Aggregating and analyzing log data is an IT best practice--and a requirement in regulated industries--but it can also be a pain in the you-know-what. Many log aggregation products have purpose-built parsing engines that process logs as they're received and build up event databases. This works well if all your log sources have parsers built in, but not all do. That means for unsupported devices, events are stored as raw log data that's not easily searched. To make matters worse, there are no standards for log messages themselves. This makes extracting meaning from events difficult.
Meanwhile, the volume of data that network devices and servers generate can be staggering.
Enter Splunk 3.0, the latest software release from Splunk. This excellent analyzer accepts any plain text as unstructured log data, indexes keywords, and stores the records. Splunk uses a search-based interface for log analysis.
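To make the approach concrete, here is an added example (not Splunk's own code) of the idea described above: treat every incoming line as plain text, tokenize it into keywords, build an inverted index, and answer keyword searches across sources that share no common format. The log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records from heterogeneous sources (firewall,
# web server, sshd, application); no shared format, no per-source parser.
SAMPLE_LOGS = [
    "Mar 12 10:01:33 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    '10.0.0.5 - - [12/Mar/2007:10:01:35 -0500] "GET /admin HTTP/1.1" 403 214',
    "Mar 12 10:01:40 srv02 sshd[4411]: Failed password for root from 10.0.0.5 port 51022 ssh2",
    "2007-03-12 10:02:01 appserver WARN Disk usage at 91% on /var",
]

# Keyword = run of word characters plus the punctuation common inside
# hostnames, IPs, paths and percentages; '=' , ':' and brackets split tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.\-/%]+")


def tokenize(text):
    """Lower-case keyword set for a line; strips leading/trailing path/dot punctuation."""
    return {tok.strip("./-").lower() for tok in TOKEN_RE.findall(text) if tok.strip("./-")}


class LogIndex:
    """Inverted index: keyword -> set of record ids; records kept as raw text."""

    def __init__(self):
        self.records = []
        self.postings = defaultdict(set)

    def add(self, line):
        rid = len(self.records)
        self.records.append(line)
        for tok in tokenize(line):
            self.postings[tok].add(rid)
        return rid

    def search(self, query):
        """Return raw records containing every keyword in the query (AND search)."""
        hits = None
        for term in tokenize(query):
            ids = self.postings.get(term, set())
            hits = ids if hits is None else hits & ids
        return [self.records[i] for i in sorted(hits)] if hits else []


def build_index(lines):
    idx = LogIndex()
    for line in lines:
        idx.add(line)
    return idx
```

Because the firewall, web and sshd records all carry the token `10.0.0.5`, a single search pivots across all three sources without any of them having a dedicated parser.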
We tested the software in our Syracuse University Real-World Labs and found complex searches fairly easy once we glommed on to the search capabilities.
The software has basic archiving features, but they may not be sufficient for companies that need robust, long-term log storage. And because Splunk is software, you need to plan for adequate server resources. Splunk runs on Linux, but the company is working on a Windows version. You can try Splunk for free with a 30-day enterprise license, and a freeware version is also available. The product as tested starts at $5,000 for 500 Mbytes per day.