PaulDotCom mailing list archives
Re: Logrhythm & Splunk
From: Chris Keladis <ckeladis () gmail com>
Date: Sat, 21 Aug 2010 03:44:28 +1000
On Wed, Aug 18, 2010 at 5:29 PM, Ali Alhebshi <alialhebshi () gmail com> wrote:
If you work for a large organization, I wouldn't recommend Splunk. Though it's not bad to meet regulatory "log management" related requirements. If your main goal is security, you'd better consider a SIM. It's a hassle to fine-tune Splunk to meet your security requirements. Don't think of modules, most of them are in beta and don't work as they say (EVEN COMMERCIAL).
This is the crux. Splunk is too flexible, SIEMs are (generally) too inflexible, at least the ones I've worked with. Personally I'd take the lesser of the two evils and go with Splunk. You're right that it's not a SIEM outright, and will require some work to tune it for security, but I think in that process it familiarizes the operator with their logs, and with such a flexible solution as Splunk much is possible, compared to fixed searches and reports from other SIEMs.

Don't get me wrong, both have advantages and disadvantages, and in certain cases time is of the essence and folks will prefer to save time and have their correlation done by their SIEM vendor; it might not be accepted wisdom, but it does have its place in the enterprise.

Splunk does have a SIEM add-on which I haven't used and can't vouch for, but I think they're on the right track, although not "there yet".

"Modules", parsers (or Apps in Splunk-speak) are forever in beta (from any SIEM/log vendor), as logs from continuously changing brands/models/versions of devices are consumed. I think Splunk are on a winner in that regard with a "log-everything-analyze-later" approach. Other SIEMs would just error out the data as unparseable, which would be a risk in and of itself.

While there's no clear winner at this point in time, hopefully the OP has enough information to choose a solution that's right for them. :)

Cheers,
Chris.
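Chris's point about "log-everything-analyze-later" versus parsers that error out unparseable data, as an added example that is not part of the original post: a rigid parse-first ingest silently loses a DENY event from a device whose log format changed, while a store-raw ingest keeps the line and lets a later search or re-parse find it. The log lines, field names and regexes are constructed for the illustration and belong to no real product.

```python
import re

# Constructed sample lines (not from the original post). The third line comes from
# a device whose firmware update reordered the fields, so a fixed-format parser
# rejects it even though it records a DENY that an analyst would want to find.
SAMPLE_LOGS = [
    "2010-08-18T17:29:01 fw1 ACCEPT src=10.0.0.5 dst=10.0.1.9 dpt=443",
    "2010-08-18T17:29:02 fw1 DENY src=198.51.100.7 dst=10.0.1.9 dpt=22",
    "2010-08-18T17:29:03 fw2 src=198.51.100.7 dst=10.0.1.10 dpt=22 action=DENY rule=17",
]

# Rigid pattern standing in for a vendor parser that knows one exact format.
STRICT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

def parse_strict(line):
    """Return the parsed fields, or raise ValueError when the line does not match."""
    m = STRICT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable: {line!r}")
    return m.groupdict()

def ingest_parse_first(lines):
    """Fixed-schema ingest: lines that fail parsing are errored out and never stored."""
    events, dropped = [], []
    for line in lines:
        try:
            events.append({"raw": line, "fields": parse_strict(line)})
        except ValueError:
            dropped.append(line)
    return events, dropped

def ingest_log_everything(lines):
    """Store-raw ingest: every line is kept; field extraction is best-effort and redoable."""
    events = []
    for line in lines:
        try:
            fields = parse_strict(line)
        except ValueError:
            # Late-bound extraction of whatever key=value pairs are present, no schema needed.
            fields = dict(re.findall(r"(\w+)=(\S+)", line))
        events.append({"raw": line, "fields": fields})
    return events

def search_raw(events, needle):
    """Free-text search over stored raw lines, independent of whether parsing succeeded."""
    return [e for e in events if needle in e["raw"]]
```

Running both ingests over `SAMPLE_LOGS` shows the parse-first path keeping two events and dropping the reordered DENY line, while the store-raw path keeps all three and a search for "DENY" returns both denies.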