I've used both -- I was the Splunk admin at my last job, and my new company has been using LEM for a couple of years now. In my opinion, if you are used to using Splunk you will be severely disappointed with LEM. Not that LEM is a terrible product -- I think it offers easy access to functionality right out of the box, and includes some very useful information in the canned reports/queries. If you're coming from having no SIEM at all, it's an easy way to start. But it's not flexible/extensible at all, and heaven help you if you want to extract additional data from the built-in connectors (I'm looking at you, ASA connector). I think the LEM interface is fairly clunky and needs some modernization. The advantage LEM has is clearly in the pricing model. LEM has a different licensing philosophy than Splunk, and will likely be significantly cheaper since it's licensed by node vs. log volume.
tl;dr -- Companies with mature practices around SIEM will most likely find LEM lacking, but it's better than nothing and an easy way to get into the game.