Splunk vs Loglogic: Battle of the logs

If you need a centralized logging solution for your business, you’ll need to consider Splunk vs Loglogic. I have experience with both in corporate environments.

I guess you can say I spent a lot of time configuring and waiting on Loglogic. I spent a little time configuring Splunk and a lot of time turning the data inside it into knowledge.

Cost

Splunk is much cheaper up front. You can run it on your own hardware, and you pay by the gigabyte.

But that means that down the line, Loglogic is cheaper. With Loglogic, you buy an appliance, plug it in, and you can write as much data to it as you want until it fills up. You can empty it and rewrite it as many times as you want. Here’s how to make it fill up 45% less quickly.

Speed

There’s no comparison. Splunk searches rarely take more than a few minutes and many finish in less than two minutes. I’ve seen Loglogic searches take days or weeks, and that was even after having Tibco come in and optimize the appliances. The more data you write to it, the slower it gets.

I’ve conducted incident investigations using Splunk in 30 minutes. I never could have dreamed of doing that in Loglogic.

Not just logging

Splunk also allows you to visualize the data you put into it, like you would with Excel, only there isn’t a limit of 1.04 million rows to contend with. Splunk doesn’t quite turn any average joe into a data scientist, but it comes close. It really is a data science tool, not just a logging solution. And once you have those capabilities, you wonder how you lived without them.

Loglogic prides itself on just being a place to stuff logs. It doesn’t correlate or anything. It’s very dumb and featureless. You can export data sets to CSV and that’s about it.

Data sources

Splunk has APIs and can consume logs from Windows machines and anything that speaks syslog. It can also pull in file-based logs, and you can define how Splunk interprets the logs it pulls in.

Loglogic has the ability to consume syslog, Windows, and file-based logs via standard Unixy file transfer methods. There’s no API, and there are very limited options for telling Loglogic how to interpret the file.

Plug in and go

Loglogic bills itself as a plug in and go solution. Splunk doesn’t.

The thing is, anything that’s plug in and go with Loglogic is plug in and go with Splunk too. That’s OS-level stuff, or applications that speak syslog.

Things that are hard to do in Loglogic are easier to do in Splunk. Any competent systems administrator can get moderately challenging logs into it in an hour or so. Projects that took me days in Loglogic took me hours in Splunk. And then when I had the data in Splunk, I could do all kinds of cool stuff with it.
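As an added illustration of what “telling Splunk how to interpret a file” and then using the data looks like in practice (this is example configuration written for this post, not something from the original article or from Splunk’s documentation), here is a file-based log being brought in, given a sourcetype, and searched. The log path, the sourcetype name `myapp`, the log line format and the field names are all made up for the example; the two stanzas would normally live in separate inputs.conf and props.conf files.

```ini
# Sample line from /var/log/myapp/app.log (constructed for this example):
# 2014-03-02T10:15:42-0600 WARN user=jdoe src=10.0.0.5 action=login_failed

# inputs.conf (on the forwarder): watch the file and tag it with a sourcetype
[monitor:///var/log/myapp/app.log]
sourcetype = myapp
index = main
disabled = false

# props.conf (on the indexer; the EXTRACT- line can also go on the search head):
# where each event starts, where its timestamp is, and which fields to pull out
[myapp]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 24
EXTRACT-myapp_fields = ^\S+\s+(?<level>\w+)\s+user=(?<user>\S+)\s+src=(?<src_ip>\S+)\s+action=(?<action>\w+)

# Searches (SPL) once the data is indexed, the kind of thing an investigation starts with:
# failed logins per user and source address, keeping only the noisy pairs
#   sourcetype=myapp action=login_failed | stats count by user, src_ip | where count > 5
# the same events as an hourly trend per source, which Splunk renders as a chart
#   sourcetype=myapp action=login_failed | timechart span=1h count by src_ip
```

Once the extraction stanza is in place, `user`, `src_ip` and `action` show up as searchable fields automatically, so the stats and timechart searches need no regex of their own.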

No logging solution is going to be as easy to implement as it claims to be. Ironically, by not trying to be easy, Splunk ends up being easier.

In conclusion

If you have a regulatory requirement to store log data but never intend to use it, Loglogic is a cost effective way to meet that requirement. Then again, there are open-source solutions that are cheap too, and most of them do more than Loglogic.

But if you want to consume and use log data, Splunk is the far superior solution. Splunk is much faster, and allows you to visualize the data in lots of ways to make it easy to understand. I can retrieve my data, visualize it several ways, interpret it, and finish my investigation in Splunk while Loglogic would still be 10% of the way into the retrieval process.

After spending some time with both solutions, to me, Splunk vs Loglogic isn’t much of a battle. There can be valid use cases for Loglogic, but most of the time, Splunk is worth the extra expense. As a security professional, I’m big on making data actionable, or at least turning data into knowledge. Splunk helps me do that. Loglogic gives you a place to dump your data and forget about it.

If you want security, Splunk helps you get that. If you want compliance, Loglogic will do.
