Unifying events with Splunk
Splendid Splunk
Systems administrators, security engineers, and analysts share a common challenge in typical enterprise environments. Rare is the data center in which only one operating system is in use, or only one version of the same operating system. Monitoring and managing system events and security events across such hybrid environments is no small feat.
In this article, I intend to give special attention to the process of shipping various events, including Windows events, off to a single collection source via agents and syslog, particularly in *nix-heavy environments, where syslog might be the de facto standard.
Although I'll focus mainly on security event monitoring and correlation, you can use these methods for performance and system monitoring and optimization as well.
The centerpiece of this discussion is Splunk [1]. The Splunk website says that Splunk is "… software that provides unique visibility across your entire IT infrastructure from one place in real time. Splunk enables you to search, report, monitor, and analyze streaming and historical data from any source."
On Splunk's website, you'll see numerous humorous references to Splunk's capabilities:
- Taking the sh out of IT.
- Log is my co-pilot.
- All batbelt, no tights.
- Australian for grep (my favorite).
To be certain, these are coy marketing phrases, but they are accurate, as I will show in this article.
Assumptions
This article assumes that you're familiar with the basic premise of Splunk and have heard of or used OSSEC (a host-based intrusion detection system) [2] and Snare (auditing and event-log manager) [3].
Some choices need to be made when unifying events in a hybrid environment.