. It's a tool. If we don't use it properly it's pretty useless at that point. It's on us.

I would say it's very important that a solution be a unified, end-to-end platform, especially in a higher-end environment.

My nine out of 10 rating is based on what they offer, and what I saw yesterday at the conference, what they're coming out with. They seem to be on top of things.

Among the different SIEMs that are out there, the companies, I would definitely recommend LogRhythm.

On average, I process around 1200 messages per second.

So measurable results for mean time to detect and mean time to respond. I don't have measurable results because there wasn't anything there beforehand. But now, we've responded within hours to events that could have been breach incidents, or in some cases within minutes and stopping attacks in their tracks.

My security program's maturity is still in its infancy. I'm basically starting it from scratch. LogRhythm has been a major step with giving me file integrity monitoring, the SIEM capabilities, log collection, a lot of things that we didn't have before. User behavior has been amazing for helping me keep track of what's going on in my network. So it's been a major stepping stone. It's the first in many.

I would rate LogRhythm as an eight out of ten because of the compliance factor. The modules for compliance are fantastic. The UEBA and CloudAI are solid for user behavior, and the SIEM itself is very powerful. I work very heavily in the customization aspect of it. Writing my own alarms, my own rules to try and track down events and alarms, stuff going on inside of my network. My only complaint really is just the lack of API support and how much work it takes to bring in cloud. That definitely needs some work. And just the time to set up is very time-intensive.

If I had a friend or a colleague that was looking to implement a SIEM, I would definitely recommend LogRhythm, and I would pretty much give them the same answers that I gave here where cloud support is still growing, but the tools that it has are very powerful. The behavior analytics are fantastic. It definitely would have to be on their list at least to look at.

I would definitely recommend LogRhythm. Work with the LogRhythm team to help learn how your environment works. Use as much help as LogRhythm can provide in your initial setup, so you can understand your environment best.

We have more than 20 log sources. We average around 3,000 messages per second. We have hit 8,000 in the past, but not since the new upgrade in which we got more room. In terms of staff for deployment and maintenance, there are just two of us who share it. But when we're on-call, all of us use it. There are nine of us who use it every day when on-call.

I rate the solution at seven out of ten. I'm very happy with it. I love how powerful it is. However, the customer service is where the points come off. I know they're working on it.

It's been pretty great. For us, the use case is all about generating actionable alerts and alarms and seeing how much we can reduce manual operations, so that's what I would compare: time saved.

We don't use the full-spectrum analytics capabilities. In terms of playbooks, we're still on 7.26 so we don't have the playbooks yet, but we're upgrading as a high priority right now. For deployment and maintenance of the solution, we use two staff members.

In terms of log sources, we have a couple of thousand and our MPS is 3,800.

When selecting a vendor, what's important for us is support. Support is huge.

From how we use it, I would rate it a 10 out of 10; not knowing exactly where we could go with it, I'd have to give it a nine, because I don't know if there are any challenges inside it. What we're doing is very limited. I would like to, as we continue to grow with the product, see if there are any ceilings on that.

I would highly recommend taking a look at the FTE requirements. They're not all the same. That's huge, depending on the size of your staff, and budget constraints too. There are other SIEM software solutions that have a lot of add-ons that continue to add cost. You need to look at the big picture of what you want it to accomplish. Ours was pretty straightforward with compliance, we didn't have a lot of additional costs. I think those are the two big takeaways I could give somebody.

I don't think any application can truly be a 10 out of 10, especially one of LogRhythm's size; that would be very difficult to achieve. But an eight, in my mind, is perfect. That means there is room for improvement, there is room for me to work with the vendor, and talk back and forth about what my needs are specifically so they can work that into a feature request down the line.

In terms of criteria for choosing a vendor, when you go through an RFP process there are always weighted criteria. We went through that whole process and started out with eight vendors, got it down to two and then selected LogRhythm. For me it's relationship, I want to feel that the product that we're buying is going to be supported, and that we have almost a team behind us that is there. When we did purchase LogRhythm we felt that. We bought a lot of Professional Services time to help us implement. 

It's not like the sales guy says, "Okay bye," and never talks to you again, and just takes in the money for the license renewal every year. They have customer boards, the sales engineers will talk to you and will bring things to the table. They'll come and do a health check. I don't feel like we just bought a product with LogRhythm, I felt that we bought a team.

You have to allocate resources, and that's why I've recommended LogRhythm to a few friends and colleagues. To get the best out of LogRhythm you really have to put the time in.

When selecting a vendor, one of the biggest things for us is ease of use. The second is how are they going to be a partner with us?

In terms of advice to someone who is looking into this kind of solution, I would say to look at the long-term costs of any solution that you're looking at.

It is extremely important for our solution to be a unified internal platform.

I would recommend looking into it.

It is very important that our solution to be a unified end-to-end platform. Very important. We wanted a one-stop shop with LogRhythm. We didn't want to use anything else to record our logs and stop threats.

I would give LogRythm a 10 out of 10 just purely on the fact they are very helpful, very knowledgeable. The software is very easy to use. Easy to learn. I came into security with no knowledge of security or how to do anything, and within a year I'm an administer of the software. So it's pretty good.

I would say go with it. Hands down, one of the best security platforms I've seen. Easy to use, ease to scale, huge visibility into your network. You just see everything and you see it easily. You don't have to go search for things.

It is highly important for our solution to be a unified end-to-end platform.

Most important criteria when selecting a vendor:

• Scalability
• The ability to have support.

LogRhythm has their co-pilot, which is absolutely essential, and whilst we do not use co-pilot in our organization, knowing it is there is certainly absolutely valuable.

Do your due diligence. For the most part, you're dealing with the same data depending on who your SIEM is. It is still the same data that's being returned or that you can pull. Definitely do your research because your SIEM itself may not get you what you need out of that data. 

A unified end-to-end platform is very important to us. We don't want to go to 12 different user portals. We want to know in a quick way what we're dealing with. We want to be able to see the data without having to jump all over the place to get it. 

Most important criteria when selecting a vendor: 

1. We are buying a product that is going to succeed for us.
2. We want to know that we are going to have good support and help when we need it as we won't know anything or everything for a long time. But we have experts that we can lean on, that's a definite benefit.

I have been invited to user group meetings and we have had good conversations. They have been very helpful and they understand my needs. They listen to our input and really take it seriously. They really work with us on different issues. 

Everything is fantastic.

I would probably rate it as an eight or a nine, currently, mainly, probably due to the complexity of importing log sources that aren't natively supported.

While we are aware of the playbooks, we still need to look into them.

We are close to a gig of messages a second, so quite a bit of data.

To capture your use cases, understand exactly what you are looking at ingesting. Do the research as far as what the company has done. For example:

• What have they provided at organizations of similar size?
• At peer organizations, how have they implemented the solution and what are some of their pain points?

Understand what everybody else has done previously with the solution.

I am rating the solution a six out of ten, because we have not gotten it to work yet. With all its components, there is such a learning curve. 

I haven't gotten far enough along in the process to know if the solution has a shortcoming or if it is our shortcoming with somehow getting it dialed in.

I gave it an eight out of 10 because of the ease of use, and the support really deserves high marks.

I would definitely tell colleagues to look into it. Again, the support that they provide, they’re there to hold your hand if you need it, or just give you guidance and let you go. They really do take care of their customers.

I gave it an eight out of 10 because you can kind of dig around and find what you need, so it's fairly user friendly. And the support that you get from their tech teams is pretty phenomenal.

I'd say definitely give it a look, and talk with them. I would definitely say that the support that you're going to get is well worth it.

I would recommend them. I think that their product has evolved over time. I think there were a couple of years in the very beginning when I was a little frustrated with them, but now, and especially, we just bought a new box last year, the newer version, it seems to have a lot of the kinks worked out, and so I wouldn't have any problem recommending them.

Definitely do a test run, a proof of concept, so it’s understood how it’s going to work in your environment. Also, take the training that they provide; i t's super valuable.

There were two primary reasons we selected LogRhythm. First was the ease of implementation, which was extremely simple and straight forward. Second, was the integration of file integrity monitoring. LogRhythm at the time, and I believe still today, was the only vendor that provided a solution that included integrated SIEM and FIM.

If I had to rate LogRhythm on a scale of one to 10, I would probably give it a solid eight.

The capabilities of playbooks is in 7.4, which we are not able to utilize yet. Therefore, we have built outside of the solution playbooks. However, we are looking forward to the integration of playbooks in 7.4, or even version 8. 

We were shown today a couple of things where playbooks will be enhanced, even having SMARTResponse coming right out of the playbooks, so hopefully advanced SOAR capabilities.

We run two independent LogRhythms. On one, we have about 33,000 different log sources, which include endpoints and now IoT devices. On the other, we have a very small footprint. It somewhere around 3000 log sources.

On one of my LogRhythms, I have a message per second around 2400 to 2500. That spikes depending on the time of day. Sometimes, it goes up to 17,000. On average, it comes back down to about 2300. On the other LogRhythm, there are very few messages per second. It is around 600. 

Do your homework first. See what pie in the sky solution is supposed to be for your SIEM. Do not just check a box. LogRhythm will more than likely suit your needs.

We're really happy with it.

The solution, one to 10 at this time, would probably be a strong seven. Right now there is the concern about being able to gather all of the data into the system. That's key. It's one of those things, pre-sales versus post-sales, what is said can be done, and then what actually is fruition. There is only so much you can do in a proof of value, or what they sometimes call proof of concepts - in those bake-offs - because you only have a limited amount of time with it to do that connectivity, and analyze. It really is that integration and some of the customization that we've had to do from parsing rules, not only for SQL Server, but also for ingesting NetFlow data from our Gigamons - which is the core of all of the network activity that happens within our environment.

With this or any technologies, that pre-sales process is key. Really asking the intricate questions, try to get them to talk in-depth about the capabilities. Just saying that, "We have integration with this technology or the other," is not sufficient. You really need to have a good understanding of the capabilities that you are looking for, what your systems are capable of, and what you need that integration to be. The last thing that you want is to get in there and say, "Well, it works. But it only works 30% with that." You want it to be 80% at a minimum or better.

It's very important for a solution to be a unified, end-to-end platform for us.

It's a really good solution. It's been very stable. At the same time, we have had some issues, some false positives.

And that issue I told you with tech support, there have been some challenges getting it to be where we wanted it to be, for a solution, like LogRhythm, that is supposedly best in the industry. I just thought it was kind of poor that they would take a common exploit that's been in use for years and say we can't get it to work when, obviously, they could get it work. It was kind of lazy.

Still, I would say go with LogRhythm.

It's not perfect, but no solution is going to be perfect. If you have one person that you can dedicate forty hours a week to the SIEM it will be fine.

Regarding a solution being a unified, end-to-end platfrom, it helps, but it's not completely necessary.

For what it does, LogRhythm works pretty well.

If I were to advise a colleague who is looking into a this solution, I would say train someone, as their full-time, job to use it. It's not an easy product to get around.

Really understand what's important to you as far as what are you hoping to gain out of the product, what threats are you looking at, and what are your critical logs sources. Just have a fundamental foundation before you start looking into it.

Having a unified end-to-end platform is really important to me, because I am the only security professional at the college. If I can avoid having systems all over the place, that is only going to be beneficial.

Most important criteria when selecting a vendor:

• It is the problem that they are solving and solving effectively.
• Being able to rely on really good support.

We've got around 2500 logs per second, and primarily a Windows-based environment. We have around 300 Windows-based servers, and we are also collecting a lot of logs from the end-user devices, which are primarily on the Windows base. We also have some Lynux-based servers and also some network component firewall proxies.

Over a period of time, LogRythm has improved a lot and the future, the road map of the product, really looks nice.

The most important criteria when selecting a vendor is the scope you have defined for the business objective you want to solve, whether it will meet that objective or not. Also, for us, feedback from industry peers matters a lot, and the people who are really using a product help us a lot. It needs to suit the budget as well. So financial, commercial and meeting the business objectives.

It is quiet important that a solution be a unified, end-to-end platform
because we have limited resources. It's very difficult if we have to scale and train on all the different platforms or security tools; and once someone leaves the organization it is difficult to hire a new resource. So having something unified under one platform means that scalability. We can have someone and utilize their skills to fulfill our requirements.

I would definitely recommend LogRhythm to someone looking for this kind of solution.

I rate LogRhythm NextGen SIEM nine out of 10. People should consider LogRhythm. Take a close look and try it. It's one of the best SIEM solutions in the world.

We're partners with LogRhythm.

We don't technically use the solution typically. We consult with clients and advise on products. We also provide services on the solutions we offer. In this case, we do use the product as we log issues.

We use the latest version of the solution.

For our customers, the pricing will scare off many. However, if users are concerned more with the security of their account, they'll find this is a good option.

I would recommend the product. On a scale from one to ten, I'd rate it at an eight.

I am pretty impressed with it. I have seen a it grow, just in the short time that we have had it.

It is very important for us that a solution be a unified, end-to-end platform. That is one of the biggest driving factors, having a single place that I can do network monitoring if we wanted to. We could do log correlation out of different security tools that we have.

Make sure you give it enough resources in terms of users. Somebody to manage it, whether that be a MSSP or in-house resource.

It is important solution be a unified end-to-end platform, especially because we are a small security group. If we can have it in one place, that would be a big plus for us.

Most important criteria when selecting a vendor: support.

A unified end-to-end platform solution is important but I understand that there will be different tools for different jobs. LogRhythm, that is their sweet spot and I hope they stay there because they do it really well.

Most important criteria when selecting a vendor: It is about the integrations with all the different products that we are using. LogRhythm seem to have most of those boxes checked. Therefore, it was a good fit for us.

I would say for us, being an MSSB, when selecting a vendor, scalability is paramount. And the support ability. If we're going to drop a lot of money on a solution, it needs to be easy for our analysts to get up to speed with it. That's worth a little bit extra, versus going with something that requires months of training just to do the basic running of the system.

If I were to advise a colleague looking at this or a similar solution, I would say take a look at all the options, figure out what you need out of a solution first, and then just make sure you evaluate it. If possible, test drive it. See what it can do, not in a sales presentation. Don't just look at a PowerPoint, actually test drive it.

I highly recommend LogRythm for SIEM.

The most important factor, for me, when selecting a solution is that it needs to be lightweight.

Advice I would give to a colleague at another company who is researching this sort of solution: Talk to me first.

We have LogRhythm in place and it's been working well for us.

It's a great solution but training will be a big key on the implementation. We can troubleshoot it and get the technical support, but it always being very good to have technical training on LogRhythm.

It is a really good product with good support.

If someone is reaching the solution, I would advise them to reach out to users and try to visit LogRhythm's online presence to see what they have. The LogRhythm community has been a pretty good resource.

Having a unified end-to-end platform is very important.

Most important criteria when selecting a vendor: support for the product.

It is a great product. We brought it in initially as a central event log for PCI compliance. It's been really good for PCI compliance, but then we leveraged it for security across the network, so it has been really good that way. It really requires somebody to be able to dedicate a lot of time to getting sources into it. It's hard if you're a partial user of it. It takes a lot longer to really understand the product, because it's big. There's a lot to it.

We're migrating to a dumb-terminal type of environment. That's the end goal that we have, because we have noticed that there's no way for us to secure everything. There's really no way. So having the users centralized into one location, it makes a big, big difference.

So far it's working fine. Like I said, we had some little things here and there but we've revised the architecture and now it's good.

For selecting a vendor we had a matrix. There were a bunch of points that we were trying to cover. How easy is it to use? For Roger's group, for example, to see how easy it was to adapt from the GUI base to the console.

In terms of a unified, end-to-end platform, I'd say we're not married to specific vendors or companies, that's the nature of our business, at least how we run. But it's good to have everything in one solution.

If I had a colleague at another company researching this and other SIEM security tools, I would give him my matrix.

We recommend that people implementing it choose to log everything, including logs from desktops, laptops, servers, switches and routers.

When selecting a vendor, for us, the platform has to be a unified, end-to-end solution. We've got so many unique platforms around our business that it has to be.

All SIEMs suck, but LogRhythm is the best.

Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.

It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.

I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy, with LogRhythm.

I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what their getting in their environment and what other vendors might be missing.

It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.

I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.

One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."

Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor interoperability, the ability to pull logs, and the ease of customizing parsing logs. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it form 10,000 feet, I would say and Logarithm and it are probably much easier to mange, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How we can improve? How can we do this or that?" Our SE and sales guy are really great. Keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.

I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.

I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.

You should consult with LogRhythm experts because there are lots of features and customizations, and you need to figure out what's needed for your specific environment, for example, regulatory compliance issues. They do great job of making clear what's needed.

I would definitely recommend this solution for compliance requirements, such as PCI DSS compliance. It does cost a great amount, but its pricing is competitive with some of the other vendors. If it is a necessity to have a SIEM solution, I would definitely recommend LogRhythm.

I would rate LogRhythm NextGen SIEM a nine out of ten. It has been really good. So far, my experience has been seamless. They should keep doing what they're doing.

I would definitely recommend this solution if you can afford it. 

We get customized reports and we get reports including all the details, but when we start using them we couldn't start with the Outlook editor. We can customize a document and we can write a report. The dashboards are very user-friendly and very attractive. But when it comes to the reporting part, I think that could use improvement in the next release. 

I would rate it a seven out of ten. 

Really figure out what you want it to do for you, because it is very flexible and can be used for many different purposes. Determine what you want to use it for, and then get the assistance from LogRhythm to help implement it in that way. Then you can always expand it and take in other areas. But your primary goals need to be met right up front.

We are very happy with it.

It is a big project, but very worthwhile, and LogRhythm has plenty of documentation, support people, professional services, and classes that can help get a business implemented and push them all the way to completion. I definitely think it is worthwhile.

It is very important for me that the solution be a unified end-to-end platform.

My relationship has been very good. When we updated our software we set up weekly meetings which really helped us with reporting. We don’t directly get in touch with support but when we do they solve our problems.

I would recommend NextGen SIEM to those considering implementing it and would rate it eight out of ten.

I would recommend NextGen SIEM to other users as it is a leading solution with new features at a better price than competitors like Splunk and QRadar.

Overall, on a scale from one to ten, I would give LogRhythm NextGen SIEM a rating of eight. 

I would definitely recommend this solution; my only concern is with the price — it should be lower.

The criteria that we look when selecting a vendor are usually support, and being and end-to-end solution, that is very important too.

I gave it a nine out of 10 overall because we have had some support issues that haven't been resolved quickly enough but, other than that, I've been very happy with the product.

If a colleague was researching this and other popular SIEM tools, I would say for the most part I'm very happy with it. I would advise them to schedule a demo and see if it meets their needs.

It will take time for fine tuning, expect for four months to fine tune it to exclude the false positives.

Take advantage of the feature set that LogRhythm has to offer. It has more features than a lot of their competitors. You will be further in the end.