[olug] Splunk Alternative

Matthew G. Marsh olug4mgm at paktronix.com
Wed Mar 25 10:34:24 CDT 2015


We have a master log collection server (several actually but only one of 
importance) using Rsyslog and all logs from all boxes logging to the 
Rsyslog server get sent through a FIFO to an OSSEC instance with a 
PostgreSQL backend DB. It takes some tuning on OSSEC but is well worth it 
if you have the time to go through the tuning process up front.

I like the fact that Rsyslog allows me to send the logs to the FIFO, 
perform any per host filtering/rewriting if needed, and also parse/store 
the original logs into individual files for (hopefully never needed) legal 
archiving.

One corner case has a defined special instance of OSSEC running (Cisco 
VPN infrastructure) so that we can see both issues with the VPNs and any 
internally mounted attacks over the VPNs. But that is also running on the 
same server.

Not as pre-tuned, drop-in, hands-off, but very flexible and powerful. FWIW.

On Tue, 24 Mar 2015, Matt Goeres wrote:

> I am running a setup like this for straight syslog. It doesn’t have any alerting capabilities but the search works great. I haven’t done much more if any than the article to parse out the logs but the search already works like a grep on a raw file anyways.
> https://blog.linuxnet.ch/logserver-with-elasticsearch-logstash-rsyslog-kibana-on-ubuntu-14-04/
>
>
>
> On March 24, 2015 at 11:07:18 PM, Aric Aasgaard (aric at omahax.com) wrote:
> What is the best alternative to Splunk? I like Splunk, but its licensing model is worse than the terrible deals offered by Kevin O'Leary on the Shark Tank. Do any of you have good experience with fluentd?
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>

--------------------------------------------------
Matthew G. Marsh
Special Email Addr for OLUG ;-}
Phone: (402) 932-7250
Email: olug4mgm at paktronix.com
WWW:  http://www.paksecured.org
--------------------------------------------------
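As an added illustration (not Matthew's configuration, nor anything from the OSSEC or rsyslog projects), the rsyslog pipeline he describes can be sketched in RainerScript: keep an untouched per-host archive copy, apply per-host filtering, then hand every message to OSSEC through a FIFO. The listener ports, the archive directory, the host name "printer01" and the FIFO path are assumptions chosen for the example.

```rsyslog
# Added example: central rsyslog collector feeding OSSEC via a FIFO.
# Paths, ports and the host name below are assumptions, not taken from the thread.
module(load="imudp")
module(load="imtcp")
module(load="ompipe")          # writes to a named pipe (FIFO)

# One file per sending host and day, holding the original message verbatim,
# for the "hopefully never needed" legal archive.
template(name="PerHostArchive" type="string"
         string="/var/log/archive/%HOSTNAME%/%$year%-%$month%-%$day%.log")
template(name="RawMsg" type="string" string="%rawmsg%\n")

ruleset(name="central") {
    # 1. Archive first, before any filtering or rewriting touches the message.
    action(type="omfile" dynaFile="PerHostArchive" template="RawMsg"
           dirCreateMode="0750" fileCreateMode="0640")

    # 2. Per-host filtering: drop debug-level chatter from one noisy host
    #    (hypothetical host name) so it never reaches the OSSEC rules.
    if $hostname == "printer01" and $syslogseverity >= 7 then stop

    # 3. Everything else goes to OSSEC through the FIFO. A dedicated in-memory
    #    queue keeps the archive action flowing if the FIFO reader stalls.
    action(type="ompipe" pipe="/var/run/ossec/rsyslog.fifo"
           queue.type="LinkedList" queue.size="10000")
}

input(type="imudp" port="514" ruleset="central")
input(type="imtcp" port="514" ruleset="central")
```

Writes to a FIFO block when nothing is reading it, so the queue on the ompipe action matters: without it a paused OSSEC would back up the whole ruleset, archive included.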

