Before I go into details about the best SIEM solutions, I would like to spend just a few lines of text to issue a warning about two systems. These are not just opinions, but factual experiences using the systems and tracking TCO and progress. I have spent countless hours with support from both companies, and rarely got a solution other than temporary workarounds. ALL systems ended up being decommissioned and replaced.
#1 – Logpoint
Terribly slow, and it needs a crazy amount of capacity to do even basic tasks. With 64 GB of RAM and 8 cores, the system crashed when reaching 1750 EPC. There was no internal health monitoring, and in general you get the feeling Logpoint is still not out of the Beta stage. On top of that, the TCO is too high, and local support is lacking in general understanding of logging/SIEM.
#2 – Solarwinds LEM
It promises fast and easy “compliance reporting” and “real-time event correlation”, but you can only use the predefined reports, and those are far from what you should expect in 2018. On top of that, we had a few examples of Syslog data that disappeared – not acceptable at all.
… the only good thing I can say about those systems is that they are so bad, their customers search for alternatives and fixes on Google, and end up hiring me to implement a better alternative – 🙂