Been a long time since writing and lots has changed! New house, cataract surgery (at 39!), new job, developing and implementing the log management and event correlation program at a large edu, etc. On that front, a large university is very different from a large corporation. Take all of those issues you have with decentralization and multiply that by about 50. I debated between believable and hyperbole there and ended up somewhere in the middle, I guess.
One of the bigger changes is using Splunk for the first time. At some point I should write some comparisons between ArcSight, Symantec MSSP, and Splunk. Granted, it has been a few years since I’ve used ArcSight’s Enterprise Security Manager (ESM), or Logger for that matter, though I remember ESM fondly and often wistfully. It still amazes me when I hear people say things like “ArcSight is too hard.” I maintain that in most of those cases they somehow had the idea (or were told by the sales people) that it was some magical plug-and-play cross between a one-armed bandit and a Magic 8-Ball. I also hear that in the latest update to Symantec’s MSSP they have implemented a number of the dozens of changes I suggested (I am sure others suggested them as well!) and it is now much better than it was 6 months ago.
If there is one piece of advice I could give, it would be: install Splunk today. You may not use it a ton in an active way, but at the very least I wish I had had it for all of those times I had large Excel spreadsheets to massage in an effort to extract value.
Welp, as was the case when I first started writing, this was written while waiting for the oil to be changed in one of my vehicles. That is complete, and this sort of went in a different direction than planned. In my next post I plan to talk about a few ways I’ve found in Splunk to look for fields that don’t exist. As an aside, it is somewhat interesting to think about writing Splunk stuffs in somewhat the same way I used to write about ArcSight stuffs. The main driver back then was that there wasn’t much out there at all for ArcSight, and LM/SIEM in general, and the ArcSight forums were gated to the general public. That isn’t the case with Splunk (gated community), and sadly the act of running the Splunk implementation and general ho-ha leaves me far less time to actually DO something in Splunk than I’d like.