IT Guys - Splunk users?

Jim
Site Admin
Posts: 18170
Joined: 29 Nov 2006, 21:00
Location: Shrewsbury, MA

IT Guys - Splunk users?

Post by Jim »

Anyone on board?
Be Respectful!
This site is rated PG, No Politics, No Porn, No Bashing allowed!

Please use our Amazon Affiliate link. It costs you nothing and sends a few cents to the site.
Amazon Link!

Webbster
Posts: 2
Joined: 05 Apr 2013, 14:29
Location: Hagerstown, MD

IT Guys - Splunk users?

Post by Webbster »

Howdy. What's up?

Jim
Site Admin
Posts: 18170
Joined: 29 Nov 2006, 21:00
Location: Shrewsbury, MA

IT Guys - Splunk users?

Post by Jim »

I went to Splunk Live here in Boston. I am thinking of bringing it in house but need an opinion of someone who uses it day to day. Are you using it as a SIEM? How do you find query searches over a period of time, say 3 months?

BassAddict
Posts: 4389
Joined: 04 Aug 2007, 11:22
Location: Yet another move closer to Ahab!!!

IT Guys - Splunk users?

Post by BassAddict »

LOL, man, I read that wrong. LOL
Two stroke isn't enough, four strokes is way too many!!

chuck99z28
Posts: 28
Joined: 11 Aug 2015, 16:29

IT Guys - Splunk users?

Post by chuck99z28 »

I find Splunk to be a bit high maintenance for home use.

And that's from a guy whose home theater runs on two ESXi servers, with vCenter.

Jim
Site Admin
Posts: 18170
Joined: 29 Nov 2006, 21:00
Location: Shrewsbury, MA

IT Guys - Splunk users?

Post by Jim »

Just purchased it for my company. 250k out the door with hardware not including cold storage. It will be a beast of a SIEM and logging tool. The end result besides use for the security team will be that it will be used by the analytics team, data warehouse and even marketing.

WaltR
Posts: 11
Joined: 29 Jul 2016, 16:54

IT Guys - Splunk users?

Post by WaltR »

I'm the server security admin and spent a great deal of time investigating SIEM solutions, working with our desktop and network security admins. Splunk did not make the "C" list. I also inherited a Splunk deployment when I started at my current job. After much research, attempts to work with their tech support, and reading and searching documentation, I easily convinced my director to cancel our service contract and sever ties. Even direct intervention by our account rep, once I tracked him down, resulted in no effective support. We needed to work with Professional Services (more money). Splunk had been purchased as a Syslog server, which it does rather well, if at a very high price, because it was wicked powerful. I found them to be, and they admitted to being, extremely *nix biased. Pricing and support to include Windows logs (99% of our needs) sent the costs through the roof. They don't support it well and the documentation contradicts itself frequently. Most of it is a bad copy and paste of the documentation for the additional-cost Exchange module. They didn't even bother to do a find and replace to change Exchange to Active Directory. I determined that Splunk is a search and indexing engine that has a number of predefined configuration files and rules that they call Apps. Those need significant configuration to be of any use. After a month of struggle, I concluded that Splunk is not a product or company I wanted to work with. I can't remember another experience with a company that left me with such a bad taste in my mouth in over 35 years in IT. Googling "the Cult of Splunk" brings up some interesting results.

As far as SIEM, unless you're deeply committed to Splunk and have at least one dedicated Splunk Certified wizard, or are willing to put your organization at the mercy of a VAR and have a blank check, I'd look elsewhere. I concluded this before I started on migrating our Windows logs to Splunk. There are far better SIEM tools for less money and less work. After several months of research, we're running Proof of Concept deployments for AlienVault and LogRhythm for SIEM. Both are noted for ease of deployment and management as well as being comprehensive SIEM tools, by NSS Labs and Gartner. Gartner notes the unusually high levels of satisfaction reported by users of both products, but touts Splunk for its configurability and how large firms that are already using Splunk will feel at home. LogRhythm is based on Elasticsearch, which seems to be the biggest threat to Splunk's indexing engine.

Update: We finally settled on LogRhythm for SIEM and log aggregation. AlienVault wouldn't actually let me work with their tech support during the POC, I found some bugs for them, and I think it would struggle under a heavier load, but it has its positives and we were about to go with them until LogRhythm slashed our acquisition cost. LogRhythm is a beast in comparison to AlienVault, but tech support has been great and it's been mostly performance tuning since initial installation. We haven't taken any of the training yet, but are getting good use out of it despite that.
Walt R
Murphy was an optimist
'98 14' Lowe Ranger with 18 hp Johnson FD-19