Log Management Forum

Content Specialist
IT Central Station
May 31 2018
One of the most popular comparisons on our site is Compare ELK Logstash vs Graylog.  One user says about ELK Logstash, "ELK documentation is very good, so never needed to contact technical support." Another user says about Graylog, "UDP is a fast and lightweight protocol, perfect for sending large volumes of logs with minimal overhead." In your opinion, which is better and why? Thanks! --Rhea
Martin Labelle
The question has two parts. You need to choose the back end to aggregate the logs / information you want to centralize to allow advanced queries. On our side we decided to go with ElasticSearch as a backend and leverage Kibana for advanced queries for our users. Also on our project, we did many integrations in ElasticSearch like application logging. For the client side / log shipping mechanism, you have many ways to do it. Graylog / syslog forwarders have minimal overhead to forward events / logs. ELK supports Graylog and many other methods. We decided to leverage the Beats project (Filebeat) to forward all file logs to ELK. In conclusion, both products are very powerful and the real value is to have a central point with all relevant information to take the right decision.
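The shipper / back-end split Martin describes, as an added example that is not code from this thread, from Elastic or from Graylog: a few constructed BSD-syslog lines are parsed at ingest time (the job a Filebeat module or Logstash pipeline does) and packaged into the NDJSON body that Elasticsearch's _bulk API accepts, so the central store holds structured documents rather than raw text. The index name, the ECS-style field names and the year (RFC 3164 timestamps carry none) are assumptions; the hosts, users and addresses are made up.

```python
"""Added example (not from the forum thread): parse syslog lines at ingest time
and emit the NDJSON body for Elasticsearch's POST /_bulk, as a shipper would."""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in BSD syslog (RFC 3164) style, as a forwarder would
# read them from /var/log/auth.log. Hostnames, users and IPs are made up.
SAMPLE_LINES = [
    "May 31 10:15:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "May 31 10:15:05 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2",
    "this line is not syslog at all",
]

# RFC 3164 header: "Mon DD HH:MM:SS host program[pid]: message"
RFC3164 = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(line, year=2018):
    """Return a structured document for one line. A line that does not match is
    kept as raw text and tagged, never dropped: a shipper that discards what it
    cannot parse loses exactly the odd events an investigation needs.
    `year` is an assumption because the RFC 3164 timestamp has no year field."""
    m = RFC3164.match(line)
    if not m:
        return {"message": line, "tags": ["unparsed"]}
    ts = datetime.strptime(
        f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat(),      # ECS-style names (assumed mapping)
        "host.name": m["host"],
        "process.name": m["program"].strip(),
        "message": m["msg"],
    }
    if m["pid"]:
        doc["process.pid"] = int(m["pid"])
    return doc


def to_bulk_body(lines, index="logs-auth", shipper_host="web01",
                 source_path="/var/log/auth.log"):
    """Build the _bulk request body: one action line followed by one document
    per log line, newline-delimited, with a mandatory trailing newline.
    Every document records where it came from so the central store can still
    answer "which host and which file said this?"."""
    out = []
    for line in lines:
        doc = parse_syslog(line)
        doc.setdefault("host.name", shipper_host)   # unparsed lines still get a host
        doc["log.file.path"] = source_path
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_bulk_body(SAMPLE_LINES), end="")
```

The transport is a separate decision from the parsing: a forwarder that reads files and ships acknowledged batches (what Filebeat does) can retry, while syslog over UDP has no delivery guarantee, so lines sent that way under load are silently lost and there is no way to tell from the back end that they ever existed.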
Content Specialist
IT Central Station
Mar 19 2018
One of the most popular comparisons on IT Central Station is IBM QRadar vs Splunk. People like you are trying to decide which one is best for their company. Can you help them out? Which of these two solutions would you recommend for Log Management? Why? Thanks for helping your peers make the best decision! --Rhea
Loren Buhle
It depends on the intended purpose of the tool and the type of people implementing it. Q-Radar tends to focus its out-of-the-box reports on compliance reporting, as well as behavior-based tracking that is arduous for the DIY script writer. Having used both, they are both great platforms that take quite a bit of training to fully understand and wring the most value out of. Once you are at a steady state of log analysis, Q-Radar tends to be more useful for exploring "what we don't know" while Splunk tends to focus on confirming what I suspected but didn't have the evidence for. If you love scripting and going after known deviations, there are a lot of Splunk consultants and expertise for hire. This makes Splunk slightly better for small organizations. If known deviations are "table stakes" and your focus is on exploring risks currently unknown to you... then Q-Radar is the better option, in my opinion. Q-Radar's learning curve used to be slightly steeper than Splunk's... but I've heard there is more automation and better training on Q-Radar in the past few years.
Darius Radford
As all consultants say... it depends. The elements I would factor in are: 1) How are they staffed? 2) What groups outside of security will use this tool? 3) Is this for SIEM or log management? 4) Size of environment.

For the "how are they staffed" question, I think if you have developers and scripting expertise in house then this makes for a strong case for Splunk. If not, then Q-Radar may be a better fit.

The next question: "what groups outside the security group will use this tool?" Splunk does a lot of things that are really nice to have, but don't necessarily fall into the security space. So if folks outside of the security team will use the tool and subsequently help fund the endeavor, this makes a strong case for Splunk. If this is a pure-play security need, then out of the box, I feel this is a strong case for Q-Radar.

Is this for SIEM or log management? By default Splunk is not a SIEM; once you buy the SIEM/Security license then it becomes a SIEM. That being said, it does log management and analytics very well. Out of the box Q-Radar is a very effective SIEM with tons of pre-set rules. So obviously if this is a pure-play log management move, then Splunk becomes a strong choice here.

Size of environment. Because the Splunk licensing model is based on the number of events being produced in your environment, this is a factor that must be considered. Q-Radar, on the other hand, is one of the most straightforward SIEM installations, and has the shortest time to value out there. As such, it has often been associated with small to mid-sized organizations.

There are other factors out there to consider... this is by no means an all-encompassing list; however, I feel if you ask yourself these questions, at a minimum, then your answers become a lot clearer.
Tim Wittenburg
The answer of course is, it depends. They are both great tools. In my experience, Splunk would be viewed favorably by teams that prefer scripting and building their own capabilities. Splunk also has an add-on ES module that is pre-configured to address many common security/compliance reporting needs. I have less experience with Q-Radar relative to Splunk; however, I did recommend Q-Radar to a company who wanted something they could deploy rapidly to satisfy a HIPAA reporting requirement. My observation is that Q-Radar may have more compliance-related reporting out of the box relative to Splunk.
User at a tech services company with 1,001-5,000 employees
From a few reviews I saw that Elastic Stack, which is an open source stack solution, is gaining popularity. Splunk has been in the market for quite some time but is a commercial product. Is it possible to replace Splunk with Elastic Stack? If so, what are all the benefits we may be losing in this decision? Does Elastic Stack also have a retention policy? Is Kibana a form of equivalent to what Splunk provides? Is it advisable to set up Elastic Stack for an enterprise application? What may be the challenges if we want to set up Elastic Stack for an application which runs on two nodes and with a load balancer?
Content and Community Manager
IT Central Station
Recently, our user activity has shown that Splunk is the most commonly searched solution on our site.  3,643 of our community members follow Splunk, and it's listed in five of our product categories: Log Management, Data Visualization, IT Operations Analytics, and Security Information and Event Management (SIEM). What are some of the best features and use-cases of Splunk, and why are people explicitly searching for it to learn more?
Randall Hinds
I agree with Aaron & Tom on their points. Along with their use cases, I have been able to show more than log data in Splunk views. We tested several plug-ins during a small pilot, and we were able to bring O/S (Win/Unix/Linux) & APM data metrics into the same views as logged data. I've seen others use it to visualize a wider range of data types, too. That said, Tom's point resonates with me. There are better tools for visualization (ZoomData & Kibana come to mind), but as an aggregator Splunk has the most plug-in types out there. IF (big if) you have the $$ to support ingesting everything, you could theoretically pull data that lives in 40 or 400 source tools and thousands of hosts/systems into a single set of enterprise views. I am not fortunate enough to have that kind of budget though... After proving the concept in pilot, we had to dismantle our 'unified views' due to lack of funding.
Jean-Luc Labbé
Good log management solution you can use if you know what you are looking for. Not a SIEM solution though, even though customers should be aiming for solutions that go beyond what a SIEM does, that is, a Security Intelligence platform.
Julio Jimenez
The flexibility that it offers. One of the most powerful features of Splunk is its ability to extract fields from events when you search, creating structure out of unstructured data. It takes a small amount of "learning time" to start creating or getting searches that are meaningful to you. You can start "splunking" for free, which allows you to see the benefit. There are a ton of resources on the web, use cases, and step-by-step instructions.
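Julio's point about extracting fields at search time, shown as an added example that is not Splunk's code and not from this thread: the events stay as raw text in the store, and structure is built when the query runs, in the style of Splunk's automatic key=value extraction and its rex command, then a small detection is run over the extracted fields. The events, hostnames and addresses are constructed; the regexes, the field names and the threshold are assumptions.

```python
"""Added example (not Splunk's code): schema-on-read field extraction over raw
events, mimicking automatic key=value extraction and a rex-style named-group
regex, followed by a detection that only exists because of the extracted fields."""
import re
from collections import Counter

# Constructed raw events, stored unparsed. Hosts, users and IPs are made up.
EVENTS = [
    "Jun 1 09:12:44 web01 sshd[900]: Failed password for root from 203.0.113.9 port 5000 ssh2",
    "Jun 1 09:12:46 web01 sshd[900]: Failed password for root from 203.0.113.9 port 5001 ssh2",
    "Jun 1 09:12:49 web01 sshd[901]: Failed password for invalid user oracle from 203.0.113.9 port 5002 ssh2",
    "Jun 1 09:13:01 web02 sshd[777]: Accepted publickey for deploy from 198.51.100.7 port 4011 ssh2",
    "Jun 1 09:13:05 app01 myapp: action=login user=alice result=failure src=203.0.113.44",
    "Jun 1 09:13:06 app01 myapp: action=login user=alice result=success src=203.0.113.44",
]

KV = re.compile(r"\b(\w+)=(\S+)")


def auto_kv(event):
    """Automatic extraction: every key=value token in the raw text becomes a field."""
    return dict(KV.findall(event))


def rex(event, pattern):
    """rex-style extraction: apply a regex with named groups to the raw event and
    return the captured fields, or an empty dict when it does not match."""
    m = re.search(pattern, event)
    return m.groupdict() if m else {}


# Assumed pattern for OpenSSH failure lines; "invalid user" is optional so both
# existing and non-existent accounts land in the same `user` field.
SSH_FAIL = (r"Failed password for (?:invalid user )?(?P<user>\S+) "
            r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")


def search(events, pattern, where=None):
    """Run both extractors over every event at search time and keep the events
    that yielded fields and satisfy the optional predicate `where`."""
    rows = []
    for event in events:
        fields = auto_kv(event)
        fields.update(rex(event, pattern))
        if fields and (where is None or where(fields)):
            rows.append(fields)
    return rows


def failed_logins_by_src(events, threshold=3):
    """Detection on top of the extracted fields: count authentication failures per
    source address across two differently formatted sources (sshd free text and
    the app's key=value lines) and return sources at or above the threshold."""
    counts = Counter()
    for f in search(events, SSH_FAIL):
        if "src_ip" in f:                       # sshd failure line
            counts[f["src_ip"]] += 1
        elif f.get("result") == "failure" and "src" in f:   # app key=value line
            counts[f["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for row in search(EVENTS, SSH_FAIL):
        print(row)
    print("sources over threshold:", failed_logins_by_src(EVENTS))
```

The cost of this flexibility is that every search re-runs the regexes over the raw text, which is why the same extraction done once at ingest (as in the Filebeat/Logstash approach above) is cheaper per query; the benefit is that a pattern written today still works on events indexed months ago, with no reindexing.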
