Network Computing is part of the Informa Tech Division of Informa PLC

Rollout: Splunk 3.0: Page 2 of 4

Now, other log management vendors, such as LogLogic, are also building in support for indexing unstructured data, and purpose-built analysis products, such as security event managers from vendors like ArcSight and Intellitactics, offer many more features for data mining, event correlation, analysis and archiving. But you'll spend much more than the $5,000 starting price for the enterprise version of Splunk.

Digging For Gold

Notable changes in Splunk 3.0 are the new visualization tools, which graph event data in a variety of ways, such as over time or compared with other data. These are more than pretty pictures: a graph of rejected TCP or UDP traffic from your firewall can readily show anomalies that warrant further investigation. Graphs can be saved as reports for later review or added to dashboards. In tests, we created a trend graph of TCP ports dropped over the past day and built a dashboard dedicated to security events.

Building queries and creating dashboards does require getting cozy with your log data. Splunk's index searching, already powerful, is improved on by enhancements to event typing. An event type is really just a keyword for a specific index search that can be used to conduct searches and build reports. Once you've defined a search that shows the events you're interested in, you can turn it into an event type. We built two searches that showed only dropped TCP and dropped UDP packets on our firewall. We then created a report that displayed the trend over time for each. Event types are a simple way to reclassify search results into something meaningful.

Splunk 3.0 can also parse an event string into fields, which is useful in reports. For example, our Sonicwall firewall logs were automatically parsed into fields, allowing us to create a report of destination IPs over time. Other sources of events, like our Snort 2.6 IDS, had no parsed fields. We could still perform keyword searching on Snort events, but we couldn't use fields in reports. Field parsing uses regular expressions to break the event string into fields—a difficult task if you're not used to writing complex regular expressions. If you want to have multiple Splunk installations performing the same field parsing, you can create a bundle, which is a set of configuration files, and distribute them.
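To make the three ideas above concrete (regex field extraction, event types as saved searches, and the "dropped TCP over time" and "destination IPs over time" reports), here is an added illustration in Python. It is not Splunk's code and does not use Splunk's configuration format; the sample log lines are constructed for this example, and their syslog-style layout and key=value fields are assumptions rather than the documented SonicWall or Snort formats. It also shows what happens to an event no field regex recognises: it keeps only the header fields, so it can still be found by keyword but cannot feed a field-based report.

```python
import re
from collections import Counter

# Constructed sample events (not real captures). Layout is assumed for
# illustration, not the vendors' documented formats.
SAMPLE_EVENTS = [
    '2007-09-12T10:02:11 fw1 msg="Connection dropped" proto=tcp src=10.0.0.5:51234 dst=203.0.113.7:22',
    '2007-09-12T10:04:52 fw1 msg="Connection dropped" proto=udp src=10.0.0.9:51000 dst=203.0.113.7:161',
    '2007-09-12T10:41:03 fw1 msg="Connection allowed" proto=tcp src=10.0.0.5:51300 dst=198.51.100.20:443',
    '2007-09-12T11:15:27 fw1 msg="Connection dropped" proto=tcp src=10.0.0.5:51301 dst=203.0.113.7:23',
    '2007-09-12T11:16:00 ids1 snort[1234]: [1:2003:8] ET SCAN Potential SSH Scan '
    '[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51302 -> 203.0.113.7:22',
]

# Every event starts with a timestamp and a host; the body is source-specific.
HEADER_RE = re.compile(r'^(?P<timestamp>\S+)\s+(?P<host>\S+)\s+(?P<body>.*)$')
# Firewall body: quoted or bare key=value pairs.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# Snort-style body: signature id, message, priority, protocol and endpoints.
SNORT_RE = re.compile(
    r'snort\[\d+\]:\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[Classification:.*?\]'
    r'\s+\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)


def extract_fields(event):
    """Break one raw event string into a dict of named fields.

    Always returns '_raw'; adds 'timestamp' and 'host' when the header
    matches, and source-specific fields plus a 'sourcetype' when a body
    regex matches. Unrecognised bodies keep only the header fields.
    """
    fields = {'_raw': event}
    header = HEADER_RE.match(event)
    if not header:
        return fields
    fields['timestamp'] = header.group('timestamp')
    fields['host'] = header.group('host')
    body = header.group('body')

    snort = SNORT_RE.match(body)
    if snort:
        fields.update(snort.groupdict())
        fields['proto'] = fields['proto'].lower()   # normalise to firewall style
        fields['sourcetype'] = 'snort'
    else:
        pairs = {}
        for kv in KV_RE.finditer(body):
            quoted, bare = kv.group('quoted'), kv.group('bare')
            pairs[kv.group('key')] = quoted if quoted is not None else bare
        if pairs:
            fields.update(pairs)
            fields['sourcetype'] = 'firewall'

    # Split "ip:port" endpoints so reports can group on the address alone.
    for ep in ('src', 'dst'):
        if ep in fields and ':' in fields[ep]:
            ip, port = fields[ep].rsplit(':', 1)
            fields[ep + '_ip'], fields[ep + '_port'] = ip, port
    return fields


# An event type is a name for a saved search; here each search is a predicate.
EVENT_TYPES = {
    'fw_dropped_tcp': lambda f: f.get('sourcetype') == 'firewall'
                                and f.get('msg') == 'Connection dropped'
                                and f.get('proto') == 'tcp',
    'fw_dropped_udp': lambda f: f.get('sourcetype') == 'firewall'
                                and f.get('msg') == 'Connection dropped'
                                and f.get('proto') == 'udp',
    'ids_alert':      lambda f: f.get('sourcetype') == 'snort',
}


def event_types_for(fields):
    """Tag an event with every event type whose saved search matches it."""
    return [name for name, matches in EVENT_TYPES.items() if matches(fields)]


def hour_bucket(fields):
    return fields['timestamp'][:13]   # 'YYYY-MM-DDTHH'


def trend(events, event_type):
    """Count matching events per hour: the 'dropped TCP over time' report."""
    counts = Counter()
    for raw in events:
        fields = extract_fields(raw)
        if event_type in event_types_for(fields):
            counts[hour_bucket(fields)] += 1
    return dict(sorted(counts.items()))


def destinations_over_time(events):
    """The 'destination IPs over time' report; events without a dst field drop out."""
    counts = Counter()
    for raw in events:
        fields = extract_fields(raw)
        if 'dst_ip' in fields:
            counts[(hour_bucket(fields), fields['dst_ip'])] += 1
    return dict(sorted(counts.items()))


if __name__ == '__main__':
    for name in EVENT_TYPES:
        print(name, trend(SAMPLE_EVENTS, name))
    print(destinations_over_time(SAMPLE_EVENTS))
```

The design mirrors the page's workflow: the regexes do the field parsing, the predicates in EVENT_TYPES play the role of event types built from saved searches, and the two report functions are the trend-over-time views. Adding a new source means adding one regex and, if wanted, one event type, which is the kind of per-source configuration the page says you would package in a bundle for other installations.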