Re: For those who Splunk

[hodgett <m.hodgett () QUT EDU AU>]

We installed Splunk a few years ago on premise. I believe we are 
collecting about 200Gb/day. We did have have different SIEM before this 
and it wasn't keeping pace. The cost of Splunk wasn't a security 
decision, it was a business decision based on the data being use to 
monitor systems and some key services to provide service quality and 
some business intelligence. Security was an added benefit although 
shifting the cost of the old SIEM to Splunk did help.

Because of the size of our environment and the amount of data the 
decision to stay on-site was easy, although with current business 
decisions forcing cloud  based installations this might change. Good 
design and implementation of the layout of indexes, search nodes, and 
forwarders is a must.

Matthew Hodgett, M.InfTech, CISSP

On 07/04/17 01:52, Emily Harris wrote:
> We are about to start a small(ish) Proof of Concept for using Splunk.  
> In our POC we intend to use the product on-site, but I know that 
> Splunk Cloud is becoming increasingly popular.
>
> This is a very informal poll, but I'm hoping to gather some meaningful 
> comments and use cases.
>
> For those who use Splunk:
>
> 1.  Is it on-premise or in the cloud?
>
> 2.  Why did you make that choice, whatever it is?
>
> 3.  What is your per day license?
>
> 4.  Do you have any "gotchas" to share about the direction you chose?
>
> Thank you so much!
>
> ----
> Emily Harris, CISSP
> Information Security Officer, CIS
> Vassar College
> 845-437-7221