topic Re: Logs directly to Splunk? in Installation

Is it better to send logs directly to Splunk?

toddehb — Mon, 31 Jul 2023 18:46:26 GMT

Hi, I am new to SIEM products. Does it make sense to sent all logs to Graylog first and from there to eg. Splunk or OSSIN? Or is it better to directly forward logs from the endpoints to SIEM?

Re: Logs directly to Splunk?

gcusello — Mon, 31 Jul 2023 06:14:10 GMT

Hi @toddehb,

you are asking the innkeeper if the wine is good!

obviously We'll hint to use only Splunk as log management also because Splunk is the leader in SIEM and log management solutions and Greylog not.

In addition, having all logs in Splunk you can use them for your security and visibility searches in Splunk.

The only problem (I don't know the cost of Greylog) is that You pay Splunk license for the volume of indexed logs, so you pay more increasing the indexed logs, and to have a SIEM, you need to buy also a Premium app called Enterprise Security.

I worked with more SIEMs and I didn't find comaparble products, but as I said, I'm one of the innkeeper.

On this site you can find a comparison between Greylog to Splunk (https://www.capterra.it/software/183539/graylog) and this is a comparison between log management systems, Splunk in addition is also a SIEM (Using Enterprise Security), Greylog not!

Ciao.

Giuseppe

Re: Logs directly to Splunk?

toddehb — Mon, 31 Jul 2023 06:32:51 GMT

@gcusello

Thanks. I read something, that graylog could normalize the logs and that would be better for splunk to work with. Don't know if it's true. For me it wouldn't make any difference. It is for my home lab and as I found out one can use Splunk with 500MB of logs for free. Think for at home that should be sufficient.

Re: Logs directly to Splunk?

gcusello — Mon, 31 Jul 2023 06:40:28 GMT

Hi @toddehb,

ok, good for you, remember that in this way, you cannot have the SIEM full features because you cannot use the Enterprise Security App, even if you can install two free apps:

Splunk Security Essentials (https://splunkbase.splunk.com/app/3435)
Splunk Alert Manager https://splunkbase.splunk.com/app/2665

and in this way create your own SIEM.

Ciao.

Giuseppe

Re: Is it better to send logs directly to Splunk?

Simple_Search — Tue, 01 Aug 2023 18:48:44 GMT

Two Cents - Depending on your operating environment, sending logs to a third party processor may be best as this will give you the ability to archive off your logs prior to the ingestion from Splunk in their rawest form (if required). Once data is indexed by Splunk the data cannot be considered pure as it could be modified via the Props/Transform command.

Re: Is it better to send logs directly to Splunk?

toddehb — Wed, 02 Aug 2023 05:58:53 GMT

Thanks for your Input.

Re: Is it better to send logs directly to Splunk?

gcusello — Wed, 02 Aug 2023 06:05:54 GMT

Hi @toddehb ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉