Educause Security Discussion mailing list archives
Re: Log management
From: Isaac Straley <straley () UCI EDU>
Date: Wed, 31 Jan 2007 07:52:15 -0800
This can be done through what is called "Live Splunk", which is only available with the commercial version. You can generate alerts or send out reports based on saved searches. From their FAQ (http://www.splunk.com/support/235):

Can Splunk send alerts?

Yes, Live Splunks allow you to schedule any search and establish rules to alert via email, RSS or by triggering a shell script. Live Splunk alerts have been integrated with a number of systems management tools as well, such as Nagios and CA Unicenter. We are actively building additional integrations with other systems management products to provide for seamless alerting workflow.

Can I generate reports with Splunk?

Yes, Report Splunks allow you to summarize the results of any search using either simple syntax like "top _ips" or full SQL. However, instead of reporting on data stored in a structured schema in a relational database, Splunk's reports run on search results that are put into a structured table only at search time. Splunk automatically recognizes many fields, and you can train it to recognize new ones, without re-indexing the data. Report results can be viewed in the Splunk Web interface and also exported to csv for use in other reporting tools. Reports can be scheduled for delivery in email using Live Splunk scheduling.

Chris Green wrote:
Can Splunk deliver automated reports? Last I played with it, it seemed like something that might be good for people to go troubleshoot an issue but not something that could easily automate reporting on specific activities. I had the same problem after viewing an ArcSight demo for their Logger device. Seems great for centralizing, bad for automated reporting. I'm explicitly not looking for something that does real-time alerting ala OSSEC for many of these things.

-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU]
Sent: Wednesday, January 31, 2007 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Log management

We are in the process of deploying Splunk within our environment. I experimented with a handful of machines and was very impressed with the search features, allowing us to correlate, for instance, brute force SSH attempts from remote machines across the machines covered easily. Definitely worth a look.
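The two things the thread asks for, a "top _ips" style report and cross-host correlation of failed SSH logins, reduce to one scheduled search over centralized sshd logs. The script below is an added illustration, not code from the thread or from Splunk; it assumes syslog-format sshd lines with the originating hostname, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format: timestamp host program[pid]: message).
SAMPLE_LOGS = """\
Jan 31 07:40:01 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 31 07:40:03 web01 sshd[2101]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan 31 07:40:05 db01 sshd[811]: Failed password for root from 198.51.100.7 port 40140 ssh2
Jan 31 07:40:09 mail01 sshd[519]: Failed password for invalid user test from 198.51.100.7 port 40150 ssh2
Jan 31 07:41:00 web01 sshd[2102]: Failed password for alice from 192.0.2.44 port 51000 ssh2
Jan 31 07:41:02 web01 sshd[2102]: Accepted password for alice from 192.0.2.44 port 51000 ssh2
Jan 31 07:42:17 db01 sshd[812]: Failed password for root from 203.0.113.9 port 33000 ssh2
"""

# Extracts the reporting host, the attempted user and the source IP of a failed login.
FAILED_RE = re.compile(
    r"^\S+ \d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)

def correlate_failed_ssh(log_text):
    """Return {src_ip: {"attempts": n, "hosts": set(...), "users": set(...)}} across all hosts."""
    stats = defaultdict(lambda: {"attempts": 0, "hosts": set(), "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:  # successful logins and unrelated lines are ignored
            continue
        s = stats[m["src"]]
        s["attempts"] += 1
        s["hosts"].add(m["host"])
        s["users"].add(m["user"])
    return dict(stats)

def top_sources(stats, limit=10):
    """Report-style ranking: most attempts first, then most distinct hosts, then IP for stability."""
    return sorted(stats.items(),
                  key=lambda kv: (-kv[1]["attempts"], -len(kv[1]["hosts"]), kv[0]))[:limit]

def brute_force_sources(stats, min_attempts=3, min_hosts=2):
    """Alert only on sources that meet both thresholds; a single typo-style failure is not an alert."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["hosts"]) >= min_hosts)

if __name__ == "__main__":
    stats = correlate_failed_ssh(SAMPLE_LOGS)
    print("src_ip           attempts hosts")
    for ip, s in top_sources(stats):
        print(f"{ip:16} {s['attempts']:8} {len(s['hosts']):5}")
    print("alert:", brute_force_sources(stats))
```

Run on a schedule over the aggregated logs, the `top_sources` table is the periodic report and `brute_force_sources` is the list worth an e-mail.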