Is it better to send logs directly to Splunk?

toddehb
Engager

Hi, I am new to SIEM products. Does it make sense to send all logs to Graylog first and from there to e.g. Splunk or OSSIN? Or is it better to directly forward logs from the endpoints to the SIEM?


Simple_Search
Path Finder

Two cents: depending on your operating environment, sending logs to a third-party processor may be best, as this gives you the ability to archive your logs in their rawest form prior to ingestion by Splunk (if required). Once data is indexed by Splunk, the data cannot be considered pure, as it could have been modified via the props/transforms configuration.

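To illustrate the point above, here is a constructed props.conf/transforms.conf pair (example configuration added here, not from the original post) showing how Splunk can rewrite or drop events before they are indexed. The sourcetype name, regex and redaction values are assumptions for the example.

```ini
# props.conf (constructed example): index-time changes for a hypothetical sourcetype.
[lab:syslog]
# SEDCMD rewrites _raw before it is written to the index, so the indexed copy
# no longer matches what the endpoint actually sent.
SEDCMD-mask_auth = s/(Authorization: Bearer )\S+/\1[REDACTED]/g
# TRANSFORMS hands matching events to a transforms.conf stanza, here to discard them.
TRANSFORMS-drop_noise = drop_keepalives

# transforms.conf (constructed example): events matching REGEX never reach the index.
[drop_keepalives]
REGEX = keepalive
DEST_KEY = queue
FORMAT = nullQueue
```

Either change is invisible when searching the index afterwards, which is why keeping an untouched archive upstream matters if you need the original record.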

gcusello
SplunkTrust

Hi @toddehb ,

Good for you, see you next time!

Ciao and happy Splunking,

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


toddehb
Engager

Thanks for your input.

gcusello
SplunkTrust

Hi @toddehb,

You are asking the innkeeper if the wine is good!

Obviously we'll suggest using only Splunk as log management, also because Splunk is the leader in SIEM and log management solutions and Graylog is not.

In addition, having all logs in Splunk you can use them for your security and visibility searches in Splunk.

The only problem (I don't know the cost of Graylog) is that you pay the Splunk license for the volume of indexed logs, so you pay more as the indexed logs increase, and to have a SIEM you also need to buy a premium app called Enterprise Security.

I have worked with several SIEMs and I didn't find comparable products, but as I said, I'm one of the innkeepers.

On this site you can find a comparison between Graylog and Splunk (https://www.capterra.it/software/183539/graylog); this is a comparison between log management systems, but Splunk in addition is also a SIEM (using Enterprise Security), and Graylog is not!

Ciao.

Giuseppe


toddehb
Engager

@gcusello 

Thanks. I read somewhere that Graylog could normalize the logs and that this would make it easier for Splunk to work with them. I don't know if it's true. For me it wouldn't make any difference. It is for my home lab, and as I found out, one can use Splunk with 500MB of logs per day for free. I think that should be sufficient for home use.


gcusello
SplunkTrust

Hi @toddehb,

OK, good for you. Remember that in this way you cannot have the full SIEM features, because you cannot use the Enterprise Security app, even if you can install two free apps:

and in this way create your own SIEM.

Ciao.

Giuseppe
