[ale] Alternative to splunk?

Beddingfield, Allen allen at ua.edu
Fri Jun 6 10:30:54 EDT 2014


He is using Logstash with ElasticSearch... it is up to about 20 servers (mix of virtual and physical) and several TB of data - probably because of the volume of data it is processing.  They are pulling in DNS and LDAP logs.
--
Allen Beddingfield
Systems Engineer
The University of Alabama

________________________________________
From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Jeremy T. Bouse [jeremy.bouse at UnderGrid.net]
Sent: Friday, June 06, 2014 9:11 AM
To: ale at ale.org
Subject: Re: [ale] Alternative to splunk?

On 06.06.2014 09:25, Beddingfield, Allen wrote:
> One of my co-workers set up Logstash, but it seems to take a lot of
> care and feeding, and a lot of servers.  We are about to move that to
> Splunk.
> --
> Allen Beddingfield
> Systems Engineer
> The University of Alabama
>

Not sure exactly what is meant by "care and feeding" but Logstash
itself is lightweight, the real storage and search is done via
ElasticSearch. The more ES servers the more distributed the searching
power is and the more storage your ES cluster has the more redundant and
greater retention period you have. I've actually written scripts that
auto-snapshot off indexes daily and then close & delete them after a
specified retention period. Logstash stack pretty much runs on
auto-pilot at this point.
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
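The daily snapshot, close and delete retention routine Jeremy describes above, as an added example in Python (not his scripts). It assumes Logstash's default daily index names (logstash-YYYY.MM.DD), a single Elasticsearch node at localhost:9200 and an already registered snapshot repository named logstash_backups; the sample index list is constructed.

```python
import json
import re
import urllib.request
from datetime import date

# Assumed: Logstash's default daily index naming, e.g. logstash-2014.06.06
INDEX_RE = re.compile(r"^logstash-(\d{4})\.(\d{2})\.(\d{2})$")


def index_date(name):
    """Date encoded in a logstash-YYYY.MM.DD index name, or None for other indices."""
    m = INDEX_RE.match(name)
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def plan_retention(indices, today, snapshot_after=1, close_after=7, delete_after=30):
    """Sort indices by age into snapshot / close / delete lists.

    Indices are snapshotted while still open (ES cannot snapshot a closed index),
    closed once rarely searched to free heap, and deleted after retention."""
    plan = {"snapshot": [], "close": [], "delete": []}
    for name in indices:
        d = index_date(name)
        if d is None:  # not a daily Logstash index (e.g. .kibana): leave it alone
            continue
        age = (today - d).days
        if age >= delete_after:
            plan["delete"].append(name)
        elif age >= close_after:
            plan["close"].append(name)
        elif age >= snapshot_after:  # re-snapshotting is cheap: ES snapshots are incremental
            plan["snapshot"].append(name)
    return plan


def apply_plan(plan, es="http://localhost:9200", repo="logstash_backups", today=None, dry_run=True):
    """Turn the plan into ES REST calls; repo (assumed) must already be registered."""
    today = today or date.today()
    calls = []
    if plan["snapshot"]:
        body = json.dumps({"indices": ",".join(plan["snapshot"])}).encode()
        calls.append(("PUT", f"{es}/_snapshot/{repo}/daily-{today:%Y.%m.%d}", body))
    calls += [("POST", f"{es}/{n}/_close", None) for n in plan["close"]]
    calls += [("DELETE", f"{es}/{n}", None) for n in plan["delete"]]
    for method, url, body in calls:
        if dry_run:
            print(method, url)  # review the actions before running for real
            continue
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req).read()
    return calls
```

Run it from cron with dry_run=False once the printed plan looks right; the snapshot step runs before any close or delete, so a deleted index always has a copy in the repository.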