Log management review: Splunk 4
Splunk doesn't have all the features of the top competitors, but pairs good value with an active development community.
It's fair to say that I learned a lot about log management through Splunk. A few years ago, I used Splunk for a variety of computer security applications, most notably to collect and forward events across a wide range of machines. Picking it up again two years later, I was pleasantly surprised to find that Splunk has become feature-rich and very handy beyond its early origins.
For this review, I installed Splunk 4.1.2 across a few different platforms. Splunk comes as a single installer, available for Windows (XP and later), Linux, Unix, BSD, Mac, and a few other operating systems, including a few of the most popular network devices.
Depending on how you decide to use Splunk, all the components can be installed on a single computer; at a minimum, Splunk requires dual processors and 8GB of RAM. Alternatively, the various components can be spread across multiple computers. Indexers host the Splunk data store and provide indexing services for local and remote data sources. Stored data is compressed to half its original size. Search heads, forwarders, deployment servers, and high-availability components can also be deployed in a distributed implementation. I installed all components on single servers since I wasn't testing enterprise performance. Online and downloadable documentation is particularly good.
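To make the distributed layout concrete, here is a minimal forwarder-to-indexer configuration of the kind the review's architecture implies. This is an added illustration written for this page, not configuration from the review or from Splunk's own documentation; the hostname `indexer.example.com`, the port 9997, and the monitored path `/var/log/auth.log` are assumed placeholders, and the stanza names (`[monitor://...]`, `[tcpout]`, `[splunktcp://...]`) are the standard Splunk `inputs.conf` and `outputs.conf` syntax.

```ini
# --- On the forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Watch a local log file and tag it with a sourcetype so searches can
# distinguish it from other inputs later. (Placeholder path: assumed.)
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = main

# --- On the forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything collected above to a named group of indexers.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Hostname and port are assumed placeholders for this example.
server = indexer.example.com:9997
# Compress the stream on the wire (indexed data is compressed
# separately on disk, as the review notes).
compressed = true

# --- On the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for incoming forwarder traffic on the same port. The
# receiving side must also be set to accept compressed data.
[splunktcp://9997]
compressed = true
```

From a defender's point of view, the useful property of this split is that the forwarder is a small footprint on the monitored host while the indexer holds the data store; keeping the receiving port reachable only from known forwarders (host firewall or network ACL) limits who can inject events into the index.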
Splunk: Log collection and management