Splunk

A few things are interesting to me here at RSA 2008. Most of them I’ve known about for a long time, but it’s great to be able to see them up close and talk to SEs for as long as you want. Here’s the short, highly raw list of the stuff I’m getting excited by:

1. Google Message Security (Formerly Postini)

2. ArcSight

3. WebSense

4. WhiteHat Security

And there are many more I’m missing. I’ll mention them later.

But the thing I’m most enthused about right now is Splunk — a system for searching through logs.

Not very sexy, right? Lots of tools search through logs. ArcSight, LogLogic, any SEM really. True, but Splunk makes it sexy, and sexy in a useful way. It’s an Ajax interface instead of legacy HTML or Java, and powered by Flash-enabled graphing it has a really pleasing presentation.

But the most important thing is the searching. First, it’s fast. And with the ajax stuff and the way it indexes it feels even faster. It auto-completes as you type in search queries, based on what it has in the index.

Then there’s the fact that you construct and modify just by clicking on things in the results. So you see a thing that says “apache” in some log. Well, you can click on that word “apache” and choose to add it to the query explicitly, or even to show you everything WITHOUT “apache” in it.

And so it goes…you just keep adding things to the query as desired, and results come back quick — as I mentioned. Then you can do cool stuff like send these queries to different types of dashboards, and you can even create an RSS feed from the query output.

Ok, now the wicked part. It’s a free download and free to use, in your enterprise, for up to 500 megabytes of data per day. That’s confidence, and I can’t wait to play with it.

[ Splunk ]

Related posts:

1. Day-1 Skills That Cybersecurity Hiring Managers Are Looking For

2. You Should Be Running Your Own VPN Server