LogRhythm Logging for the masses (of stuff you own)
Updated July 17, 2020

LogRhythm Logging for the masses (of stuff you own)

James Harrison, CISSP | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Overall Satisfaction with LogRhythm

It is deployed as an enterprise logging solution. It collected logs from Windows (all flavors), *nix, Cisco, Syslog, NetFlow and other sources. It provides logs that are analyzed, reported on and used in daily operational troubleshooting. It provides scheduled reports to meet the auditing and compliance needs of an HIPAA organization.
  • Great Web UI for help desk troubleshooting.
  • Identification and drilldown of authentication issues.
  • Performance trending.
  • Correlation of events.
  • Access and group policy change monitoring.
  • Reporting is based on Crystal Reports, requiring a template prior to building a report. The template once saved, cannot be edited. Repeat until you get it right.
  • Query building in the WebUI has little or no documentation.
  • Depth of training on reporting is lacking.
  • LogRhythm has had a positive impact on our reporting capabilities, although the reporting module is very difficult to use.
  • Our support teams use LogRhythm to alert on, track and troubleshoot issues with authentication, inappropriate access attempts and other anomalous behavior.
  • The cost of deployment was significantly lower than the competitor QRadar.
We had business requirements for the following features:
  • Sustained flow acquisition and data collection of dissimilar log types from multiple sources.
  • Customization for Reporting and Alerting in near real time.
  • Offer Dynamic Monitoring.
  • Presented in a Security Event Console.
  • Automated Response Generation for Security Events.
  • Support for Regulatory Compliance.
  • Host, Application and Object Access Logs.
  • Integration with IAM (Identity Access Management).
  • Ability to Express and Track Compliance with User-Defined Policy.
  • Mapping of Events to NIST/CSF and ISO 27001 Control Frameworks and Regulations.
  • Incident Management and Workflow.
  • Data Collection and Archiving.
  • Redundancy, Scalability and Deployment Flexibility.
  • Correlation and Taxonomy.
  • Enterprise Administration, Auto-Discovery, Asset Classification, Embedded Security Knowledge
Logging is always necessary if
1. You have audit requirements for system access
2. You need to alert and report on user activity
3. You need to troubleshoot issues
4. You want to monitor, report and alert on malicious / suspicious activity
5. You want to impress your management team with statistics...

I cannot think of any computing environment where logging is not appropriate.

LogRhythm NextGen SIEM Platform Feature Ratings

Centralized event and log data collection
Event and log normalization/management
Deployment flexibility
Integration with Identity and Access Management Tools
Custom dashboards and workspaces
Host and network-based intrusion detection

Using LogRhythm

20 - Information security is the product owner.
IT support staff including desktop and server support and analysts
Regulatory Auditors
Executives receive reports
Analysts, technicians, programmers, engineers
  • Regulatory compliance
  • Log collection and archiving
  • Log analysis for troubleshooting issues
  • Reporting of security and access activities
  • The AIEngine allows us to track and alert on anomalous activity
  • The dashboard gives a realtime view of activities
  • Scheduled reporting has reduced required audit findings for our numerous HIPAA and SOC audits.
  • File integrity monitoring will be added to our deployment
  • We are adding new threat feeds to our deployment
LogRhythm is focused on SIEM. That is their core business. Cost of operations, feature set and ease of use. The Log Rhythm support team is outstanding. Overall reliability is good. Reporting module needs some improvement and LR is promising that there will be significant improvements in future releases.

Evaluating LogRhythm and Competitors

Yes - 

  • EIQnetworks SOCVue

Attempts to get the demo version running on our test server were
unsuccessful even with the assistance of a EIQ support engineer


Successful tests were conducted over a period of two weeks. It appears the Windows solution will
require a great amount of customization to be useful in our environment. Agents would be required to every endpoint. Company was disqualified by our team when Gartner
failed to review them due to financial stability of the company. Size of development and support team is
also a concern.

Alien Vault

A review of available feature set did not fit the XYZ WIDGET CO.

EventLog Analyzer

Off shore company, missed two different appointments for demo

IBM QRadar

Rebranded version of our current solution. Got quote to replace what we currently
have. 2 weeks ago I was promised a
call from IBM sales to discuss further.
Never got that call.


Appliance based solution. Online
evaluation, full demo, great interaction with presales engineering. International support team.

  • Price
  • Product Features
  • Product Usability
  • Product Reputation
  • Third-party Reviews
LogRhythm is an appliance based solution. We deployed it as a high-availability
collector, with servers in all our geographically diverse data centers.
The appliance had the ability to add additional storage to the
repository as our storage requirements and retention times are extensive. We looked for a solution that had great reviews in the vertical space (SEIM). Log Rhythm's core business is just that.
I would have required all competitors to provide custom reports that mirrored what we were getting from the system we retired. I would have asked for a side by side evaluation to be run for 30 days in our environment to compare all features. Log Rhythm advertised the features, but it took some time (up to a year) to realize that value.

Would I buy it again? Yes, but I would hire the Pro Services team to come on site and see our old platform, before deploying the new one.

LogRhythm Implementation

  • Buy professional services.
  • Buy and implement the system if possible.
  • Remember that the end point log configuration may require other teams in your company to assist you in getting the desired logs from all resources.
  • Attend the end user and daily operations training after a period of usage so you are not overwhelmed with information on concepts not yet seen.
  • Don't be afraid to call for help during your first months of use.
  • Don't close any ticket until you are sure the expected results are verified.
  • Use the community forums to discuss issues with your peers.
  • Watch the training videos offered by L R University.
  • Implemented in-house
  • Professional services company
The implementation was two tiered in so much as our internal teams provided the initial rack and cable, base configuration and turn on. We then worked with the Pro Serve team at L R to get the system configured. There was issues not discussed by the sales team such as the need for a license for the full feature System monitor agent. Part of that disconnect was due to our changing sales force reps in the middle of the negotiation.
Yes - Physical installation. Rack, cable and network configuration
Power on and initial configuration of appliances
Configuration of log collectors
Configuration of endpoints to direct logs to the system (this is the most time consuming of all the steps)
Verify and accept logs from various resources
Begin creating lists of resources
Create reports and validate expected results, Tune report criteria, repeat
Create training documents for internal users

Change management was a small part of the implementation and was well-handled - Our company has a well defined change management program. The most challenging issue is getting the project team to understand the steps required to implement a system of this type. The other challenging issue was the steps to configure Windows logging and alerting. Tuning of logs could only be accomplished after the collection of a large number of logs. The tuning phase did not require C M approval or oversight.
  • Configuration of the Life Keeper software
  • Configuration of the endpoints. We have a large group of dissimilar systems including AIX, *inux, Cisco, Windows and other resources.
  • Pruning of logs not needed for daily operations.
  • Learning to generate reports similar to the ones previously available through our old SIEM Platform

LogRhythm Support

Over the last couple of years, we have had some challenges requiring longer and higher tiered support. Log Rhythm was quick to assign a 3rd tier engineer to assist us in identifying and re-mediating those problems. They have also assisted in getting us to later versions. They are willing to hand hold during platform upgrades.
Quick Resolution
Good followup
Knowledgeable team
Problems get solved
Kept well informed
No escalation required
Immediate help available
Support understands my problem
Support cares about my success
Yes - UP time is of the essence. I have a high availability deployment and must keep logs flowing into the system. Our desktop and analyst support teams uses the WebUI for daily operational and troubleshooting. The security team uses LR for reporting, alerting and monitoring of bad behavior trends.

Additionally, support is needed to assist when we can't get the information we know is there.
Yes - I have discovered a couple of bugs in the reporting tools. Log Rhythm was quick to find workarounds and the issues were corrected in patch deployments.
During a recent update, there were issues with the 3rd party app (Life Keeper) that manages the high availability connection between the main system and backup server. That app had issues, and required the L R tech staff to engage other teams. They coordinated a conference call and worked with the other parties to insure I would get the assistance required to solve the issue. At the end of a couple of days, the issue had been corrected and the L R tech called to review and verify that failover was working as expected.

Using LogRhythm

Training is lacking for the reporting and query building. Overall, the investigation tool is my most used feature. It is very easy to drill down when searching for an interesting event.
The real time dashboard in the console is feature rich and provides graphical views and the ability to see associated logs.

The alarms dashboard displays the most recent significant events, and the ability to track and document how the event is being handled.
Like to use
Technical support not required
Well integrated
Quick to learn
Feel confident using
Lots to learn
  • The WebUI is the most used part of the platform, used by our Desktop support analysts, engineers and others for daily operations.
  • The security team uses the console and reporting tool on a daily basis.
  • Adding new assets to the system is very easy.
  • Performing an investigation results in a case, which can be shared with team members.
  • The knowledge base is a great feature and keeps the system up to date with relevant data include report templates
  • The Malware feed monitor keeps the database up to date with potential threat information.
  • Reporting is very difficult, and results are often unpredictible
  • Building queries in the WebUI require a bit of scripting to get the desired result.
  • The AI Engine is a bit corny with the graphical cube approach to build out alert scenarios.