Educause Security Discussion mailing list archives

Re: Log management


From: Isaac Straley <straley () UCI EDU>
Date: Wed, 31 Jan 2007 07:47:09 -0800

I, from a personal viewpoint, really like Splunk.  It's got great
indexing, a variety of input methods, and easy to use search and
correlation capabilities.  My only real beef with it currently is the
access control system.  It's very basic with three roles which mainly
revolve around the ability to add inputs and alerts.  This is not bad in
a very small or controlled environment, but depending on your definition
of "centralized" this can create problems if you want to limit access to
view (or even list) some or all of the logs.

My understanding from talking to their reps is a better access control
system is in development, but it's some time away.  There was supposed to
be a release which made some progress in this area but unless I have
missed something, they have not done it yet.

If this is not a problem for your environment, Splunk is well worth
looking at.

Isaac

--

Isaac Straley
Manager, IT Security
Network & Academic Computing Services
University of California, Irvine
straley () uci edu
(949) 824-1471

Jeff Giacobbe wrote:
Charles-

I've heard good things about Splunk (splunk.org) though I haven't really
kicked the tires myself yet. Splunk can index and search all kinds of
system and network log data in near real-time and has some alerting
functions as well.

It's free for up to 500MB of log data per day. More than that requires a
license.

--
Jeff Giacobbe
Director of Systems, Security, and Networking
Montclair State University
