LogRhythm NextGen SIEM Platform vs. Splunk Enterprise Security

LogRhythm is good for providing a comprehensive view of the environment. It gives a great outline of whatever is going on in our servers and systems regarding security malfunctions. The SIEM sends real-time notifications when there are some occurrences; like creating a new user and inappropriate login attempts. It also avails a good use case that meets our HIPAA compliance.

Incentivized

Well-Suited Scenarios:

Real-Time Threat Response: ES excels in swiftly detecting and responding to security threats through data correlation.

Compliance Management: ES streamlines compliance with detailed logs and reports, ideal for regulated industries.

User Behavior Analytics: Effective in monitoring user and entity behavior, particularly for insider threat detection.

Large-Scale Environments: Valuable for organizations with diverse data sources and high volumes of data.

Incident Investigation: ES aids in post-incident analysis, reconstructing events to understand root causes.

Less Appropriate Scenarios:

Smaller Organizations: For simpler setups, ES may be complex and costly.

Static Environments: In low-risk settings, ES's advanced features may be unnecessary.

Limited Resources: Tight budgets or sparse IT resources may hinder effective ES use.

Lack of In-House Expertise: Without security experts, optimizing ES can be challenging.

Budget Constraints: ES may be cost-prohibitive for budget-conscious organizations, prompting consideration of more affordable alternatives.

Incentivized

• LogRhythm is a great SIEM to learn content on because the building blocks are very intuitive and easy to implement. All of the concepts relevant to content development are literally represented as drag and drop building blocks that can be easily manipulated.
• The statistical building blocks contain powerful anomaly detection capabilities that are extremely difficult to implement in other SIEMs or not possible at all.
• LogRhythm does better event classification than any other SIEM by far. My team typically drops all classification schemes from default installations of SIEMs and rebuilds them from scratch. I can actually use LogRhythms event classifications in rules without worrying about excessive partial matches or correlating unwanted events.

Incentivized

• Its best feature is its user interface, which is easy to navigate and understand. All you need is a little tutorial on how to use the Splunk query language and you're done.
• Logs can be easily uploaded or shared across multiple platforms and display a highly insightful graphical representations of data using graphs, tables, and many other formats.

Incentivized

• While searching for log events is quick, the interface isn't as user-friendly as other SIEM products.
• Many of the administrative/management functions are only available through the full LogRhythm desktop console, not through the web console.
• The LogRhythm agent, when used for FIM and RIM, is very memory intensive.

Incentivized

• To identify User Behaviour analysis is lacking component which we get in Splunk UBA.
• The documentation part is hard to work on because if the new user tries to learn ES then the documentation is not user-friendly.
• ES must ass more Knowledge objects by default to make security-related aspects more reliable and enhance the details.

Incentivized

LogRhythm is focused on SIEM. That is their core business. Cost of operations, feature set and ease of use. The Log Rhythm support team is outstanding. Overall reliability is good. Reporting module needs some improvement and LR is promising that there will be significant improvements in future releases.

Incentivized

We are very happy with Splunk and would advise anyone to take a serious look at it. It might look pricey but the rewards Splunk offers seem endless.

Incentivized

LogRhythm does a rather decent job of making the functionality advanced (allowing for advanced keyword & field searching, use of "AND" as well as "OR" statements in the search bar) while keeping it accessible (by not requiring a specific syntax to do quick searches). This combined with a user interface that has headings and labels that are intuitive is very helpful.

Incentivized

You definitely need to learn how to use Splunk to get the most of the tool. There are many courses available for free to get up to speed on the usability of the tool but it's not that simple. It will take time to digest all the data and to understand how to query for what you are looking for.

Incentivized

I'm not an ES user, but, in my implementation I usually try to prevent all service stops to guarantee High availability to the final customers.

Incentivized

ES requires a very performant infrastructure: if it has it's performant, otherwise not. I had situation with a very performant infrastructure and I didn't notized that it was a distributed architecture, it seemed that there ware few data on my PC, othewise I experienced less performant infrastructures with less performaces.

Incentivized

Support has always been fantastic for this product compared to many other support providers I've worked with. They are always very friendly and seem to be well trained and knowledgeable and never have to wait long for a solution. We usually get the issue fixed in the first call, but also we really haven't had to use support a ton so that's also a plus

Incentivized

It's good when it's responsive, but I've had times where I had to wait quite a while for a response. But these are typically the exceptions rather than the rule. When you do get a response it is always well-informed and appropriate. I would say they've been trending better over time with this.

Incentivized

I experienced only on-line training, but the trainers were very professional and competent. Maybe it could be more useful if they also have an experience in projects because sometimes they didn't have a real project experience to communicate to the students. Anyway, it was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself, aven if I have more than 10 years of Splunk activity experience.

Incentivized

It was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself. The only problem was that, when I worked with the Splunk Professional Services, I found some difference between the training contents and the information from PS. In addition is required a long experience on Splunk Enterprise for the data ingestion part, in other words I'm able to work with ES because I'm worling on Splunk since 11 years, otherwise I'd some problem.

Incentivized

• Buy professional services.
• Buy and implement the system if possible.
• Remember that the end point log configuration may require other teams in your company to assist you in getting the desired logs from all resources.
• Attend the end user and daily operations training after a period of usage so you are not overwhelmed with information on concepts not yet seen.
• Don't be afraid to call for help during your first months of use.
• Don't close any ticket until you are sure the expected results are verified.
• Use the community forums to discuss issues with your peers.
• Watch the training videos offered by L R University.

Incentivized

It's a fantatic product and it was very useful the presence of Splunk Professional Services for the Design Phase and the final Health Check.

Incentivized

The only thing we chose LogRhythm NextGen SIEM Platform for is to allow the Security Analysts to work on the dashboards which don't know much about programming and query languages but has good intuition about cyber-security. It is easy to get hands-on compared to Splunk, which has an initial learning curve before being able to start harnessing its true power. Also, the ticketing system is quite fancy and somehow shows us the recent tickets that we need to jump on, which is not in Splunk.

Incentivized

LogRhythm is good for a team comprising mostly non-technical IT users. Unlike Splunk, it has a GUI log search and a good ticketing system. Splunk is better than Logrhythm for me as it provides me with the ultimate flexibility to write custom queries. Scalyr is a good tool and quite frankly lot faster than Splunk. However, I prefer Splunk because of its better Dashboards and panel customization abilities. Elastic is another amazing tool. It is hard to choose between the two especially because both have different sets of logs on them. I use both. Elastic for internal server logs, Splunk for everything else.

Incentivized

We have on prem splunk and it’s mostly east to setup, but we have issues keeping data separated between customer splunk deployments while at the same time only having to look at one SIEM to address events in every environment

Incentivized

• We were able to retire a few older log collection platforms that we had in house. There were 2-3 systems doing the job of LogRhythm.
• We were able to bring some part of the analysis of events back in house and not rely on third party MSS.

Incentivized

• We have a 100% success rate on all our ES implementations due to the amazing documentation and Splunk enablement on the subject.
• Our Splunk ES business has grown 100% YoY for the last 3 years.
• In terms of long term management and maintenance, ES has been highly stable and predictable, reducing our overhead on costly services team for ad hoc maintenance work.