Also, make sure you're using the latest version of Splunk. 4.0.6 had a couple of issues with some of the saved searches.
On Sun, Jan 3, 2010 at 9:46 AM, Dave S <[email protected]> wrote:
> Thanks all. I'll give it a try.
>
> Although I find myself torn between the two systems.
> Splunk is a killer report-generating platform, but it can be quite
> demanding on clients and networks as it collects - excuse me "vacuums"
> - all of the raw data.
> On the other hand, one of the things I love dearly about OSSEC is how
> light-weight the agent is and how well it regulates data collection.
> Users would never notice it's there, which is important so they don't
> try to deactivate it like they do with anti-virus apps that get
> carried away.
>
> So here's hoping to get the best of both worlds.
>
> - Dave
