Category: Splunk

All things done with Splunk

  • Syslog-ng Scalability

    Normally my posts are about the things I’ve done at home on personal projects, but here is one I did for a client recently.

    Syslog is a protocol used by network gear, appliances, and most Unix distributions to handle their logs. Most importantly (for this discussion), the protocol is used by these devices to send their logs to a central server. The client is a very large organization and was sending data from hundreds of devices configured with high verbosity so that they could see security events more clearly. They also had many filters configured in Syslog-ng to sort the events so their SIEM could consume them properly. Syslog-ng couldn’t keep up with all the events coming in.

  • Getting Cfengine Community to promise logs into Splunk

    One of the benefits of the enterprise version of Cfengine is the ability to capture the logs and the status of cf-agent runs centrally. Auditors have typically asked the IT teams to provide a snapshot of the environment so they can evaluate what is and is not in compliance. However, capturing the Cfengine logs centrally means that we can get these reports on the fly. Auditors don’t need a snapshot anymore; they can have full access to see not just the current state, but when things were last changed and when hosts go out of compliance. Up until now this data was only available in Cfengine Enterprise. Here is a solution to get the data from Cfengine Community into Splunk, where it can be reported on as needed.