The LogRhythm NextGen SIEM Platform, from LogRhythm in Boulder, Colorado, is security information and event management (SIEM) software which includes SOAR functionality via SmartResponse Automation Plugins (a RespondX feature), the DetectX security analytics module, and AnalytiX as a log management solution that centralizes log data, enriches it with contextual details and applies a consistent schema across all data types.
N/A
Logstash
Score 9.0 out of 10
N/A
N/A
N/A
Sumo Logic
Score 8.8 out of 10
N/A
Sumo Logic is a log management offering from the San Francisco based company of the same name.
$3
Per GB Logs
Pricing
LogRhythm NextGen SIEM Platform
Logstash
Sumo Logic
Editions & Modules
No answers on this topic
No answers on this topic
Essentials
$3.00
Per GB Logs
Enterprise
$4.00
Per GB Logs
Enterprise Security
$4.25
Per GB Logs
Enterprise Suite
$4.75
Per GB Logs
Offerings
Pricing Offerings
LogRhythm NextGen SIEM Platform
Logstash
Sumo Logic
Free Trial
No
No
No
Free/Freemium Version
No
No
No
Premium Consulting/Integration Services
No
No
No
Entry-level Setup Fee
No setup fee
No setup fee
No setup fee
Additional Details
—
—
—
More Pricing Information
Community Pulse
LogRhythm NextGen SIEM Platform
Logstash
Sumo Logic
Considered Multiple Products
LogRhythm NextGen SIEM Platform
No answer on this topic
Logstash
No answer on this topic
Sumo Logic
Verified User
Engineer
Chose Sumo Logic
Comparing them to Logstash and other open source tools, Sumo Logic is a clean, already well built tool that is ready to ingest and analyze data instantly. Other open source tools take a lot of time to build and manage; and their graphs/dashboards are almost always lacking. Sumo …
Sumo Logic works very well out of the gate. For a small business it has given us what we need. I worked at a larger company previously, and we produced so many logs we had to create a custom logging service to handle them all. Cost and availability are big issues when …
Having mostly worked with their on-premises solution, I think it's well-suited for small , medium, and even big organisations. I feel it might be less suited if the customer wants a SIEM with 100% uptime, as it goes down a lot. Or if they want to depend on customer support. I suggest that if you want to go with LR, you have to have your own experienced engineers to work on.
Perfect for projects where Elasticsearch makes sense: if you decide to employ ES in a project, then you will almost inevitably use LogStash, and you should anyways. Such projects would include: 1. Data Science (reading, recording or measure web-based Analytics, Metrics) 2. Web Scraping (which was one of our earlier projects involving LogStash) 3. Syslog-ng Management: While I did point out that it can be a bit of an electric boo-ga-loo in finding an errant configuration item, it is still worth it to implement Syslog-ng management via LogStash: being able to fine-tune your log messages and then pipe them to other sources, depending on the data being read in, is incredibly powerful, and I would say is exemplar of what modern Computer Science looks like: Less Specialization in mathematics, and more specialization in storing and recording data (i.e. Less Engineering, and more Design).
SumoLogic is a fantastic log aggregator and analysis tool, a fine alternative to Splunk. Searching is powerful and mostly intuitive and results come fast. If you have application logs in clusters or Kubernetes pods that lose their logs every time they're restarted, Sumo is the solution for you
LogRhythm NextGen SIEM Platform has an alarm system that generates tickets based on the event and the way it has been configured in the LogRhythm console. Let's say we have a ticket for a malicious email attachment. The ticket will some information like the source of the log, the source IP, destination IP etc. It can be drilled down to obtain specific information like the recipient, source location, file attachment name, SHA hash of the file, source and destination port, time, mac address of the machine that downloaded it etc. This helps the analysts to go to the root of the cause and take actions easily without manually parsing them.
The second good thing about the LogRhythm NextGen SIEM Platform is that it is very easy to use with its well-structured interface. To use LogRhythm, an user barely require any technical skills. A little overview of IP, CIDR, hash, etc. is enough to get your hands on it. It requires no programming or coding skills, as everything is GUI based. It also provides a beautiful visualization dashboard. There is another beautiful feature that it provides for the classification of events, known as cases. Multiple users working on the same platform can create cases and add events to it. They also help to maintain future reference.
The third good feature is the search tool which is very powerful. For example, sometimes it is hard to find the users who downloaded a malware from the guest wireless of the institution and not the private network. The search tool helps us in searching the user by automatically correlating the MAC address from the current network logs and the previous logs as the MAC address is the same. It is highly scalable for parsing a large number of logs from various sources.
I particularly think this is one of the best software available for log parsing in an organization where non-technical users are working on incident response. This tool has a good amount of flexibility. However, it can only be configured with the LogRhythm NextGen SIEM Platform Console.
In terms of usability, as already mentioned, it is a very easy tool to use, with a GUI based interface.
Logstash design is definitely perfect for the use case of ELK. Logstash has "drivers" using which it can inject from virtually any source. This takes the headache from source to implement those "drivers" to store data to ES.
Logstash is fast, very fast. As per my observance, you don't need more than 1 or 2 servers for even big size projects.
Data in different shape, size, and formats? No worries, Logstash can handle it. It lets you write simple rules to programmatically take decisions real-time on data.
You can change your data on the fly! This is the CORE power of Logstash. The concept is similar to Kafka streams, the difference being the source and destination are application and ES respectively.
Sumo Logic allowed for our InfoSec team to ingest logs from our CDN directly, in real-time, instead of massive compressed archives that were sent every two-hours (the only alternative at the time). Sumo Logic had an app for these logs, that allowed us to easily get an immediate payoff from the data, with canned dashboard and saved searches.
Sumo Logic has a fairly extensive REST API when it comes to log sources, source configurations, dashboard data, searches, etc. Their wiki for the API is usually kept up to date.
Sumo Logic, during the period of time I had used their product, had added the ability to configure agents via configuration files. This allowed customers to configure their endpoints, and modify the endpoints, with configuration management tools like Chef / Puppet / Salt. Beforehand, the only option was to always make changes either via the web portal or REST API.
The solutions engineers were extremely helpful, and easily reachable when issues would occur.
Users at our company found it easy to get started, working on new dashboards, scheduled searches, and alerting. The alerting worked well with our third-party paging tool.
LogRhythm absolutely needs to provide back end support for threat intelligence lists. Performing a linear search on massive lists of IPs on incoming web traffic can bring the SIEM to its knees.
LogRhythm should drop its entire code base for implementing lists and simply turn them into hash tables to avoid the excessive cost associated with referencing lists in rules. I haven't seen the code, but the performance suggests O(n).
The reporting feature is the worst of all SIEMs, luckily reports are not my primary service offering. LogRhythm should definitely revamp its reporting to be more intuitive.
LogRhythm is focused on SIEM. That is their core business. Cost of operations, feature set and ease of use. The Log Rhythm support team is outstanding. Overall reliability is good. Reporting module needs some improvement and LR is promising that there will be significant improvements in future releases.
LogRhythm does a rather decent job of making the functionality advanced (allowing for advanced keyword & field searching, use of "AND" as well as "OR" statements in the search bar) while keeping it accessible (by not requiring a specific syntax to do quick searches). This combined with a user interface that has headings and labels that are intuitive is very helpful.
As I said earlier, for a production-grade OpenStack Telco cloud, Logstash brings high value in flexibility, compliance, and troubleshooting efficiency. However, this brings a higher infra & ops cost on resources, but that is not a problem in big datacenters because there is no resource crunch in terms of servers or CPU/RAM
Sumo Logic is very powerful but definitely requires some configuration work to get the most out of it. You can get a certification related to this, but it is definitely not something you can just throw together.
While LogRhythm support is generally quick to respond, the initial response is usually from a first line support engineer with general knowledge of the product. Any advanced or complex issues have always required the assistance of a higher tier of support, directly or indirectly. For a few occasions we actually used our PS hours to work on the issue.
I would give this rating because I attended a free Sumo Logic training at a WeWork in Chicago. I found the training very useful, and I learned a lot of features that I was not aware of before I went to the training. I like the idea that SumoLogic provides free training seminars. I am certified in level1, and I plan on certifying to level2.
I was satisfied with the implementation, as at the time, it was the best way to implement the product with the available feature sets in Sumo Logic. User creation and management became more of an issue during continued use, instead of it being an issue related to deploying the product in our environment.
LogRhythm was simpler to set up and configure as well as extract information from. It also was less intrusive in terms of how many appliances were needed to implement. We were up and running within 5 hours to start accepting log sources. We selected LogRhythm as well since support is based in the USA in Colorado.
Logstash can be compared to other ETL frameworks or tools, but it is also complementary to several, for example, Kafka. I would not only suggest using Logstash when the rest of the ELK stack is available, but also for a self-hosted event collection pipeline for various searching systems such as Solr or Graylog, or even monitoring solutions built on top of Graphite or OpenTSDB.
Sumo Logic works very well out of the gate. For a small business it has given us what we need. I worked at a larger company previously, and we produced so many logs we had to create a custom logging service to handle them all. Cost and availability are big issues when deciding between the different services, whether self maintained and hosted, or provided by another company.
Positive: LogStash is OpenSource. While this should not be directly construed as Free, it's a great start towards Free. OpenSource means that while it's free to download, there are no regular patch schedules, no support from a company, no engineer you can get on the phone / email to solve a problem. You are your own Engineer. You are your own Phone Call. You are your own ticketing system.
Negative: Since Logstash's features are so extensive, you will often find yourself saying "I can just solve this problem better going further down / up the Stack!". This is not a BAD quality, necessarily and it really only depends on what Your Project's Aim is.
Positive: LogStash is a dream to configure and run. A few hours of work, and you are on your way to collecting and shipping logs to their required addresses!
