I discovered Splunk in late 2007 and was convinced the concept was good. Splunk is a log collector plus a powerful search engine with its own query language. The GUI is quite pretty (written in Flash), and the core code is written in Python (an odd choice).
At that time, Splunk was very Linux-oriented and thus did not fit my needs (Windows logs). The latest version is more interesting: it runs on Windows (which doesn't really matter) and can collect Windows event logs natively (which is better).
So I installed and configured Splunk version 3.3.1. It looks like this:
A short comparison with my EventCentral, concerned only with Windows event log gathering, gives:
| | EventCentral | Splunk |
|---|---|---|
| Installation & configuration | Quite some work | InstallShield |
| Hands-on | Easy | Hard work |
| Auto-discovery | yes | no (but check "crawler", just in case) |
| Gathering frequency | 24h | 10s by default, which is almost real-time |
| Alerts | no | yes |
| External links | yes (eventid.net, etc.) | no |
| Acknowledgement with comments | yes | no |
| GUI | yerk | cool |
| Search capabilities | limited | powerful integrated language |
| Graphs | erh... no | built-in |
| CPU / RAM consumption | very low | very high |
| Gathering with... | psloglist | WMI |
| Other log type gathering | none | oh yes (generic tool) |
| Development team | 1 | loads |
| Cost | Free | Pay for enterprise version |
Installation
Easy: download Splunk (you have to register online) and run it on a Windows server that is a member of the Active Directory domain. Don't forget to:
- Run the Splunk service under an account that has WMI access rights on the computers you want to gather logs from (a Domain Admin is a good candidate).
- Activate WMI.
Configuration
Check that configuration file C:\Program Files\Splunk\etc\system\inputs.conf contains:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled=0
Setting disabled=0 on that stanza enables the WMI collection script.
Edit the configuration file C:\Program Files\Splunk\etc\system\wmi.conf, for example like this:
[WMI:DCEventLog]
server = srv1, srv2
interval = 10
event_log_file = Application, System, Security, Directory Service, DNS server, File Replication Service
disabled = 0
[WMI:RemoteEventLog]
server = srv3
interval = 10
event_log_file = Application, System, Security
disabled = 0
The first block instructs Splunk to collect the event logs from domain controllers SRV1 and SRV2 (including Directory Service, DNS Server and File Replication Service). The second collects the three standard logs (Application, System, Security) from SRV3.
Restart Splunk through the web interface (Admin / Server / Control server). You are done, and it works.
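Before restarting, it is worth checking what those two files actually commit you to: one scripted input that must be enabled, and a set of (server, event log) pairs that the collector will poll every interval seconds. The script below is an added example, not Splunk's own code: it parses the inputs.conf and wmi.conf stanzas shown above (embedded here as constructed sample text), rejects stanzas that would never collect anything, and prints the per-server collection plan. The WQL query shape (Win32_NTLogEvent filtered on Logfile) is an assumption about what the WMI collector issues, used here only to show what each poll asks of the remote host.

```python
"""Check a Splunk 3.x-style inputs.conf / wmi.conf pair and list the
per-server, per-log polling they imply.

Added example, not Splunk code.  The sample file contents are constructed
from the stanzas shown in the post; the Win32_NTLogEvent query is an
assumption about what splunk-wmi.py issues, not taken from its source."""
import configparser
from typing import List, Tuple

# Constructed sample of inputs.conf (raw string keeps the backslashes literal).
INPUTS_CONF = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled=0
"""

# Constructed sample of wmi.conf: the two stanzas from the post plus a
# parked one, to show that disabled stanzas are ignored even if malformed.
WMI_CONF = """
[WMI:DCEventLog]
server = srv1, srv2
interval = 10
event_log_file = Application, System, Security, Directory Service, DNS server, File Replication Service
disabled = 0

[WMI:RemoteEventLog]
server = srv3
interval = 10
event_log_file = Application, System, Security
disabled = 0

[WMI:Parked]
server = srv4
interval = 0
event_log_file = Application
disabled = 1
"""

WMI_SCRIPT_STANZA = r"script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py"


def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-style; interpolation is off so '$' and '%' are literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def wmi_input_enabled(inputs_conf: str) -> bool:
    """True when the splunk-wmi.py scripted-input stanza exists and is not disabled."""
    cp = _parse(inputs_conf)
    if not cp.has_section(WMI_SCRIPT_STANZA):
        return False
    return cp.get(WMI_SCRIPT_STANZA, "disabled", fallback="0").strip() == "0"


def _split_list(value: str) -> List[str]:
    # "Application, Directory Service" -> ["Application", "Directory Service"]
    return [item.strip() for item in value.split(",") if item.strip()]


def collection_plan(wmi_conf: str) -> List[Tuple[str, str, str, int]]:
    """Return (stanza, server, logfile, interval) for every enabled WMI stanza.

    Raises ValueError for an enabled stanza with no server, no log, or a
    non-positive interval, since such a stanza would silently collect nothing."""
    cp = _parse(wmi_conf)
    plan: List[Tuple[str, str, str, int]] = []
    for section in cp.sections():
        if not section.startswith("WMI:"):
            continue
        if cp.get(section, "disabled", fallback="0").strip() != "0":
            continue
        servers = _split_list(cp.get(section, "server", fallback=""))
        logs = _split_list(cp.get(section, "event_log_file", fallback=""))
        interval = int(cp.get(section, "interval", fallback="10"))
        if not servers or not logs:
            raise ValueError(f"{section}: needs at least one server and one event_log_file")
        if interval <= 0:
            raise ValueError(f"{section}: interval must be a positive number of seconds")
        for server in servers:
            for log in logs:
                plan.append((section, server, log, interval))
    return plan


def wql_for(logfile: str) -> str:
    """WQL the collector is assumed to run per log; single quotes are doubled."""
    safe = logfile.replace("'", "''")
    return f"SELECT * FROM Win32_NTLogEvent WHERE Logfile = '{safe}'"


if __name__ == "__main__":
    print("WMI input enabled:", wmi_input_enabled(INPUTS_CONF))
    for stanza, server, log, interval in collection_plan(WMI_CONF):
        print(f"{stanza:20} {server:6} every {interval:>3}s  {wql_for(log)}")
```

Run it against your real files by reading them instead of the embedded samples. The plan it prints is also the list of remote hosts and logs the service account must be able to read over WMI, which is a concrete way to verify a less privileged account than Domain Admin before relying on it.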
Now you can compare Splunk to EventCentral, and tell which best suits your needs.