<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div> <br> <div id="bloop_sign_1476467293337956864" class="bloop_sign"></div> <br><p class="airmail_on">On October 14, 2016 at 12:03:45, Rick Troth (<a href="mailto:rmt@casita.net">rmt@casita.net</a>) wrote:</p> <div><div><blockquote type="cite" class="clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span><div bgcolor="#FFFFFF" text="#000000"><div></div><div><div class="moz-cite-prefix">At my place of work, we ship Splunk embedded in appliances.<br>I gather that it is a closed source log handler which<span class="Apple-converted-space"> </span><u>can talk SYSLOG protocol</u><span class="Apple-converted-space"> </span>and presses its affinity for CEF (Common Event Format). CEF strikes me as a good thing because SYSLOG traffic can be way too free-form for enterprise processing. (Just too little structure for huge volumes of log traffic to be processed effectively without something like CEF.)</div></div></div></span></blockquote></div><p>Badly formatted - or worse completely unformatted - logs are a huge problem and it does require some thought behind how an application generates its logs. Splunk can deal with and recognize lots of formats out of the box, and can be taught others. The key is that the logs have to be in a format. You can't simply dump whatever you want into your log files (like raw XML) - or a variety of formats in a single log - and expect Splunk will figure it out by magic.</p><p>Badly formatted (or missing) timestamps on log entries can also royally screw things up while Splunk spends a ton of time trying to figure out what the timestamp for the event should be.</p><div>Adhering to a CEF can make a massive difference in Splunk's usability and performance by addressing both of the above.</div><br><blockquote type="cite" class="clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span><div bgcolor="#FFFFFF" text="#000000"><div><div class="moz-cite-prefix">I found Splunk's gigabyte licensing to be annoying. A customer can bump into the wall and lose traffic. (I forget the details of the failure mode.)</div></div></div></span></blockquote></div><p>Last I knew, you don't lose logs due to licensing violations. Basically, it's a certain number of violation "strikes" for going over the log input ("indexing") limit per month. I believe it is 5 strikes, and then you can't search your logs until you resolve the license issue by talking to Splunk - or perhaps some amount of time passes and searches work again. You should never lose logs.</p></body></html>