Splunk-ing
No, I am not talking about visiting caves. Splunking is the process of using a product called Splunk. It’s a security search engine that allows you to view log information from various sources such as firewalls, servers, and other network devices and report on them. Think of it as Google for IT stuff. Beyond the functionality, which is excellent, the really nice thing about this product is that it’s open source, meaning it’s essentially free to use if you don’t want any professional advice or support and you are not pumping tons of data into it.
This 2-minute video gives you all the information you need to get started.
How does it work?
Splunk, like Google, needs data to work. Google’s strength is that it can not only search through tons of data but can also correlate it, making some assumptions about what should be displayed and in what order. Splunk works much the same way. It uses data generated from virtually any networked computer device and then allows you to search for things that are important, such as signs of potential or known problems. By default it can gather information automatically from Windows Event Logs, syslog and file shares, and with a growing list of plug-ins it can read data from other sources.
So how does it benefit the average company?
Splunk is a framework that can make sense of data. In its simplest form, it can show you on one page the condition of a system, security information, change controls, web page stats, etc.
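To make the "search engine for logs" idea in the two paragraphs above concrete, here is an added toy example, not Splunk's own code or its search language: it parses a few constructed syslog lines, builds an inverted index over them, runs an AND-search for terms, and summarises the hits by a field (the "count by host" style of report described above). The sample lines, hostnames and addresses are made up for the example.

```python
"""Toy log search engine: index constructed syslog lines, search and summarise them.

Added illustration only; it is not Splunk's code and does not use Splunk's query language.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (invented for this example, not real events).
SAMPLE_LOGS = [
    "Aug 18 13:40:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Aug 18 13:40:03 srv01 sshd[2011]: Failed password for root from 203.0.113.5 port 51822 ssh2",
    "Aug 18 13:40:05 srv01 sshd[2011]: Failed password for root from 203.0.113.5 port 51823 ssh2",
    "Aug 18 13:40:09 srv02 sshd[887]: Accepted publickey for alice from 192.0.2.44 port 40222 ssh2",
    "Aug 18 13:41:00 srv01 sshd[2015]: Failed password for admin from 198.51.100.7 port 61000 ssh2",
]

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<message>.*)$"
)


def parse_line(line):
    """Split one syslog line into fields; unparseable lines keep only the raw text."""
    m = SYSLOG_RE.match(line)
    fields = m.groupdict() if m else {
        "ts": None, "host": None, "program": None, "pid": None, "message": line,
    }
    fields["raw"] = line
    return fields


def tokenize(text):
    """Lower-case word/number tokens; dots are kept so IP addresses stay whole."""
    return set(re.findall(r"[a-z0-9.]+", text.lower()))


def build_index(lines):
    """Return (records, inverted index) where index maps token -> set of record ids."""
    records = [parse_line(line) for line in lines]
    index = defaultdict(set)
    for rec_id, rec in enumerate(records):
        for tok in tokenize(rec["raw"]):
            index[tok].add(rec_id)
    return records, index


def search_logs(records, index, *terms):
    """AND-search: records containing every whitespace-separated term, case-insensitive."""
    words = " ".join(terms).split()
    if not words:
        return list(records)
    ids = None
    for word in words:
        matches = index.get(word.lower(), set())
        ids = matches if ids is None else ids & matches
    return [records[i] for i in sorted(ids)]


def count_by(records, field):
    """Summarise matching records by one parsed field, e.g. host or program."""
    return dict(Counter(rec[field] for rec in records))


# Index the sample data once at import time so the functions can be used directly.
RECORDS, INDEX = build_index(SAMPLE_LOGS)

if __name__ == "__main__":
    hits = search_logs(RECORDS, INDEX, "failed password")
    for rec in hits:
        print(rec["host"], rec["program"], rec["message"])
    print("failed logins by host:", count_by(hits, "host"))
    print("events mentioning 203.0.113.5 by program:",
          count_by(search_logs(RECORDS, INDEX, "203.0.113.5"), "program"))
```

The two-step structure (parse into fields at index time, then search tokens and aggregate on fields) is what lets a log search engine answer "which hosts saw failed logins?" without re-reading every raw line for each question; a real product adds time-range filtering, persistent storage and many more source formats on top of the same idea.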
If you’re looking for a way to easily report on the IT log data you already have you should look at Splunk.
August 18th, 2008 at 1:48 pm
“the really nice thing about this product is that it’s open source meaning it’s essentially free to use”
I wanted to point out that while Splunk does have a free version, it is NOT open source. Yes, you can use it and index up to 500 MB of data per day for free, but the source code is distributed in compiled format and is not available for redistribution (without a partner agreement).
Nice write up on splunk though, it’s a great tool, we love and use it as well.
-theHoegg
August 18th, 2008 at 1:59 pm
Thanks for the clarification, Joe!