Hi Tyler,

On Wed, Jan 19, 2011 at 1:17 PM,  <[email protected]> wrote:
> I’ve been looking into the functional overlap between SPLUNK and OSSEC, and
> it seems that SPLUNK can accomplish many of the same tasks as OSSEC.  I’ve
> used the OSSEC app for SPLUNK, so they must partner well, but I can’t find
> very many differences.
>
> In short, it seems as if someone would purchase the SPLUNK enterprise
> product, they would have a replacement for their existing OSSEC deployment…
>
> What are your thoughts?  Is there room for both tools in the enterprise?
>
> Tyler Ross

While there is some overlap, they each perform their primary functions
very well.
Splunk gives you a great GUI to view the alerts OSSEC provides. It
doesn't do notifications or file integrity monitoring well.
OSSEC gives you great notifications (emails) and integrity monitoring,
but doesn't have a GUI (the WUI doesn't count).

The benefits of Splunk go down the more data you have, because the
price goes up. It's not difficult to stuff more than 500MB of data
into Splunk in a day. And the free version has some other serious
limitations.
