We have a rather small Splunk license but this has suited us for quite a while.
Now we're experimenting with the *NIX app on Linux and quickly discovered that it chews up our license fast.
I know the *NIX app can be tweaked; some features enabled/disabled, polling intervals changed, etc... Does anyone have any recommendations for this? Are there features of the *NIX app you simply do not need/use? Are the default polling intervals too short? I realize everyone's needs are different, I'm just trying to get an idea of what people are doing.
Thanks!
One thing on unix based machines I found very helpful was monitoring of the /home/*/.history and /root/.history files. That way it is hard for the developer/admin to come back and say the system is broken and I didn't do anything. While it isn't real time, it is nice to have a record of what they have done.
Thanks for the tip. We actually tried something like that on AIX but, unfortunately, AIX puts binary characters in their .sh_history files. Would definitely be interested in doing that on Linux though. Thanks!
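As an added example that is not part of the original thread, here is how both points above (trimming what the *NIX app sends, and the answer's history-file monitoring) look in a forwarder-side `local/inputs.conf`. The file path, the index and sourcetype names, and the intervals are assumptions; the script stanza names follow the *NIX app's `default/inputs.conf` conventions (`cpu.sh`, `ps.sh`, and so on), so check the installed app for the exact stanzas before copying them.

```ini
# Added example, not the *NIX app's shipped config.
# Assumed location: $SPLUNK_HOME/etc/apps/<unix-app>/local/inputs.conf
# Settings here override the app's default/inputs.conf stanza by stanza.

# --- Trimming license usage ---
# ps.sh, top.sh and lsof.sh emit one line per process (or open file) on
# every poll; on a busy host that is most of the app's daily volume.
# Disable whatever you do not actually chart or alert on.
[script://./bin/ps.sh]
disabled = 1

[script://./bin/top.sh]
disabled = 1

[script://./bin/lsof.sh]
disabled = 1

# Keep the cheap, single-line metrics but poll every 5 minutes
# instead of the app's default 30/60 seconds (interval is in seconds).
[script://./bin/cpu.sh]
interval = 300

[script://./bin/vmstat.sh]
interval = 300

[script://./bin/df.sh]
interval = 3600

# Inventory-style inputs change rarely; once a day is enough.
[script://./bin/package.sh]
interval = 86400

[script://./bin/hardware.sh]
interval = 86400

# --- Shell history monitoring (the answer's suggestion) ---
# Monitor stanzas accept wildcards, so one stanza covers every home dir.
# Bash writes .bash_history; adjust the file name for ksh/sh (.sh_history).
[monitor:///root/.bash_history]
sourcetype = shell_history
index = os

[monitor:///home/*/.bash_history]
sourcetype = shell_history
index = os
```

Two things to check after deploying it. First, history files are normally mode 0600, so the forwarder has to run as root (or the files' permissions relaxed) or the monitor silently reads nothing. Second, bash only appends to its history file when the shell exits unless `PROMPT_COMMAND='history -a'` is set, and a user can unset `HISTFILE` altogether; treat this feed as a convenience record of who ran what, not as an audit trail, and use auditd if you need the authoritative version. To see which input is actually eating the license before and after the change, the per-sourcetype figures are in `index=_internal source=*license_usage.log type=Usage` on the license master.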