IT Guys - Splunk users?

TinBoats.net

Help Support TinBoats.net:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
I went to Splunk Live here in Boston. I am thinking of brining it in house but need an opinion of someone who uses it day to day. Are you using it as a SIEM? How do you find query searches over a period of time, say 3 months?
 
I find Splunk to be a bit high maintenance for home use.

And that's from a guy who's home theater runs on two ESXi servers, with vcenter.
 
Just purchased it for my company. 250k out the door with hardware not including cold storage. It will be a beast of a SIEM and logging tool. The end result besides use for the security team will be that it will be used by the analytics team, data warehouse and even marketing.
 
I'm the server security admin and spent a great deal of time investigating SIEM solutions working with our desktop and network security admins. Splunk did not make the "C" list. I also inherited a Splunk deployment when I started at my current job. After much research, attempt to work with their tech support, reading and searching documentation, I easily convince my director to cancel our service contract and severing ties. Even direct intervention by our account rep, once I tracked him down resulted in no effective support. We needed to work with Professional Services (more money). Splunk had been purchased as a Syslog server, which it does rather well if at a very high price because it was wicked powerful. I found them to be and they admitted to be extremely *nix biased. Pricing and support to include Windows logs (99%) of our needs sent the costs through the roof. They don't support it well and the documentation contradicts itself frequently. Most of it is a bad copy and past of the documentation for the additional cost Exchange module. They didn't even bother to do a find and replace change Exchange to Active Directory. I determined that Splunk is a search and indexing engine that has a number of predefined configuration files and rules that they call Apps. Those need significant configuration to be of any use. After a month of struggle, I concluded it that Splunk not a product or company I wanted to work with. I can't remember another experience with a company that left me with such a bad taste in my mouth in over 35 years in IT. Google the Cult of Splunk and brings up some interesting results.

As far as SIEM, unless you're deeply committed to Splunk and have least one dedicated Splunk Certified wizard or willing to put your organization at the mercy of a VAR and have a blank check I'd look elsewhere. I concluded this before I started on migrating our Windows logs to Splunk. There are far better SIEM tools for less money and less work. After several months research, we're running Proof of Concept deployments for AlienVault and LogRythym for SIEM. Both are noted for ease of deployment and management as well as being comprehensive SIEM tools, by NSS Labs and Gartner. Gartner notes the unusually high levels of satisfaction reported by users of both products, but touts Splunk for its configurability and how large firms that already are using Splunk will feel at home. LogRythym, is based on Elastic Search, which seems to the biggest threat to Splunk's indexing engine.

Update: We finally settled on LogRythym for SIEM and log aggregation. AlienVault wouldn't actually let me work with their tech support during the POC, I found some bugs for them and I think it would struggle under a heavier load, but it has it's positives and we would were about to go with them until LogRhythym slashed our acquisition cost. LogRythym is a beast in comparison to Alien Vault, but tech support has been great and it's been mostly performance tuning since initial installation. We haven't taken any of the training yet, but are getting good use out of it despite that.
 

Latest posts

Top