
Comment Re: Coming from an information security academic (Score 1) 88

Actually, I understand exactly what a Search Head cluster (put it behind a Load Balancer to handle the traffic, not DNS round robin) with multiple Search Heads does. It allows you to share all your user load over several servers, which does help performance when some people are doing huge searches and some just want to watch a dashboard. Beyond that, not everyone understands that separating your apps over multiple search heads actually helps as well. DBConnect, for instance: if you have that on a SH with some other apps, you have a lot of back-end work, which will lower your performance. Of course, using Heavy Forwarders to gather data and do some pre-parsing helps even more.

Having used numerous other SIEM or log aggregation tools on the market over the last 10 years, I can say that Splunk does scale better than any other commercial SIEM. It also allows you to take any data feed and get results and mappings faster with a lot less work. But just as with any other SIEM, you have to plan out your install and run before you build it, or you will kill your performance.

You also have to understand the search formatting. The order of things like deduping data (or using the NOT term in a search) matters with Splunk and affects your performance big time.

As for your statement "Here you are talking about separating search-heads from indexers and you should know that most customers already have small clusters with that separation, and yes performance still sucks." This is contrary to what I have heard. Of the people I know who run Splunk, many did not separate out their install until a year or so into the install. This I think is a failing of the Splunk documentation for real-world load. Once you go beyond the 10 gig a day license you MUST separate the servers to keep performance higher. Just like how you should not put ES and the PCI app on the same server (even though it's supported).

The SIEMs that use a SQL backend (like LogRhythm) cannot return data as fast as Splunk, nor are they as versatile in allowing searches.

Comment Re: Coming from an information security academic (Score 1) 88

It seems you do not understand how Splunk runs entirely. Running the same searches over and over does nothing to improve performance. It's when you "accelerate" them or add them to a summary index that speeds them up. In a VERY real-world environment, I search millions of records many times an hour, depending on what I am looking for or the request I get. Some of these are even over several (or all) of my indexes. Currently my install averages 130 million records a day, from about 15 different source feeds (with many source types per feed, such as network gear). When I run some monthly data that is a LOT of records, which pulls in minutes or less.

I would suggest reviewing your SOW with their professional services and asking them to build you out an Index and Search Head cluster. Heck, even just separating the search head and indexers onto separate servers will improve your performance.
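The two points made above, search ordering and summary indexing, in a worked savedsearches.conf fragment. This is an added example, not configuration from the commenter's environment; the index, sourcetype, field and stanza names (firewall, cisco:asa, src_ip, dest_port, summary) are assumed for illustration. The "slow" and "fast" stanzas return the same answer (distinct blocked destination ports per external source); the difference is where the filtering happens and whether a dedup has to be done on the search head.

```ini
# savedsearches.conf (added example; index, sourcetype and field names are assumed)

# Same question, two shapes. The slow form scans every index for the window,
# ships all events to the search head, dedups there, and only then drops the
# RFC1918 sources. The fast form puts index, sourcetype, action and the NOT
# into the base search so the indexers discard events before returning them,
# and replaces dedup + count with dc(), which aggregates on the indexers.
[blocked_ports_by_src_slow]
search = index=* | dedup src_ip dest_port | search NOT src_ip=10.0.0.0/8 | stats count as ports by src_ip
dispatch.earliest_time = -24h
dispatch.latest_time = now

[blocked_ports_by_src_fast]
search = index=firewall sourcetype=cisco:asa action=blocked NOT src_ip=10.0.0.0/8 | fields src_ip dest_port | stats dc(dest_port) as ports by src_ip
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Summary indexing: run the reduced search once an hour and write the hourly
# rollup to the summary index. The monthly report then reads ~720 small rows
# per source instead of re-scanning a month of raw firewall events.
[blocked_by_src_hourly]
search = index=firewall sourcetype=cisco:asa action=blocked NOT src_ip=10.0.0.0/8 | stats count by src_ip
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary

# Monthly report over the summary rows only. Summary-indexed events carry the
# name of the saved search that produced them as their source.
[blocked_by_src_monthly]
search = index=summary source="blocked_by_src_hourly" | stats sum(count) as blocked by src_ip
dispatch.earliest_time = -30d@d
dispatch.latest_time = @d

# Report acceleration is the other option mentioned above: Splunk maintains the
# summary itself for a transforming search, no second index needed.
[blocked_by_src_accelerated]
search = index=firewall sourcetype=cisco:asa action=blocked | stats count by src_ip
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -30d@d
```

The hourly summary search is deliberately offset by five minutes (cron 5 * * * *) and bounded to the previous whole hour so that late-arriving events are indexed before the rollup runs and no hour is counted twice.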

Comment Re: Coming from an information security academic (Score 1) 88

Sounds like you do not have your build set up correctly. If you scale out Splunk correctly, three 8-core / 8 GB RAM boxes in a Search Head cluster can pull MILLIONS of records in seconds. We went from 2 indexers and one search head to an Index cluster and Search Head cluster, and noticed a 1000% increase in performance. We are also pulling in billions of log records a day with no issues. All of our indexers are recycled servers that were EOL.

Comment Re:Like 'World of Warcraft' (Score 3, Informative) 168

Um, but WoW has been going for over 10 years, and still has a higher number of players than any other MMO out there. Most MMOs still wish they were even a fraction as successful as WoW.

This is the first big name AR game, and I am guessing that it will get better, and be copied, just like WoW was.

Comment Re:Why doesn't an IP address prove something? (Score 2) 164

It would definitely be harder to show that you were innocent if the VPN service is in your name. While it is not impossible for someone to hijack a VPN connection, my personal opinion is that such an argument without proof would be an uphill battle in court. Note: I am not a lawyer.

So, having been to court many times, both with a lawyer and acting Pro Se, I can assure you that (in civil court at least), it HAS to be proven that it was actually YOU who did it. A log by itself is not enough.

What I mean by this is that a cell phone in my name could be left on the counter and a child could have used it to make a phone call. While that is my phone and in my name, no one witnessed the call, and the log file cannot attest to it having been me who made that call.

Not sure about criminal court, but the rules of evidence are the same, so I would have to assume that someone would have to witness you doing it or provide attestation that it was truly you. Which would be hard in this case.

Comment Re:Why doesn't an IP address prove something? (Score 5, Insightful) 164

> I'm a Network Engineer and I have worked in the I.T. field for 30 years. I specialize in computer forensics.
>
> This is completely correct. In this age of cyber attacks, malware, ransomware, viruses, and hacks, it is very common for somebody else to seize control over a computer remotely and make your computer do things without your noticing it or leaving any trace.
>
> Anybody ever accused of such a crime should remember that a vast majority of cases depend on an admission of guilt. A VAST majority. In fact, the only ones that don't are the few cases with absolutely no doubt, rock solid evidence of who was "driving", and what they were doing, and that only happens if a person is completely stupid.
>
> FYI, a VPN connection provides proof that YOU were the person driving since it's password protected and paid for with your credit card.

Really, a VPN connection can only be established by you?

Yet if someone else already has access to and control of your PC, likely with a keylogger on the PC, what stops them from using the VPN as you? Nothing, that is what.

Comment Re:Worst mass shooting of _recent_ US history. (Score 1) 1718

Then what would you call the Civil War? Was that "legal" as well? Or the fight for our independence, where we threw off our government overlords? In both cases many more people were wounded and killed in one day. While I find what happened to be horrible, I cannot understand someone saying it was the worst mass shooting in US history (I have heard it said both for US history and for "recent" history).
