Sunday, January 6, 2013

Back in the saddle...and using Splunk!


Been a long time since writing and lots has changed! New house, cataract surgery (at 39!), new job, developing and implementing the log management and event correlation program at a large edu, etc. On that front a large university is very different than a large corporation. Take all of those issues you have with decentralization and multiply that by about 50. I debated between believable and hyperbole there and ended up somewhere in the middle I guess.

One of the bigger changes is using Splunk for the first time. At some point I should write some comparisons between ArcSight, Symantec MSSP, and Splunk. Granted it has been a few years since I’ve used ArcSight’s Enterprise Security Manager (ESM) or Logger for that matter though I remember ESM fondly and often wistfully. It still amazes me when I hear people say things like ArcSight is too hard. I maintain that for most of those cases they somehow had the idea (or were told by the sales people) that it was some magical plug and play cross between a one armed bandit and magic 8-ball. I also hear in the latest update to Symantec’s MSSP they have implemented a number of the dozens of changes I suggested (am sure others as well!) and it is now much better than what it was 6 months ago.

If there is one piece of advice I could give it would be to install Splunk today. You may not use it a ton in an active way, but at the very least I wish I had had it for all of those times I had large Excel spreadsheets to massage in an effort to extract value.

Welp, as was the case when I first started writing, this was written while waiting for the oil to be changed in one of my vehicles. That is complete, and this sort of went in a different direction than planned. In my next post I plan to talk about a few ways I’ve found in Splunk to look for fields that don’t exist. As an aside, it is somewhat interesting to think about writing Splunk stuffs in somewhat the same way I used to write about ArcSight stuffs. The main driver back then was that there wasn’t much out there at all for ArcSight and LM/SIEM in general, and the ArcSight forums were gated to the general public. That isn’t the case with Splunk (gated community), and sadly the act of running the Splunk implementation and general ho-ha leaves me far less time to actually DO something in Splunk than I’d like.