August 12, 2007
Log management is one thing; making use of the logs is another. A couple of years ago
I was doing an investigation for a client on about 4 gigs of logfiles from 3 webservers,
a router, and an IDS. After that I was on a mission to find something that I
could use to aid in post-event analysis and not overthink the process for me. While
there are a lot of good tools out there that aggregate log files and do correlation,
they are not very well suited for post-incident response handling. The very features
that help you do dashboard reporting actually inhibit you when conducting an investigation.
Normalization of data is useful if you need reporting and alerting, but an investigator
needs to see the data his way, quickly, and untarnished.
That's where Splunk comes in. If you haven't SPLUNKED then you don't know what you are
The best of the web 2.0 applications I have ever seen, Splunk is like an Ajax-enabled
Google for log files. Powerful, intuitive, and best of all, not patronizing. Leaves you
feeling like you have a good multitool that doesn't try to think for you.
Check them out – www.splunk.com
You won't ever look at an investigation the same way again.
– Ray Zadjmool, QSA