    How do you like LEM especially when compared to Splunk?


We are currently leveraging Splunk for security data and correlation, server / desktop event filtering, dashboarding of customer service and BI data, etc. Recently we lost both of our Splunk admins and are tossing around the idea of switching over to LEM in part or fully.


      Are you guys enjoying using LEM? Also, do you have any insight to the advantages of LEM vs Splunk?

I've used both -- I was the Splunk admin at my last job, and my new company has been using LEM for a couple of years now. In my opinion, if you are used to using Splunk you will be severely disappointed with LEM. Not that LEM is a terrible product -- I think it offers easy access to functionality right out of the box, and includes some very useful information in the canned reports/queries. If you're coming from having no SIEM at all, it's an easy way to start. But it's not flexible/extensible at all, and heaven help you if you want to extract additional data from the built-in connectors (I'm looking at you, ASA connector). I think the LEM interface is fairly clunky, and needs some modernization. The advantage LEM has is clearly in the pricing model. LEM has a different licensing philosophy than Splunk, and will likely be significantly cheaper since it's licensed by node vs. log volume.


          tl;dr -- Companies with mature practices around SIEM will most likely find LEM lacking, but it's better than nothing and an easy way to get into the game.

