LogRhythm NextGen SIEM Platform vs. ScienceLogic SL1 vs. Splunk Observability Cloud

Having mostly worked with their on-premises solution, I think it's well-suited for small , medium, and even big organisations. I feel it might be less suited if the customer wants a SIEM with 100% uptime, as it goes down a lot. Or if they want to depend on customer support. I suggest that if you want to go with LR, you have to have your own experienced engineers to work on.

Incentivized

For Windows, the issue is in higher resource consumption related to WinRM monitoring, which provides better options then the SNMP monitoring, which on the other hand is less resource intensive. The problem is also with support for OS with other than English language.

Incentivized

Its great if you need real-time visibility across complex or regulated environments. Also strong for hybrid or multi-cloud setups where uptime, observability and fast IR are required. It’s probably overkill for smaller teams or environments that don’t have constant changes or compliance reporting needs. It's expensive and has a steep learning curve. Also, in my opinion, do not get yourself into a consumption based model. Costs can certainly get out of control quickly.

Incentivized

• LogRhythm NextGen SIEM Platform has an alarm system that generates tickets based on the event and the way it has been configured in the LogRhythm console. Let's say we have a ticket for a malicious email attachment. The ticket will some information like the source of the log, the source IP, destination IP etc. It can be drilled down to obtain specific information like the recipient, source location, file attachment name, SHA hash of the file, source and destination port, time, mac address of the machine that downloaded it etc. This helps the analysts to go to the root of the cause and take actions easily without manually parsing them.
• The second good thing about the LogRhythm NextGen SIEM Platform is that it is very easy to use with its well-structured interface. To use LogRhythm, an user barely require any technical skills. A little overview of IP, CIDR, hash, etc. is enough to get your hands on it. It requires no programming or coding skills, as everything is GUI based. It also provides a beautiful visualization dashboard. There is another beautiful feature that it provides for the classification of events, known as cases. Multiple users working on the same platform can create cases and add events to it. They also help to maintain future reference.
• The third good feature is the search tool which is very powerful. For example, sometimes it is hard to find the users who downloaded a malware from the guest wireless of the institution and not the private network. The search tool helps us in searching the user by automatically correlating the MAC address from the current network logs and the previous logs as the MAC address is the same. It is highly scalable for parsing a large number of logs from various sources.
• I particularly think this is one of the best software available for log parsing in an organization where non-technical users are working on incident response. This tool has a good amount of flexibility. However, it can only be configured with the LogRhythm NextGen SIEM Platform Console.
• In terms of usability, as already mentioned, it is a very easy tool to use, with a GUI based interface.

Incentivized

• Best overall coverage of montioring different technologies.
• Easy to use in any environment
• Customizable being able to generate your own reports, dashboards, DA's, RBA's, etc.
• Have very good out of the box integrations with other monitoring solutions such as ServiceNow
• Always improving and regularly releasing new versions and upgrades to the system/DA's.
• Interactive community

Incentivized

• The first one is its Kubernetes container monitoring.
• I really like this features because as we know how much K8s is vast and to manually monitor each part of the Kubernetes it takes so much time but Splunk Observability Cloud makes it easier. And even once we integrate K8s with Splunk Observability Cloud it gives us some prebuilt dashboards which gives holistic view of our Cluster and its nodes, pods, etc.
• The dashbaord feature of Splunk Observability Cloud, it gives us full flexibility to customize our dashboard with a wide range of predefined chart types.
• Now it also supports OTEL, which is a plus point for observability. As now everyone is moving towards Otel and in current market there are only few tools who supports OTEL based integrations, Splunk Observability Cloud is one out of them.

Incentivized

• LogRhythm absolutely needs to provide back end support for threat intelligence lists. Performing a linear search on massive lists of IPs on incoming web traffic can bring the SIEM to its knees.
• LogRhythm should drop its entire code base for implementing lists and simply turn them into hash tables to avoid the excessive cost associated with referencing lists in rules. I haven't seen the code, but the performance suggests O(n).
• The reporting feature is the worst of all SIEMs, luckily reports are not my primary service offering. LogRhythm should definitely revamp its reporting to be more intuitive.

Incentivized

• Dashboards are quite old and are of Iron age. Need to have AP2 dashboards only instead of AP1 and consistent new design across all functionalities.
• Reporting is not improved since Y2020 and need to revamp completely. Need to integrate Dashboards and Reporting. PowerBI Like functionality to be given OOTB. Reports should be extracted in Excel, PDF, HTML and should be heavily automated.
• Create and Open APIs for basic and advanced monitoring data extraction.
• Topology based Event Correlation and Suppression should be improved drastically. Need to identify critical network interfaces based on Topology and monitor them. Basic customization of Dynamic App and/or Powerpack to exclude/include certain metrics/events to be permitted OOTB instead of customizations.
• Integration with ServiceNow to be improved and to be taken to next level. Automation Powerpack should be made available OOTB as part of base product and to be priced attractively.
• Take product to next level where we can monitor actual impacted IT or Business Service instead of metrics and events BSM and Topology map to be auto discovered and identify the network dependencies and alternate paths automatically instead of manual creation of BSM.

• You can use table-like functionality to generate dashboards, but these queries are heavy on the system.
• It could be easier to give insight into what type of line parsing is used for specific documents in a company-managed environment and/or show ways to gain the insights needed.
• I would like to see ways to anonymize specific data for shared reports without pre-formatting this in a dashboard on which reports could be based.

Incentivized

LogRhythm is focused on SIEM. That is their core business. Cost of operations, feature set and ease of use. The Log Rhythm support team is outstanding. Overall reliability is good. Reporting module needs some improvement and LR is promising that there will be significant improvements in future releases.

Incentivized

It is simply because of all the best possible autonomy solutions it is providing and getting better day by day. Using AI and Devops along with handy automation, The monitoring and Management of devices becomes much easier and the way it is growing in all the aspects is one the best reasons too. Evolution of the SL1 platform in the autonomy monitoring and management is quite appreciable.

Incentivized

Good: Stable system with low error rate Easy to use for simple use cases Bad: UI is not very clear for complex usage Mobile view (when logged in from phone) is bad No library for .net

Incentivized

LogRhythm does a rather decent job of making the functionality advanced (allowing for advanced keyword & field searching, use of "AND" as well as "OR" statements in the search bar) while keeping it accessible (by not requiring a specific syntax to do quick searches). This combined with a user interface that has headings and labels that are intuitive is very helpful.

Incentivized

The core functions are there.
The complexity is due to the complexity of the space.
The score is based on comfort (I no longer notice the legacy UI) and the promise that I see in the 8.12 Unified UI (a vast improvement).
It is also based on the fact that with 8.12, you can now do everything in the new UI but you still have the legacy UI as a fallback (which should now be unnecessary for new installations)

Incentivized

When there is an issue, it’s a win if one can easily identify the root cause. To do the same, it should allow the user to dig deep with multiple data points and compare the data and identify the anomaly. In this use case, it’s good to drive from Splunk 011y.

Incentivized

SL is always there and online when you need to get info from it. The only times when SL was not available in our own data center, was when network links from out side of the data center was down and those links were not in our controll. Having a central database and people accessing it all over the world, may put a bit of constarin on the performance of the dashboards when reports gets generated, but that is far and few n between.

Incentivized

SceinceLogic SL1 architecture helps the platform to give a top-notch performance in every respect, Data collection to reporting happens very smoothly. With the new user interface pages load much faster. Individual appliances carrying the individual task ensure things are working without lag. Integration with ticketing tool(SNOW) is well managed by the ScienceLogic, no issue or much delay has been observed while interacting with an external tool.

Incentivized

While LogRhythm support is generally quick to respond, the initial response is usually from a first line support engineer with general knowledge of the product. Any advanced or complex issues have always required the assistance of a higher tier of support, directly or indirectly. For a few occasions we actually used our PS hours to work on the issue.

Incentivized

So far, it's good as part of my overall experience, except for a couple of use cases. The support team is well knowledgeable, has technical sound, and is efficient. When support escalates to engineering, the issue gets stuck and takes months to resolve.

Incentivized

Splunk support is very quick and efficient. Pre-sale specialists are very skilled and available.

Incentivized

It was good, Do the online training first and understand it and you will get the most out of the in-person training that way. This also takes you to an advanced level which is very good and the training as been overhauled once again along with new product coming in such as Zebruim / Skylar, worth going through again if it a while back that you first did this.

Incentivized

There are a lot of educational materials and courses on the SL1 training site (Litmos university). However the recording quality is sometimes not very good - screen resolution is low. There is a lack of professional rather than user-oriented documents and there are mistakes in documentation and education is not well structured.

Incentivized

• Buy professional services.
• Buy and implement the system if possible.
• Remember that the end point log configuration may require other teams in your company to assist you in getting the desired logs from all resources.
• Attend the end user and daily operations training after a period of usage so you are not overwhelmed with information on concepts not yet seen.
• Don't be afraid to call for help during your first months of use.
• Don't close any ticket until you are sure the expected results are verified.
• Use the community forums to discuss issues with your peers.
• Watch the training videos offered by L R University.

Incentivized

Implementation is smooth if we are to just support the out-of-the-box features available in ScienceLogic. For any custom requirement, having to go to SL1 Professional Services is the worst part of procuring this suite. And more often than not, SL1 Professional Services also ask to raise feature request. So, you subscribe to Professional Services to only hear back from them that "This feature is not supported and needs to have a separate feature request". At times frustrating.

Incentivized

Follow a training before starting.

Incentivized

LogRhythm was simpler to set up and configure as well as extract information from. It also was less intrusive in terms of how many appliances were needed to implement. We were up and running within 5 hours to start accepting log sources. We selected LogRhythm as well since support is based in the USA in Colorado.

Incentivized

Science logic SL1 is so user friendly and it's really easy to navigate between function. I would recommend Sciene logic SL1 to all of them who are looking for really useful monitoring tool and expecting easy way of managing it.

Incentivized

Splunk Infrastructure Monitoring provides far superior options for anybody using a complex hybrid multi-cloud environment and allows both your SOC and NOC to work together on the same data while driving their own insights. We found other products are still in the old world view of servers and agents residing together within a single data centre, but modern apps are no longer like this.

Incentivized

Our deployment model is vastly different from product expectations. Our global / internal monitoring foot print is 8 production stacks in dual data centers with 50% collection capacity allocated to each data center with minimal numbers of collection groups. General Collection is our default collection group. Special Collection is for monitoring our ASA and other hardware that cannot be polled by a large number of IP addresses, so this collection group is usually 2 collectors). Because most of our stacks are in different physical data centers, we cannot use the provided HA solution. We have to use the DR solution (DRBD + CNAMEs). We routinely test power in our data centers (yearly). Because we have to use DR, we have a hand-touch to flip nodes and change the DNS CNAME half of the times when there is an outage (by design). When the outage is planned, we do this ahead of the outage so that we don't care that the Secondary has dropped away from the Primary. Hopefully, we'll be able to find a way to meet our constraints and improve our resiliency and reduce our hand-touch in future releases. For now, this works for us and our complexity. (I hear that the HA option is sweet. I just can't consume that.)

Incentivized

• It gives the overall view of the environment so we are always aware of our security position.
• It has created operational effectiveness; we are able to rapidly detect threats and resolve it fast.
• We have been able to track inappropriate login attempts through tickets.

Incentivized

• Once a powerpack is developed and configured for a device for one customer, it is easy to deploy the same powerpack on a second customer estate and configure specifically for that customer without having to reinvent the powerpack. This saves time and therefore money.
• Once the customer estate tuning is complete, the Operations team have come trust the alerts. This is especially true when transient or self-correcting alerts are automatically cleared without ops team involvement, but a record is still available for audit and debugging purposes. This saves time and therefore money.
• When setup correctly, it provides good visibility into applications, devices and whole customer estates. This saves time and therefore money when issues arise.

Incentivized

• Significantly reduced the MTTR (Mean Time To Recovery), which in turn has improved the end-user experience tremendously.
• Meets compliance requirements of security policies, audit, regulation, and forensics.
• Helps us to track/manage the resource usage on our cloud instances which has a direct implication on the recurring cost.

Incentivized