We're looking for a solution that will help us do many different things:
Most of our environment is virtual, but can the Splunk App for VMWare also monitor physical machines?
We also want a solution that doesn't take a lot of configuration and tweaking. We are the helpdesk as well as all other aspects of IT, so we need to be available to help our end users when they need us.
I appreciate feedback on whether or not Splunk will help us accomplish what we're looking to get set up.
Those are general questions, but answerable. Basically Splunk analyses logs, and the rules are pretty simple. If you are collecting the logs, and the logs have the information you’re looking for then:
1) Yes, if the logs contain useful messages. Splunk is very good at showing you events for specific time periods.
2) Yes, if there is a log that precedes the outage, then an alert can be configured to trigger on that event.
3) Yes, if the system is configured to record file changes, then Splunk can show them to you.
Regarding (2) - if you mean an actual server outage as in dropping off the network or OS crash, Splunk won't know about this as it isn't actively polling anything. You could feasibly do this by setting up alerts based on switchport linkdown messages but this could quickly become unwieldy and difficult to manage.
For polling and alerting you'd really need to be looking at something like SolarWinds/Whatsup/Zabbix/HP NNMi/OVO etc.
Splunk will definitely cover the log analysis requirements though, it's very flexible.
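An added example (not code from the thread or from Splunk) of the two points the answers make: an event-triggered alert fires only when a precursor message such as a linkdown is actually logged, while a host that crashes or drops off the network writes nothing, so only a last-seen gap check notices it. The log lines, host names and patterns are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (timestamp, host, message).
SAMPLE_LOGS = """\
2012-03-01T10:00:00 sw01 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to up
2012-03-01T10:00:05 app01 sshd[1201]: Accepted publickey for svc from 10.0.0.5
2012-03-01T10:01:10 app01 kernel: ext4 error: I/O error on device sda1
2012-03-01T10:02:00 sw01 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down
2012-03-01T10:02:30 db01 sshd[1300]: Accepted publickey for svc from 10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

# Hypothetical precursor patterns: messages that tend to precede an outage.
PRECURSORS = {
    "link_down": re.compile(r"changed state to down"),
    "disk_io_error": re.compile(r"I/O error on device"),
}


def parse(text):
    """Split raw lines into (timestamp, host, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, msg))
    return events


def precursor_alerts(events):
    """Event-triggered alerting: fires only when a matching message is logged."""
    alerts = []
    for ts, host, msg in events:
        for name, pat in PRECURSORS.items():
            if pat.search(msg):
                alerts.append((name, host, ts))
    return alerts


def silent_hosts(events, now, max_gap):
    """Gap check: hosts whose newest event is older than max_gap. This is the
    polling-style question the answers say log matching alone cannot answer."""
    last_seen = {}
    for ts, host, _ in events:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)
```

Note that db01 never logs anything alarming, so `precursor_alerts` says nothing about it; only `silent_hosts` would flag it once its logs stop.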
Thanks for your help. We decided to implement an OpenNMS monitoring system. We're going to hold off on Splunk for now. Thanks for your help!