Xavier Dusart

System administration


Splunk vs EventCentral


I discovered Splunk in late 2007, and was convinced the concept was good. Splunk is a log collector, plus a powerful search engine, using its own language. The GUI is quite pretty (written in Flash), and the core code is written in Python (odd idea).

At that time, Splunk was very Linux-oriented, thus not fitting my needs (Windows logs). The latest version was more interesting: it runs on Windows (that doesn't really matter), and can collect Windows event logs natively (that's better).

So I installed and configured Splunk, version 3.3.1. It looks like this:

[screenshot]

A short comparison with my EventCentral, looking only at Windows event log gathering:

Criterion                      EventCentral               Splunk
-----------------------------  -------------------------  ------------------------------------------
Installation & configuration   Quite some work            InstallShield
Hands-on                       Easy                       Hard work
Auto-discovery                 yes                        no (but check "crawler", just in case)
Gathering frequency            24h                        10s by default (almost real-time)
Alerts                         no                         yes
External links                 yes (eventid.net, etc.)    no (but check "splunkbase", just in case)
Acknowledgement with comments  yes                        no
GUI                            yerk                       cool
Search capabilities            limited                    powerful integrated language
Graphs                         erh... no                  built-in
CPU / RAM consumption          very low                   very high
Gathering with...              psloglist                  WMI
Other log type gathering       none                       oh yes (generic tool)
Development team               1                          loads
Cost                           Free                       Pay for enterprise version

Installation

Easy: download Splunk (you have to register on-line), and install it on a Windows server that is a member of the Active Directory domain. Don't forget to:

  • Run the Splunk service with an account that has remote WMI access to the computers you want to gather logs from. Domain Admin works, but it grants far more than log reading needs; a dedicated service account with remote WMI rights (DCOM remote launch/activation plus Remote Enable on the WMI namespace) and the "Manage auditing and security log" user right on each target (or Event Log Readers membership on Windows Server 2008 and later) is enough to read the Security log.
  • Enable Splunk's WMI input (see Configuration below), and make sure the target hosts accept remote WMI connections: the WMI service runs by default, but their firewall must let the DCOM/RPC traffic through (TCP 135 plus the dynamic RPC port range).

Configuration

Check that the configuration file C:\Program Files\Splunk\etc\system\inputs.conf contains:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled=0

That stanza enables Splunk's WMI scripted input.
Then edit the configuration file C:\Program Files\Splunk\etc\system\wmi.conf, for example like this:

[WMI:DCEventLog]
server = srv1, srv2
interval = 10
event_log_file = Application, System, Security, Directory Service, DNS server, File Replication Service
disabled = 0

[WMI:RemoteEventLog]
server = srv3
interval = 10
event_log_file = Application, System, Security
disabled = 0

The first stanza instructs Splunk to collect event logs from the domain controllers SRV1 and SRV2, including the DC-specific logs (Directory Service, DNS Server, File Replication Service). The second collects the three standard logs from SRV3.

Restart Splunk through the web interface (Admin > Server > Control server). You are done, and it works.
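Before trusting "it works", it is worth checking from the collector itself that the service account, the DCOM/RPC path and the log names in the stanzas are all good. The following PowerShell script is an added example, not part of the original post and not Splunk's own code: it polls the same remote event logs the [WMI:DCEventLog] stanza configures (servers srv1 and srv2, every 10 seconds) by querying the Win32_NTLogEvent WMI class directly, and reports every new event. It assumes the targets are reachable over RPC/DCOM and that the account it runs under (the Splunk service account, or one passed with -Credential) has remote WMI access and the right to read the Security log; the server names, log list and poll count are taken from the stanza and are only defaults to edit.

```powershell
# Added example (not from the original post, not Splunk code): independent WMI
# poll of the remote event logs configured in the [WMI:DCEventLog] stanza, to
# verify account rights, DCOM/RPC reachability and log names.
# Assumed: targets reachable over RPC/DCOM (TCP 135 + dynamic RPC ports), and an
# account with remote WMI access plus "Manage auditing and security log"
# (or Event Log Readers membership on 2008+) so the Security log is readable.
param(
    [string[]]$Servers = @('srv1', 'srv2'),           # hosts from the stanza
    [string[]]$Logs    = @('Application', 'System', 'Security',
                           'Directory Service', 'DNS Server',
                           'File Replication Service'),
    [int]$IntervalSec  = 10,                          # same as "interval = 10"
    [int]$Polls        = 3,                           # number of polling rounds
    [System.Management.Automation.PSCredential]$Credential = $null
    # $null = query as the current user, i.e. test as the Splunk service account
)

function Get-NewEventsSince {
    param([string]$Server, [string]$Log, [datetime]$Since, $Cred)
    # WQL compares dates as DMTF strings (yyyymmddHHMMSS.ffffff+UUU), so convert.
    $dmtf   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $filter = "Logfile='$Log' AND TimeGenerated > '$dmtf'"
    $params = @{ Class = 'Win32_NTLogEvent'; ComputerName = $Server
                 Filter = $filter; ErrorAction = 'Stop' }
    if ($Cred) { $params.Credential = $Cred }   # -Credential is only valid for remote hosts
    Get-WmiObject @params
}

# Newest event already reported, per "server\log"; start one interval back.
$lastSeen = @{}
$start    = (Get-Date).AddSeconds(-$IntervalSec)

for ($round = 1; $round -le $Polls; $round++) {
    foreach ($srv in $Servers) {
        foreach ($log in $Logs) {
            $key = "$srv\$log"
            if (-not $lastSeen.ContainsKey($key)) { $lastSeen[$key] = $start }
            try {
                $events = @(Get-NewEventsSince -Server $srv -Log $log -Since $lastSeen[$key] -Cred $Credential)
            } catch {
                # Typical failures: "RPC server is unavailable" (firewall/DCOM),
                # "Access denied" (account rights), or an unknown Logfile name.
                Write-Warning ("{0}: {1}" -f $key, $_.Exception.Message)
                continue
            }
            foreach ($e in ($events | Sort-Object TimeGenerated)) {
                $t = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
                '{0} {1,-30} {2,-14} {3,5} {4}' -f $t.ToString('s'), $key, $e.Type, $e.EventCode, $e.SourceName
                # TimeGenerated has one-second resolution, so a second event in the
                # same second as the last one seen would be skipped by the '>' filter.
                # A real collector keys on RecordNumber; a reachability check need not.
                if ($t -gt $lastSeen[$key]) { $lastSeen[$key] = $t }
            }
        }
    }
    if ($round -lt $Polls) { Start-Sleep -Seconds $IntervalSec }
}
```

Run it once as the Splunk service account (no -Credential) and once with the least-privilege account you intend to use: a warning on the Security log with everything else working points at missing log-reading rights, while "RPC server is unavailable" on every log points at the firewall or DCOM. An unknown Logfile name (a typo in event_log_file, or a log that only exists on domain controllers) also shows up here rather than silently yielding nothing in Splunk.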

Now you can compare Splunk to EventCentral, and tell which best suits your needs.

Last Updated on Friday, 06 March 2009 18:35