It's fair to say that I learned a lot about log management through Splunk. A few years ago, I used Splunk for a variety of computer security applications, most notably to collect and forward events across a wide range of machines. Picking it up again two years later, I was pleasantly surprised to find that Splunk has become feature-rich and very handy beyond its early origins.
For this review, I installed Splunk 4.1.2 across a few different platforms. Splunk comes as a single installer, available for Windows (XP and later), Linux, Unix, BSD, Mac, and a few other operating systems, and it also supports a few of the most popular network devices as data sources.
Depending on how you decide to use Splunk, all the components can be installed on a single computer; at a minimum, Splunk requires dual processors and 8GB of RAM. Alternatively, the various components can be spread across multiple computers. Indexers host the Splunk data store and provide indexing services for local and remote data sources. Stored data is compressed to roughly half its original size. Search heads, forwarders, deployment servers, and high-availability components can also be deployed in a distributed implementation. I installed all components on a single server since I wasn't testing enterprise performance. Online and downloadable documentation is particularly good.
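The forwarder-to-indexer split mentioned above is the smallest distributed layout most shops start with. The script below is an added example, not Splunk's own code or anything from the review: it writes the two configuration files that tie a forwarder to an indexer, with the receiving port restricted to TLS so an unauthenticated host on the network cannot push fabricated events into the index. The hostname idx01.example.net, the port 9997, the certificate paths under etc/auth, and the monitored file are assumptions; the stanza and key names (tcpout, splunktcp-ssl, SSL, monitor) are Splunk's own.

```shell
#!/bin/sh
# Added example: generate outputs.conf for a forwarder and inputs.conf for an
# indexer so the pair talks over TLS. Host, port and certificate paths are
# assumptions for illustration; they are not values from the review.

# Forwarder side: send everything to one indexer group, verifying its cert.
# $1 = SPLUNK_HOME on the forwarder, $2 = indexer host:port
write_forwarder_conf() {
    home="$1"
    indexer="$2"
    mkdir -p "$home/etc/system/local"
    cat > "$home/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $indexer
# Client certificate presented to the indexer, and the CA that signed the
# indexer's server certificate (paths are assumed for this example).
sslCertPath = \$SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = CHANGE_ME
sslRootCAPath = \$SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = true
EOF
    # What this forwarder collects locally (file path is an assumption).
    cat > "$home/etc/system/local/inputs.conf" <<EOF
[monitor:///var/log/secure]
sourcetype = linux_secure
index = main
EOF
}

# Indexer side: accept forwarder traffic only on the TLS listener and require
# a client certificate. A plain [splunktcp://PORT] stanza would accept
# unencrypted data from any host able to reach the port, so none is written.
# $1 = SPLUNK_HOME on the indexer, $2 = receiving port
write_indexer_conf() {
    home="$1"
    port="$2"
    mkdir -p "$home/etc/system/local"
    cat > "$home/etc/system/local/inputs.conf" <<EOF
[splunktcp-ssl:$port]

[SSL]
serverCert = \$SPLUNK_HOME/etc/auth/indexer.pem
password = CHANGE_ME
rootCA = \$SPLUNK_HOME/etc/auth/cacert.pem
requireClientCert = true
EOF
}

# Stand-alone run: write both files into a scratch directory and show them.
demo_dir=$(mktemp -d)
write_forwarder_conf "$demo_dir/forwarder" "idx01.example.net:9997"
write_indexer_conf "$demo_dir/indexer" 9997
cat "$demo_dir/forwarder/etc/system/local/outputs.conf" \
    "$demo_dir/indexer/etc/system/local/inputs.conf"
```

To use it for real, point the functions at each box's actual SPLUNK_HOME, put a server certificate and CA bundle in place (Splunk ships a `splunk createssl` command for generating test certificates; a certificate from your own CA is preferable), replace the CHANGE_ME placeholders, and restart Splunk on both machines with `$SPLUNK_HOME/bin/splunk restart`.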
Splunk: Log collection and management
Installation was as simple as clicking Next, Next, and Finish. Once installed, Splunk is accessed through a Web interface on TCP port 8000 by default (served over plain HTTP until you turn on SSL for Splunk Web, which is worth doing before exposing it beyond localhost), a command-line interface, or a custom third-party UI (if purchased or downloaded separately). The screen below shows the main Splunk Manager interface. Many of the available features, including reports, searches, and dashboard views, depend on which Splunk applications are installed. There is a healthy Splunk development community, and many of the Splunk add-ons are available for free.