LinuxQuestions.org
Old 08-22-2007, 07:23 PM   #1
Noodles25
LQ Newbie
 
Registered: Apr 2007
Posts: 18

Rep: Reputation: 0
Cheaper Splunk Alternative


Does anyone know of any cheaper alternatives to splunk? For what it is, it seems very expensive and there's no way that I could convince management to splash out for it.
 
Old 08-22-2007, 09:23 PM   #2
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197

Rep: Reputation: 105
Well, some might argue that it's not in the same class, however, it suits my idea for what I want in this type of thing. And, it's open source, which fits your directive for cheaper. It's called SEC, or Simple Event Correlator. Simple, powerful, fast, pure perl, and not a lot of other stuff added on. I confess that I haven't actually implemented this yet, but I did spend a lot of time searching. My idea is to implement syslog-ng with a syslog server and have SEC running on the syslog server.

http://www.estpak.ee/~risto/sec/

http://sourceforge.net/projects/simple-evcorr/

For similar reasons, I am in the middle of configuring mon (try googling that, I don't remember how I finally stumbled on it). I want to keep my servers as simple as possible. If a monitor program gives me a list of a gazillion things it needs installed in order to function, then I don't want it.

http://mon.wiki.kernel.org/index.php/Main_Page

I don't intend to get into graphics for either of these. However, you can apply the same philosophy to that, using just RRDTool and a dirt simple (not full function) perl based web server that kicks off from inetd and has zero footprint otherwise.

http://oss.oetiker.ch/rrdtool/

I had a hard time finding the simple perl web server, and I don't remember where it is or what its name was now. It was almost as hard to find as mon or sec. There were 2 or 3 of them, but only one suited me. If I decide to go this route, I'll have to find it again.
 
Old 08-22-2007, 09:34 PM   #3
Noodles25
LQ Newbie
 
Registered: Apr 2007
Posts: 18

Original Poster
Rep: Reputation: 0
Thanks for the info. Do you know if SEC supports multiple servers reporting back to one or just monitors logs on one server?
 
Old 08-23-2007, 06:21 AM   #4
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197

Rep: Reputation: 105
That was the point of using syslog-ng with a log server together with SEC. Syslog-ng is pretty much the standard for this sort of thing.

SEC is really simple, but powerful. You could put it on multiple servers, but the advantages of having a log server are significant enough on their own. You have one place to look at logs (few sysadmins spend enough time doing that), still have log history if one of the servers is compromised, etc. Typically, this would be configured so that local system logs are maintained in addition to the log server. This means that if you are working on a particular server, you have logs locally. If you are trying to correlate events across multiple servers, you have one place to look. And, if you have a compromised system, in which the hacker /dev/nulled the logging, you have the log history up to that point on the log server, and you can analyze what happened.
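
An added illustration of the last point in post #4, not part of the original post and not SEC or syslog-ng code: a Python sketch that reads lines as a central log server might store them and flags hosts whose logging has gone quiet while others keep reporting, returning the last events the server still holds for them. The line layout, host names, year and 15-minute threshold are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of lines as a central log server might store them
# (classic BSD syslog layout: timestamp, host, program[pid], message).
SAMPLE = """\
Aug 23 06:00:01 web1 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
Aug 23 06:00:02 db1 cron[388]: (root) CMD (run-parts /etc/cron.hourly)
Aug 23 06:04:10 web1 sshd[902]: Accepted publickey for admin from 192.0.2.10
Aug 23 06:05:00 db1 postgres[510]: checkpoint complete
Aug 23 06:20:00 db1 postgres[510]: checkpoint complete
Aug 23 06:35:00 db1 postgres[510]: checkpoint complete
this line is not syslog and is skipped
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?)(?:\[\d+\])?: (.*)$"
)

def parse(text, year=2007):
    """Yield (timestamp, host, program, message) for each well-formed line.

    BSD syslog timestamps carry no year, so the caller supplies one.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are ignored rather than trusted
        stamp, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, host, prog, msg

def silent_hosts(text, max_gap=timedelta(minutes=15)):
    """Map each host that has been quiet longer than max_gap to its last event.

    "Now" is the newest timestamp in the store, so the check is relative
    to hosts that are still reporting.
    """
    last, newest = {}, None
    for ts, host, prog, msg in parse(text):
        if host not in last or ts >= last[host][0]:
            last[host] = (ts, f"{prog}: {msg}")
        if newest is None or ts > newest:
            newest = ts
    return {h: ev for h, ev in last.items() if newest - ev[0] > max_gap}

if __name__ == "__main__":
    for host, (ts, event) in silent_hosts(SAMPLE).items():
        print(f"{host} silent since {ts}; last event: {event}")
```

A host that legitimately logs rarely will also be flagged, so the threshold has to be tuned per host or paired with a periodic heartbeat message.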
 
Old 08-23-2007, 04:10 PM   #5
pmcgovern
LQ Newbie
 
Registered: Aug 2007
Posts: 3

Rep: Reputation: 0
deleted by moderator

Last edited by reddazz; 08-23-2007 at 08:25 PM. Reason: advertising
 
Old 08-23-2007, 08:25 PM   #6
reddazz
LQ Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 75
pmcgovern, the forum rules do not permit advertising. Please visit http://www.linuxquestions.org/advertising/ for more information on advertising. Feel free to contact the forum admin if you have any questions about this policy.

Last edited by reddazz; 08-23-2007 at 08:27 PM.
 
Old 08-23-2007, 08:31 PM   #7
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,589

Rep: Reputation: 3112
Ahhh yes ....
I had wondered about where the (advertising) line was to be drawn.

Still, I was surprised when the OP mentioned splunk was too expensive. I had always considered it as free from the truckloads of ads I had seen - on sf.net or freshmeat.net maybe.
Never bothered downloading it, so never knew the true position.
 
Old 08-24-2007, 10:51 AM   #8
pmcgovern
LQ Newbie
 
Registered: Aug 2007
Posts: 3

Rep: Reputation: 0
Splunk

My apologies if my post appeared to be advertising. Not my intention.

Noodles25 has been looking for something cheaper than Splunk.

My only point was Splunk is free (up to 500 megabytes of indexable data a day). It's hard to be cheaper than free. Noodles may not know that there is a free version.

Last edited by pmcgovern; 08-24-2007 at 10:52 AM.
 
Old 11-23-2008, 04:21 PM   #9
Noodles25
LQ Newbie
 
Registered: Apr 2007
Posts: 18

Original Poster
Rep: Reputation: 0
500MB a day wasn't enough for my needs and the costing of splunk above that was too much.
 
Old 02-04-2009, 01:38 AM   #10
pitcat
LQ Newbie
 
Registered: Feb 2007
Posts: 5

Rep: Reputation: 0
and Lire ....
http://www.logreport.org/

and awstats ....

http://awstats.sourceforge.net/

Last edited by pitcat; 02-04-2009 at 01:56 AM. Reason: added awstats
 
Old 09-18-2009, 07:48 AM   #11
james.b
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Rep: Reputation: 0
You could check out logscape from liquidlabs

Hope that helps,
J.
 
Old 07-25-2011, 07:22 AM   #12
ccosk
LQ Newbie
 
Registered: Jul 2011
Posts: 1

Rep: Reputation: Disabled
Cheaper Splunk Alternative

Google for f-deets, syslog format, multiple platforms supported.
 
Old 11-09-2011, 07:56 AM   #13
worm5252
Member
 
Registered: Oct 2004
Location: Atlanta
Distribution: CentOS, RHEL, HP-UX, OS X
Posts: 567

Rep: Reputation: 57
ccosk, Thanks. As many people are finding, 500MB of data is nothing when you start talking about log aggregation of many servers, so the free version of Splunk will not work. As many others are doing, I am searching around for splunk alternatives. I like Splunk, I think it is a great product, but unless you are a fairly decent size enterprise, budgets are not flexible enough to cover this expense.

I am taking a look into f-deets now to see if that will work for our needs.
 
Old 09-21-2012, 06:13 AM   #14
RobinUS
LQ Newbie
 
Registered: Sep 2012
Location: Eindhoven area, The Netherlands
Posts: 3

Rep: Reputation: Disabled
Hi there,

We're working on a product that does things like:
  • Collecting data
  • Aggregation
  • Visualisation
  • Notifications
  • Scheduled reports
  • Much more..

If you would like to help us out and provide some feedback on what you need, we can give you access to our beta. Take a look at http://www.cloudpelican.com/ and sign up to stay in touch.
 
Old 09-21-2012, 06:47 AM   #15
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,589

Rep: Reputation: 3112
Resurrecting old (inactive) threads is generally frowned upon. Especially if it could be construed you have merely signed up here to do advertising.

Personally, I would be happier to see that web page have (much) more data on what you are proposing (along the lines you have posted here maybe) before surrendering my email address to be potentially spammed.
Something to consider maybe - some of us have become more suspicious over the years.
 
  

