
Is it better to send logs directly to Splunk?

toddehb
Engager

Hi, I am new to SIEM products. Does it make sense to send all logs to Graylog first and from there to e.g. Splunk or OSSIN? Or is it better to directly forward logs from the endpoints to the SIEM?


Simple_Search
Path Finder

Two cents: depending on your operating environment, sending logs to a third-party processor may be best, as this will give you the ability to archive your logs in their rawest form prior to ingestion by Splunk (if required). Once data is indexed by Splunk, the data cannot be considered pure, as it could be modified via the props/transforms configuration.

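The archive-before-ingest idea from the answer above, as an added example that is not code from this thread or from Splunk: raw events are hash-chained to an archive first, then a Splunk-style index-time `SEDCMD` rewrite (props.conf syntax) is applied, so the indexed copy visibly differs from what the endpoint sent while the archive still verifies. The sample events and the `SEDCMD` value are constructed for illustration, and Python's `re` stands in for the PCRE engine Splunk uses.

```python
"""Archive-before-ingest demo: keep an integrity-protected raw copy of each
event, then apply a Splunk-style SEDCMD rewrite to show how the indexed copy
can diverge from what the endpoint sent (the props/transforms point above)."""
import hashlib
import re

# Constructed sample events, not real data, as they would arrive from an endpoint.
RAW_EVENTS = [
    "Aug 12 10:01:02 host1 sshd[812]: Failed password for root from 203.0.113.7 port 4022 ssh2",
    "Aug 12 10:01:05 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Aug 12 10:01:09 host1 app: card=4111111111111111 status=declined",
]
# Assumed index-time rewrite in props.conf SEDCMD syntax (s/<regex>/<replacement>/<flags>):
#   [my_sourcetype]
#   SEDCMD-mask_pan = s/card=\d{12}(\d{4})/card=XXXXXXXXXXXX\1/g
SEDCMD = r"s/card=\d{12}(\d{4})/card=XXXXXXXXXXXX\1/g"

def parse_sedcmd(sedcmd):
    """Split 's/regex/replacement/flags' into parts; only the s/// form with optional g is handled."""
    m = re.fullmatch(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)", sedcmd)
    if not m:
        raise ValueError(f"unsupported SEDCMD: {sedcmd}")
    return m.group(1), m.group(2), m.group(3)

def apply_sedcmd(event, sedcmd):
    """Apply the rewrite as an indexer would; the result is what lands in _raw (Python re stands in for PCRE)."""
    regex, repl, flags = parse_sedcmd(sedcmd)
    return re.sub(regex, repl, event, count=0 if flags == "g" else 1)

def archive_raw(events):
    """Hash-chain the raw events so the pre-ingestion copy can be verified later."""
    chain, archived = hashlib.sha256(b"").hexdigest(), []
    for ev in events:
        chain = hashlib.sha256((chain + ev).encode()).hexdigest()
        archived.append((ev, chain))
    return archived

def verify_archive(archived):
    """Recompute the chain; any edited or dropped raw event breaks it."""
    chain = hashlib.sha256(b"").hexdigest()
    for ev, stored in archived:
        chain = hashlib.sha256((chain + ev).encode()).hexdigest()
        if chain != stored:
            return False
    return True

def ingest(events, sedcmd=SEDCMD):
    """Archive raw first, then produce the indexed (rewritten) copies."""
    return archive_raw(events), [apply_sedcmd(ev, sedcmd) for ev in events]
```

Calling `ingest(RAW_EVENTS)` returns the verifiable raw archive alongside the indexed copies; the third event's card number is masked only in the indexed copy.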

gcusello
SplunkTrust
SplunkTrust

Hi @toddehb,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉



toddehb
Engager

Thanks for your input.

gcusello
SplunkTrust
SplunkTrust

Hi @toddehb,

you are asking the innkeeper if the wine is good!

Obviously we'll hint to use only Splunk as log management, also because Splunk is the leader in SIEM and log management solutions and Graylog is not.

In addition, having all logs in Splunk, you can use them for your security and visibility searches in Splunk.

The only problem (I don't know the cost of Graylog) is that you pay the Splunk license for the volume of indexed logs, so you pay more as the indexed logs increase, and to have a SIEM you also need to buy a premium app called Enterprise Security.

I worked with more SIEMs and I didn't find comparable products, but as I said, I'm one of the innkeepers.

On this site you can find a comparison between Graylog and Splunk (https://www.capterra.it/software/183539/graylog). This is a comparison between log management systems; Splunk in addition is also a SIEM (using Enterprise Security), Graylog is not!

Ciao.

Giuseppe


toddehb
Engager

@gcusello 

Thanks. I read something that Graylog could normalize the logs and that would be better for Splunk to work with. Don't know if it's true. For me it wouldn't make any difference. It is for my home lab, and as I found out, one can use Splunk with 500MB of logs for free. I think for home use that should be sufficient.

gcusello
SplunkTrust
SplunkTrust

Hi @toddehb,

OK, good for you. Remember that in this way you cannot have the full SIEM features, because you cannot use the Enterprise Security app, even if you can install two free apps:

and in this way create your own SIEM.

Ciao.

Giuseppe
