Educause Security Discussion mailing list archives

Re: For those who Splunk


From: Garrett Hildebrand <gdh () UCI EDU>
Date: Wed, 12 Apr 2017 12:42:39 -0700

1.  Is it on-premise or in the cloud?

On-premise.

2.  Why did you make that choice, whatever it is?

You don't get administrative access to the underlying host in the
cloud. This means that anything you need to update that can't be
updated through the GUI needs to be submitted as a ticket to Splunk
and they do the work according to the SLA. A good example of that
would be creating new Deployment Apps.

Also, there is one fee for being in the cloud that you don't have
with on-premise. They charge you extra for data retention beyond
the default. We keep most of our data for 6 months and for one index
we keep it for a year.

3.  What is your per day license?

20 Gigabytes. But we filter out logs that have no security application.
Without those filters we would need three times that.

4.  Do you have any "gotchas" to share about the direction you chose?

We have to do our own administration.

Garrett
-==-==-
G.D. Hildebrand              Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913                   email: gdh () uci edu
Created new page 15 December 2016
My URL is http://about.me/garretthildebrand
*Splunk - the Benihana of log-data slicing and dicing.*

Don't be a victim of phishing. Legitimate businesses don't ask you
to send sensitive information through insecure channels. Learn more:
http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501
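The license-driven filtering Garrett mentions is usually done in Splunk by routing unwanted events to nullQueue before they are indexed; only indexed data counts against the daily license. The configuration below is an added example for this thread, not UCI's configuration and not from the original post. The sourcetype name and the Windows event codes are assumptions chosen for illustration, not a statement of what anyone on the list actually drops.

```ini
# props.conf -- on the indexer or a heavy forwarder (e.g. $SPLUNK_HOME/etc/system/local/).
# [WinEventLog:Security] is an assumed sourcetype name; use whatever your inputs produce.
[WinEventLog:Security]
TRANSFORMS-drop_noise = drop_noisy_security_events

# transforms.conf -- same host.
# Events whose _raw matches REGEX are sent to nullQueue and never indexed,
# so they do not consume license. The event codes are illustrative choices
# (4634 = logoff, 5156 = Windows Filtering Platform connection allowed);
# choose your own only after checking which EventCodes your detections rely on.
[drop_noisy_security_events]
REGEX = EventCode=(4634|5156)\b
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats a practitioner should keep in mind. First, props.conf/transforms.conf filtering only takes effect where events are parsed, so it belongs on an indexer or heavy forwarder; a universal forwarder does not apply it, and Windows event filtering there is done with the blacklist settings in inputs.conf instead. Second, dropped events are gone for good, so before deploying a filter, search your saved searches and correlation rules for the event codes being removed; cutting license use by discarding evidence you later need in an incident is a false economy.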

