Logging and Learning

We recently deployed Splunk at work. I’ve only pointed a few servers (the core ones) and the networking gear at it, and it’s already making a HUGE impact by simplifying the tasks that rely on log review. Just by adding the domain controllers and core switches, we immediately gain visibility into authentication and DHCP events. As we move forward, we will continue to extend the flow to include in-process operations logs from enterprise applications like SAP, Oracle eBusiness, and all of the other ERPs we have in house. So far the log flow is pretty light (only about 240MB/day on average), but once we start to ramp up the use of the system I expect this to grow dramatically.

So far I have been really happy with the way Splunk works. I am just now starting to hit some frustration as I start to install some of the applications and actually go through their implementation. This is fairly typical of open-source-style software, and the add-ons available from Splunkbase are no exception to the rule. In particular, I am trying to get the CheckPoint OPSEC LEA application installed and configured. The installation only hit one snag on the CentOS 5 box I have Splunk running on, and I noted the fix on the application’s page.

So now I have the application installed, and I have no idea what to do next to configure it or to verify that it’s working. It looks like I’ll have to drop back to the original source project to run my troubleshooting from… I’ll post more on this as I move along, in hopes it will be helpful to others.

Posted in Active Directory, CentOS, OpenSource, Security, Splunk, linux, msserver.

2 Responses

  1. Thanks for the help on the OPSEC configuration page: http://www.splunk.com/doc/latest/admin/Opsec

    If you still need help, feel free to ping support or hop on the IRC channel on efnet: #splunk. The 4.0 release will have integrated application installation support, which should help address some of the issues you had with installing the CheckPoint application.

    If coding against Splunk interests you, more information is available for getting data out of Splunk programmatically on Splunk Labs pages on Google: http://code.google.com/p/splunk-labs

  2. hey man! we miss you back at the RBJ Community Forums. come drop by and say hello when you get a chance….

    peace and luv,
    randomguru
