Splunk: The log expert
Overall Satisfaction with Splunk Enterprise
Splunk Enterprise is a brilliant tool that we use in the University of Colorado, Denver to analyze logs obtained from various sources. Our team is responsible for maintaining the security of our campus and the University of Colorado, Anschutz medical campus.
The log sources are typically firewall logs, email logs, logs from the Intrusion detection system (IDS), logs of different services running on the google cloud, etc. It offers a very easy interface and a query language. We can build our own alarm rule and UI within it for visualization. The rules will run at a time defined by the user and will send metrics to the email. It helped in automating blacklisting as now we can get the most troublesome IP addresses and block them in a minute. It also helped us in tracing a list of most vulnerable on the campus. The most powerful feature is the correlation of log sources. Correlation of log sources is a very taxing process for any software. Splunk handles this gracefully. By correlating firewall traffic, wireless and IDS traffic we once spotted a machine that had a trojan in it and was trying to spread itself laterally through open SMB ports.
The log sources are typically firewall logs, email logs, logs from the Intrusion detection system (IDS), logs of different services running on the google cloud, etc. It offers a very easy interface and a query language. We can build our own alarm rule and UI within it for visualization. The rules will run at a time defined by the user and will send metrics to the email. It helped in automating blacklisting as now we can get the most troublesome IP addresses and block them in a minute. It also helped us in tracing a list of most vulnerable on the campus. The most powerful feature is the correlation of log sources. Correlation of log sources is a very taxing process for any software. Splunk handles this gracefully. By correlating firewall traffic, wireless and IDS traffic we once spotted a machine that had a trojan in it and was trying to spread itself laterally through open SMB ports.
Pros
- It is very useful in creating custom rules for analyzing system logs and display relevant information. The query language is very easy to learn.
- We can create custom UI to visualize the output of our data. The interface is very flexible. It also allows the sharing of rules among users.
- There is an open online community to help others. Stackoverflow also has a splunk community. These resources make it more convenient to learn.
Cons
- They can introduce a query builder for non-technical users.
- The query error messages could be more specific.
- Ease of collecting IP for blacklisting.
- Generation of metrics against compromised accounts based on location and time of the year. It helped in launching phishing education campaign before hitting the most vulnerable month of the year.
- It helped in neutralizing vulnerable word-press sites across the campus, leading to the decrease of account compromise.
Splunk is a very useful, lightweight and simple tool to analyze logs. As a computer science student who loves coding, it is much more convenient to use. I can build custom queries for myself or a subset of the users. The language is much simpler than SQL and is much faster as well for large amounts of data. It is highly scalable and with a customizable dashboard, it becomes even more useful than LogRhythm which is not that flexible.
Do you think Splunk Enterprise delivers good value for the price?
Yes
Are you happy with Splunk Enterprise's feature set?
Yes
Did Splunk Enterprise live up to sales and marketing promises?
Yes
Did implementation of Splunk Enterprise go as expected?
Yes
Would you buy Splunk Enterprise again?
Yes
Comments
Please log in to join the conversation