Strengths: Intuitive interface, expansive documentation.
Weaknesses: No functions specifically for forensic analysis and management of logs.
Verdict: Powerful yet simple log aggregation technology. Definitely worth a look.
Summary: Where a normal search engine would let you search the web, Splunk is advertised as a software solution that indexes and searches all information in your data center environment, giving easier access to log data for incident response and network forensics.
Installation is simple, asking only whether or not to log data from the current machine. Splunk supports many different log types and logging utilities from which it can monitor, analyze and correlate data. The entire interface is intuitive and easy to navigate. It takes little time to understand and use basic features. The management system in Splunk is hassle-free - from adding data inputs to adding users.
Users can be restricted to specific data sets, and to displaying only correlations of those sets. Splunk has features to graph and chart, making the data easier to grasp, as well as to explain to others. The product also has a "Live Tail" feature, letting you view, in near real-time, all incoming logs. In our test bed, Splunk performed very well, with searches taking seconds. It uses AJAX to display results.
Splunk has basic, free support options, as well as paid options. At no cost, there are support forums, email and online ticket-based systems and IRC support channels. When purchasing enterprise support, at 20 percent of the list price, users receive phone support (6 a.m. - 6 p.m.) and guaranteed response times.
There are several different options for documentation - from a community wiki to video help and product roadmaps. Splunk documentation is easy to understand and navigate. There are also FAQs and several cheat-sheets to help along the beginning administrator or user.
Depending on the level of support necessary and the amount of logging required, the enterprise licensing may be worth it - the free Splunk Basic can index up to 500 MB of data per day, but if more is needed the enterprise edition is a must-have, starting at $7,500.
Splunk is an excellent and efficient product for aggregating the logs in your entire IT infrastructure, whether for security, network, event or general log management. However, it must be used with other forensic tools since it is not really a forensic tool in its own right.
Splunk just announced its Enterprise Security Suite (ESS), which includes some basic forensic searches and alerts. In July 2009, Splunk ESS 2.0 will include a more robust set of searches, alerts and correlations for forensic uses.