Educause Security Discussion mailing list archives
Re: SIEM preferences for the budget conscious institution
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Fri, 27 Jan 2017 17:14:48 -0500
On 27 January 2017 at 13:51, Christopher Caldwell <caldwell () gwu edu> wrote:

> With a judicious use of Puppet to manage the Splunk infrastructure, I (1 person) manage three clusters (including one multi-site), totaling 12 indexers, 11 search heads, nearly 500 forwarders (both co-located and “syslog servers”) and 4TB of data by myself.

Just for clarification, are you using forwarders as Splunk uses forwarders or as the rest of the logging world uses forwarders? I.e., are you managing 500 servers that are "heavy forwarders" and exist only to serve the logging infrastructure (the way the rest of the logging world uses the word forwarders), or are there 500 servers running the Splunk agent (as opposed to sending via syslog), thereby technically being a "light forwarder" (but not actually existing to serve Splunk)? And is that 4TB of data indexed daily or 4TB total in the ecosystem?

kmw