sunhux asked:
Comparing Splunk, ELK & Metron Hadoop

We are considering Splunk, ELK or Apache Metron Hadoop for SIEM.

Q1:
I've encountered nightmares with a top-end SIEM in the past when
querying/retrieving data: it takes days & even crashes. Which of the
above has excellent super-speed log management & querying?

Q2:
I was told by an ex-colleague that ArcSight/Splunk require CEF
(Common Event Format) or syslog format to be piped to them,
as they can't accept any other format. A vendor using QRadar
told me QRadar requires syslog/CEF format inputs too.
I've SNMP traps / MIB events (eg: from Cisco & proprietary
devices) that my ex-colleague told me can't be accepted by
Splunk/ArcSight, so I would like to know if any of the 3 above
tools are more readily able to accept SNMP/other
event formats.

Q3:
Heard that ELK lacks policies, which in the long run will be
costlier if we get consultants to customize: do the other
2 products have this concern?
Also, Splunk Enterprise goes by amount of logs & we're
concerned that too many logs (can be 500MB/month)
will make the cost high. Weighing between customization
/set-up PS efforts & licensing costs based on amount of
logs (which I guess we can archive off older logs to reduce
the license cost), which of the 3 is more cost-effective?
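Q2 turns on whether a SIEM will only accept syslog/CEF input. The usual answer for sources that speak neither (SNMP traps, application events) is a small normaliser in front of the SIEM that rewrites each event into CEF. The block below is an added example written for this page, not code from the asker or from any of the products named; it parses a syslog-wrapped CEF line into fields (honouring the `\|` and `\\` escapes in the header and the `\=` and `\\` escapes in the extension), emits CEF from a dict, and wraps a decoded SNMP trap in CEF. The trap dict, the sample log line and the mapping of trap OID to signature ID and of varbinds to `cs<n>`/`cs<n>Label` are constructed assumptions for illustration.

```python
"""CEF parse/emit helpers (added example, not from the page or any vendor).

Assumed CEF layout (per the ArcSight CEF spec):
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Header fields escape '|' as '\\|' and '\\' as '\\\\'; extension values escape
'=' as '\\=' and '\\' as '\\\\'. A syslog PRI/timestamp/host may precede "CEF:".
"""
import re

_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")
# An extension key starts the string or follows whitespace and is followed by '='.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(s):
    """Split the 7 header fields on unescaped '|'; return (fields, raw extension)."""
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # escaped char: keep the next char literally
            cur.append(s[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(parts) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return parts, s[i:]


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v two' into a dict; values run until the next key."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)   # single-pass unescape
    return out


def parse_cef(line):
    """Parse a CEF event, optionally prefixed by a syslog header."""
    m = re.search(r"CEF:\d+\|", line)
    if not m:
        raise ValueError("no CEF header found")
    header, ext = _split_header(line[m.start() + len("CEF:"):])
    event = dict(zip(_HEADER_FIELDS, header))
    event["version"] = int(event["version"])
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event["extension"] = _parse_extension(ext)
    event["syslog_prefix"] = line[:m.start()].strip()
    return event


def _esc_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    return str(v).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build a CEF:0 line from plain values, applying the escaping rules above."""
    header = "|".join(_esc_header(x) for x in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def snmp_trap_to_cef(trap):
    """Wrap a decoded SNMP trap (constructed dict) in CEF.

    Mapping is an assumption for illustration: trap OID -> signature ID,
    agent address -> dvc, receive time -> rt, varbinds -> cs<n>Label/cs<n>.
    """
    ext = {"dvc": trap["agent"], "rt": trap["received_ms"]}
    for i, (oid, val) in enumerate(trap["varbinds"][:6], start=1):   # CEF defines cs1..cs6
        ext[f"cs{i}Label"] = oid
        ext[f"cs{i}"] = val
    return to_cef("SNMPCollector", "TrapForwarder", "1.0", trap["trap_oid"],
                  trap.get("name", trap["trap_oid"]), trap.get("severity", 5), ext)


# Constructed sample input: a syslog-wrapped CEF line with an escaped '|' in the
# name and an escaped '=' in the msg extension.
SAMPLE_LINE = ("<134>Jan 12 10:22:01 fw01 CEF:0|Cisco|ASA|9.1|106023|"
               "Deny tcp (outside\\|inside)|6|"
               "src=10.1.1.5 dst=192.0.2.9 dpt=445 proto=TCP msg=Policy\\=deny hit")

# Constructed sample trap: a linkDown notification with two varbinds.
SAMPLE_TRAP = {
    "agent": "10.0.0.7", "received_ms": 1700000000000,
    "trap_oid": "1.3.6.1.6.3.1.1.5.3", "name": "linkDown", "severity": 7,
    "varbinds": [("1.3.6.1.2.1.2.2.1.1.3", "3"), ("1.3.6.1.2.1.2.2.1.7.3", "2")],
}

if __name__ == "__main__":
    print(parse_cef(SAMPLE_LINE))
    print(snmp_trap_to_cef(SAMPLE_TRAP))
```

Whether a given product then needs this front-end at all is the vendor question the poster is asking; the parser is the same either way, and round-tripping an event through `to_cef` and `parse_cef` is a quick check that the escaping rules are being applied correctly before events reach the SIEM.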
sunhux (ASKER):
1 more query:

Heard that Splunk has a UEBA that we have to purchase separately.
Which of the 3 products has the most UEBA features already
built-in, so that we don't have to invest in it?
sunhux (ASKER):

We have quite a few applications in AWS that we need to monitor:
some apps just have a field to forward events to an "SMTP server" or
"syslog server".
ASKER CERTIFIED SOLUTION
Prabhin MP:
Splunk is generally the most expensive, but you get what you pay for. Reducing the logs you send and the retention length can keep costs down. It is one of the quickest to get up and running and returning actionable reports.

For a SIEM, ArcSight and AlienVault are my usual go-to applications. A bit more control vs a fully hosted platform.

ELK is great, but not what I suggest starting with unless you have plenty of time to tinker and figure things out. There are hosted platforms built on ELK, but they are still going to provide a lot of options that expect you to have experience.

I would suggest you trial Splunk and learn as you go; whether or not you stick with the platform, it's a great learning experience.