If you need a centralized logging solution for your business, you’ll need to consider Splunk vs LogLogic. I have experience with both in corporate environments.
I guess you can say I spent a lot of time configuring and waiting on LogLogic. I spent a little time configuring Splunk and a lot of time turning the data inside it into knowledge.
I’ve covered event logging before, but the excellent site Malware Archaeology has some cheat sheets that include Splunk queries you can use to find incidents or malware operating in your network, or even use to create dashboards so you can keep an eye on things. Malware Archaeology’s list of events to log is a bit different from what I covered before, but there’s a considerable amount of overlap. You probably want to log what they recommend as well as what anyone else recommends.
The key to corporate computer security is situational awareness, and I don’t think anyone sells a blinky box that provides enough of that. But you can build it with Splunk.
And, for what it’s worth, I do recommend Splunk. I’ve used Log Logic in the past, and its searches often take days to finish, which means Log Logic is so slow that by the time you find anything in it, it’s likely to be too late. Splunk isn’t quite real-time, but you can find stuff in a few minutes.
FireEye runs a bunch of its processes as root, a practice that’s been a no-no since the late 1990s, and they’re more interested in litigation than they are in working with the guy who discovered it.
The attitude is all too common.
If you’ve ever upgraded a LogLogic universal collector and had it fail to work, it’s very disconcerting to see the error message when you try to reinstall the previous version: Downgrades aren’t supported. But there is a solution if you need to downgrade a LogLogic universal collector.
My 9-5 gig revolves primarily around Tibco LogLogic (I’ll write it as Log Logic going forward, as I write in English, not C++), which is a centralized logging product. The appliances collect logs from a variety of dissimilar systems and present you with a unified, web-based interface to search them. When something goes wrong, having all of the logs in one place is invaluable for figuring it out.
That value comes at a price. I don’t know exactly what these appliances cost, but generally speaking, $100,000 is a good starting point for an estimate. So what if I told you that you could store 45% more data on these expensive appliances, and increase their performance very modestly (2-5 percent) in the process? Read on.