On Wed, Aug 18, 2010 at 5:29 PM, Ali Alhebshi <[email protected]> wrote:
> If you work for a large organization, I wouldn't recommend Splunk. Though
> it's not bad to meet regulatory "log management" related requirements. If
> your main goal is security, you better consider a SIM. It's a hassle to
> fine-tune Splunk to meet your security requirements. Don't think of modules,
> most of them are in beta and don't work as they say (EVEN COMMERCIAL).

This is the crux. Splunk is too flexible, SIEMs are (generally) too inflexible, at least the ones I've worked with. Personally I'd take the lesser of the two evils and go with Splunk. You're right that it's not a SIEM outright, and will require some work to tune it for security, but I think in that process it familiarizes the operator with their logs, and with such a flexible solution as Splunk much is possible, compared to fixed searches and reports from other SIEMs.

Don't get me wrong, both have advantages and disadvantages, and in certain cases time is of the essence and folks will prefer to save time and have their correlation done by their SIEM vendor; it might not be accepted wisdom, but it does have its place in the enterprise.

Splunk do have a SIEM add-on which I haven't used and can't vouch for, but I think they're on the right track although not "there yet".

"Modules", parsers (or Apps in Splunk-speak) are forever in beta (from any SIEM/log vendor) as logs from continuously changing brands/models/versions of devices are consumed. I think Splunk are on a winner in that regard with a "log-everything-analyze-later" approach. Other SIEMs would just error out the data as unparseable, which would be a risk in and of itself.

While there's no clear winner at this point in time, hopefully the OP has enough information to choose a solution that's right for them. :)

Cheers,
Chris.

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
