mailing list archives
Re: Logrhythm & Splunk
From: Chris Keladis <ckeladis () gmail com>
Date: Sat, 21 Aug 2010 03:44:28 +1000
On Wed, Aug 18, 2010 at 5:29 PM, Ali Alhebshi <alialhebshi () gmail com> wrote:
If you work for a large organization, I wouldn't recommend splunk. Though
it's not bad to meet regulatory "log management" related requirements. If
your main goal is security, you better consider a SIM. It's a hassle to
fine-tune Splunk to meet your security requirements. Don't think of modules,
most of them are in beta and don't work as they say (EVEN COMMERCIAL).
This is the crux. Splunk is too flexible, SIEMs are (generally) too
inflexible, at least the one's i've worked with.
Personally i'd take the lesser of the two evil's and go with Splunk.
Your right that it's not a SIEM outright, and will require some work
to tune it for security, but i think in that process it familiarizes
the operator with their logs, and with such a flexible solution as
Splunk much is possible, compared to fixed searches and reports from
Dont get me wrong, both have advantages and disadvantages, and in
certain cases, time is of the essence and folks will prefer to save
time and have their correlation done by their SIEM vendor, it might
not be accepted wisdom, but does have it's place in the enterprise.
Splunk do have an SIEM add-on which i haven't used and cant vouch for,
but i think their on the right-track although not "there-yet".
"Modules", Parsers (or Apps in Splunk-speak) are forever in beta (from
any SIEM/Log vendor) as logs from continuously changing
brands/models/versions of devices are consumed.
I think Splunk are on a winner in that regard with a
"log-everything-analyze-later" approach. Other SIEMs would just error
out the data as unparseable which would be a risk in and of itself.
While there's no clear winner at this point in time, hopefully the OP
has enough information to choose a solution that's right for the them.
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com