Solved: Is it better to send logs directly to Splunk?

toddehb · ‎07-30-2023

Hi, I am new to SIEM products. Does it make sense to sent all logs to Graylog first and from there to eg. Splunk or OSSIN? Or is it better to directly forward logs from the endpoints to SIEM?

Simple_Search · ‎08-01-2023

Two Cents - Depending on your operating environment, sending logs to a third party processor may be best as this will give you the ability to archive off your logs prior to the ingestion from Splunk in their rawest form (if required). Once data is indexed by Splunk the data cannot be considered pure as it could be modified via the Props/Transform command.

View solution in original post

gcusello · ‎08-01-2023

Hi @toddehb ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Simple_Search · ‎08-01-2023

Two Cents - Depending on your operating environment, sending logs to a third party processor may be best as this will give you the ability to archive off your logs prior to the ingestion from Splunk in their rawest form (if required). Once data is indexed by Splunk the data cannot be considered pure as it could be modified via the Props/Transform command.

toddehb · ‎08-01-2023

Thanks for your Input.

gcusello · ‎07-30-2023

Hi @toddehb,

you are asking the innkeeper if the wine is good!

obviously We'll hint to use only Splunk as log management also because Splunk is the leader in SIEM and log management solutions and Greylog not.

In addition, having all logs in Splunk you can use them for your security and visibility searches in Splunk.

The only problem (I don't know the cost of Greylog) is that You pay Splunk license for the volume of indexed logs, so you pay more increasing the indexed logs, and to have a SIEM, you need to buy also a Premium app called Enterprise Security.

I worked with more SIEMs and I didn't find comaparble products, but as I said, I'm one of the innkeeper.

On this site you can find a comparison between Greylog to Splunk (https://www.capterra.it/software/183539/graylog) and this is a comparison between log management systems, Splunk in addition is also a SIEM (Using Enterprise Security), Greylog not!

Ciao.

Giuseppe

toddehb · ‎07-30-2023

@gcusello

Thanks. I read something, that graylog could normalize the logs and that would be better for splunk to work with. Don't know if it's true. For me it wouldn't make any difference. It is for my home lab and as I found out one can use Splunk with 500MB of logs for free. Think for at home that should be sufficient.

gcusello · ‎07-30-2023

Hi @toddehb,

ok, good for you, remember that in this way, you cannot have the SIEM full features because you cannot use the Enterprise Security App, even if you can install two free apps:

Splunk Security Essentials (https://splunkbase.splunk.com/app/3435)
Splunk Alert Manager https://splunkbase.splunk.com/app/2665

and in this way create your own SIEM.

Ciao.

Giuseppe

Is it better to send logs directly to Splunk?

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio