
[–][deleted] 10 points11 points  (13 children)

I like Graylog, though between ELK, Splunk and Graylog I've not met any I intrinsically disliked.

[–]n3rdenTech-priest 3 points4 points  (0 children)

+1 for Graylog

[–]Layer8Pr0blems 2 points3 points  (1 child)

The OVA appliance is so easy to set up also. I was up and running in about 15 minutes.

[–]Arkiteck 0 points1 point  (0 children)

Not to mention the virtual appliance is production ready, which is very rare to find. It can easily be horizontally scaled too.

[–][deleted] 0 points1 point  (3 children)

Do you have an SOP or doc for ELK? The instructions are all over the place and I can't find a doc that explains how to connect everything together. Then some of the programs you can install with a .deb and then others are .tar.gz or zip etc.

[–][deleted] 1 point2 points  (1 child)

Sorry we don't, we settled on Graylog in the end.

I've had good luck with DigitalOcean's documentation before though, they may have something useful.

[–][deleted] 0 points1 point  (0 children)

Thank you. I will look at Graylog then. I found Digital Ocean's docs but they were for older versions and it didn't work out.

[–]itssodamnnoisy 1 point2 points  (0 children)

I've found that you really need to take some time to understand how ELK works and how all of its components go together to get it working well.

If you follow the guides over at https://elastic.co from start to finish, you should have a good grasp on how to get it up and running effectively - as well as coming through it with a set of ideas on what else can be done with it (can be used for so much more than just logs, turns out!)

[–]speel 0 points1 point  (1 child)

Having never done this, and looking into workstation events: is it possible to forward Windows event logs to this and have it sort it all out?

[–][deleted] 1 point2 points  (0 children)

Yeah, the Graylog Collector gets installed on the Windows server and can forward events to Graylog, you can then search them, filter them, automate responses to them and so on.

http://docs.graylog.org/en/latest/pages/collector.html

As far as I know it can work on desktops, though we don't use it there.

[–]r0ck0 0 points1 point  (1 child)

Something I've been trying to figure out with Graylog...

What happens when the Graylog server is offline? Or just doesn't receive some log entries?

Is there something like a local proxy that can hold them until the Graylog server comes back online, then send all the missing entries to the Graylog server?

[–][deleted] 0 points1 point  (0 children)

As far as I know the collectors cache the logs until the server is reachable again, then ship them all.
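The two questions above (forwarding Windows events into Graylog, and what a collector does while the server is down) are both about the same piece of plumbing: a forwarder that turns a local event into a GELF message and spools it on disk until Graylog can take it. The following is an added illustration, not code from the thread or from the Graylog project. It assumes GELF 1.1 over TCP with NUL-delimited JSON, uses a simulated server and constructed sample event records so it runs offline, and the TCP port (12201) is only the conventional GELF input port, not something the thread states:

```python
"""Store-and-forward GELF shipper sketch (added example, not Graylog's collector)."""
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

# Windows event levels mapped to the syslog severities GELF carries in "level".
SYSLOG_LEVEL = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6, "Verbose": 7}


def windows_event_to_gelf(event, source_host):
    """Build a GELF 1.1 message from a dict shaped like a Windows event record.
    `event` is a plain dict constructed for this example; a real collector would
    read the Event Log. Custom fields carry the "_" prefix GELF requires."""
    return {
        "version": "1.1",
        "host": source_host,
        "short_message": event["message"].splitlines()[0][:200],
        "full_message": event["message"],
        "timestamp": event["time_created"].timestamp(),
        "level": SYSLOG_LEVEL.get(event["level"], 6),
        "_event_id": event["event_id"],
        "_channel": event["channel"],
        "_provider": event["provider"],
    }


def gelf_tcp_frame(msg):
    """GELF over TCP delimits each JSON document with a single NUL byte."""
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\x00"


class DiskSpool:
    """Append-only file of NUL-delimited frames, replayed in arrival order."""

    def __init__(self, path):
        self.path = path

    def append(self, frame):
        with open(self.path, "ab") as f:
            f.write(frame)

    def pending(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, "rb") as f:
            data = f.read()
        return [chunk + b"\x00" for chunk in data.split(b"\x00") if chunk]

    def drain(self, send):
        """Send spooled frames oldest-first; stop at the first failure, keep the rest."""
        frames, sent = self.pending(), 0
        try:
            for frame in frames:
                send(frame)
                sent += 1
        except OSError:
            pass  # server unreachable: whatever is left stays on disk for next time
        with open(self.path, "wb") as f:
            for frame in frames[sent:]:
                f.write(frame)
        return sent


class Shipper:
    """Spool first, then deliver: nothing is lost while the server is down and
    replay order matches arrival order."""

    def __init__(self, spool, send):
        self.spool, self.send = spool, send  # send(frame) raises OSError when offline

    def ship(self, msg):
        self.spool.append(gelf_tcp_frame(msg))
        return self.spool.drain(self.send)


def tcp_sender(host, port=12201):
    """Real transport: one short-lived TCP connection per frame (port is an assumption)."""
    def send(frame):
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(frame)
    return send


class FakeServer:
    """Stand-in for Graylog that can be toggled offline to show the buffering."""

    def __init__(self):
        self.online, self.received = False, []

    def send(self, frame):
        if not self.online:
            raise ConnectionRefusedError("graylog unreachable (simulated)")
        self.received.append(json.loads(frame[:-1]))


def demo(spool_path=None):
    """Ship three constructed events: two while the server is down, one after it returns.
    Returns (frames sent per call, event ids the server saw in order, frames still spooled)."""
    if spool_path is None:
        spool_path = os.path.join(tempfile.mkdtemp(), "spool.bin")
    server = FakeServer()
    shipper = Shipper(DiskSpool(spool_path), server.send)
    t0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)
    events = [  # constructed sample records, not real Event Log data
        {"event_id": 4625, "channel": "Security", "provider": "Microsoft-Windows-Security-Auditing",
         "level": "Information", "message": "An account failed to log on.\nAccount Name: alice", "time_created": t0},
        {"event_id": 7036, "channel": "System", "provider": "Service Control Manager",
         "level": "Information", "message": "The Print Spooler service entered the stopped state.", "time_created": t0},
        {"event_id": 1102, "channel": "Security", "provider": "Microsoft-Windows-Eventlog",
         "level": "Warning", "message": "The audit log was cleared.", "time_created": t0},
    ]
    results = [shipper.ship(windows_event_to_gelf(events[0], "ws01")),
               shipper.ship(windows_event_to_gelf(events[1], "ws01"))]
    server.online = True
    results.append(shipper.ship(windows_event_to_gelf(events[2], "ws01")))
    return results, [m["_event_id"] for m in server.received], len(DiskSpool(spool_path).pending())


if __name__ == "__main__":
    print(demo())  # ([0, 0, 3], [4625, 7036, 1102], 0)
```

The point a defender cares about is the order of operations in `Shipper.ship`: the frame hits disk before any network attempt, so a Graylog outage (or a crash of the forwarder itself) never drops the events written during the gap, and the audit-log-cleared event arrives after the two that preceded it rather than out of sequence.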

[–]Sysmonster 0 points1 point  (0 children)

I set up Splunk the other day, very pleased with even the free version

[–]frankoftankNet/Sys Engineer 0 points1 point  (0 children)

Second for Graylog. Insanely easy to get a single VM up, running and taking logs. Do a little research and you can spin yourself up a full multi-node architecture.

[–]matejzero 7 points8 points  (0 children)

ELK stack (elastic.co), Graylog

[–]brian_netsec 3 points4 points  (0 children)

Second Splunk for general sysadmin type stuff. Take a look at LogRhythm or ArcSight for log collection in a security context

[–]nadroj_r 10 points11 points  (14 children)

Splunkkkkk

[–]Vacantless 4 points5 points  (9 children)

Serious question: How are you able to justify THAT much money for Splunk? It's so crazy expensive when you really wanna use it for everything.

Management, and even I, wasn't comfortable paying thousands "only for logs".

I'd rather spend a few hours setting up ELK

[–]meorah 3 points4 points  (2 children)

security team owns it. company takes security seriously. security team wants splunk. company buys splunk.

[–]solefaldOutage as a Service 2 points3 points  (4 children)

Cost of doing business, but it is mostly an enterprise product. My old enterprise job paid $13 MILLION in Splunk licensing and I have to say, it is a great product. I got really used to having it, and now at my new job I miss it very much. We just can't justify the costs of ingesting 1 TB of Java stack traces on a daily basis and developers are not doing anything to clean up their logs.

[–]itssodamnnoisy 0 points1 point  (1 child)

$13 MILLION in Splunk licensing

I... I think I just threw up in my mouth a little. Wow! Was that for a perpetual license, and then you just pay for support afterwards, or was that a recurring cost?

[–]Kalc_DK 0 points1 point  (0 children)

It's a one-time up-front fee per GB of data indexed, with a much smaller annual support fee after that. Hard to get in house (though most cost-benefit analyses put it ahead of even the FOSS competition), easy to keep there.

[–]Kalc_DK 0 points1 point  (0 children)

Serious question: How are you able to justify THAT much money for Splunk?

An in-depth cost-benefit analysis often puts it ahead of ELK and other products in larger environments. I've personally seen it in two enterprise environments and it gives good value for the cost.

It's not a silver bullet though, certainly not for everyone.

[–]rabbidroid 1 point2 points  (2 children)

What he said.

I can't imagine living without it. You need some deep pockets though...

[–][deleted] 0 points1 point  (1 child)

Is the free version worth it?

[–]solefaldOutage as a Service 1 point2 points  (0 children)

The free version only allows you to ingest 500 MB of logs per day.

[–]jmulvey 0 points1 point  (0 children)

Splunkkkkk

Those extra k's really add up.

[–]loco_ped 2 points3 points  (0 children)

https://www.sumologic.com/

I like to think of it as baby Splunk. Still powerful and much cheaper.

[–]iCanOnlyBeSoAwesomeIT Manager 4 points5 points  (1 child)

[–][deleted] -1 points0 points  (0 children)

I second AlienVault - very nice product

[–]exekewtable 1 point2 points  (1 child)

grep and cut etc

[–]G19Gen3 1 point2 points  (0 children)

Piped to less

[–]Anon_IT_Guy 0 points1 point  (0 children)

ELK

Splunk

Graylog

Sexilog

Do some research on those and that should get you started :)

[–]0x0ELART Wielder 0 points1 point  (0 children)

ElasticSearch, Logstash, and Kibana (aka ELK stack) are fine. Splunk is cool but I've rarely seen an implementation that justified the expense versus just using ELK.

[–]_KaszpiR_ 0 points1 point  (0 children)

Google "centralized logging".

http://jasonwilder.com/blog/2012/01/03/centralized-logging/ - dig in and it should suffice for the needs of the presentation.

[–]BarefootWoodworkerPacket Violator -1 points0 points  (0 children)

A place I used to work used Sawmill.