Educause Security Discussion mailing list archives

Re: Log management


From: Isaac Straley <straley () UCI EDU>
Date: Wed, 31 Jan 2007 07:52:15 -0800

This can be done through what is called "Live Splunk", which is only
available with the commercial version.  You can generate alerts or send
out reports based on saved searches.

From their FAQ (http://www.splunk.com/support/235):

Can Splunk send alerts?

Yes, Live Splunks allow you to schedule any search and establish rules
to alert via email, RSS or by triggering a shell script. Live Splunk
alerts have been integrated with a number of systems management tools as
well, such as Nagios and CA Unicenter. We are actively building
additional integrations with other systems management products to
provide for seamless alerting workflow.

Can I generate reports with Splunk?

Yes, Report Splunks allow you to summarize the results of any search
using either simple syntax like "top _ips" or full SQL. However, instead
of reporting on data stored in a structured schema in a relational
database, Splunk's reports run on search results that are put into a
structured table only at search time. Splunk automatically recognizes
many fields, and you can train it to recognize new ones, without
re-indexing the data.

Report results can be viewed in the Splunk Web interface and also
exported to csv for use in other reporting tools. Reports can be
scheduled for delivery in email using Live Splunk scheduling.

Chris Green wrote:
Can splunk deliver automated reports?  Last I played with it, it seemed
like something that might be good for people to go troubleshoot an issue
but not something that could easily automate reporting on specific
activities.

I had the same problem after viewing an ArcSight demo for their Logger
device.  Seems great for centralizing, bad for automated reporting.  I'm
explicitly not looking for something that does real-time alerting ala
OSSEC for many of these things.

-----Original Message-----
From: Alex Campoe [mailto:campoe () USF EDU]
Sent: Wednesday, January 31, 2007 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Log management

We are in the process of deploying Splunk within our environment. I
experimented with a handful of machines and was very impressed with the
search features, allowing us to correlate, for instance, brute force
SSH attempts from remote machines across the machines covered easily.

Definitely worth a look.
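As an added illustration, not code from Splunk or from anyone in this thread, here is the cross-host correlation Alex describes and the "top source IPs" style summary from the FAQ, done offline in Python over constructed sshd log lines; the hostnames, addresses and alert thresholds are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample: syslog-style sshd lines as if collected from three
# hosts (made-up log lines, not data from the thread).
SAMPLE_LOGS = """\
Jan 31 07:40:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 31 07:40:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 31 07:40:05 db01 sshd[877]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 31 07:40:09 mail01 sshd[4410]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 31 07:41:12 db01 sshd[880]: Failed password for alice from 198.51.100.23 port 40110 ssh2
Jan 31 07:41:30 web01 sshd[2109]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2
Jan 31 07:42:00 mail01 sshd[4418]: Failed password for bob from 192.0.2.44 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text):
    """Yield (host, user, src_ip) for each failed-password line; skip the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("host"), m.group("user"), m.group("src")

def top_sources(log_text):
    """Per source IP: total failures and the hosts it hit, most failures first."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for host, _user, src in parse_failures(log_text):
        counts[src] += 1
        hosts[src].add(host)
    return sorted(
        ((src, counts[src], sorted(hosts[src])) for src in counts),
        key=lambda row: (-row[1], row[0]),
    )

def alert_candidates(log_text, min_failures=3, min_hosts=2):
    """Sources failing repeatedly AND across hosts: the pattern one host's log alone cannot show."""
    return [src for src, n, hs in top_sources(log_text)
            if n >= min_failures and len(hs) >= min_hosts]

if __name__ == "__main__":
    for src, n, hs in top_sources(SAMPLE_LOGS):
        print(f"{src:16} failures={n} hosts={','.join(hs)}")
    print("alert:", alert_candidates(SAMPLE_LOGS))
```

Run on a schedule over the collected logs, the `alert_candidates` list is the kind of result a saved search would hand to an email or script action.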
