fact and fiction about chain of evidence

Raffael Marty, whom I already know to be a very smart guy, had the guts and insight to say what no one else wants to say about chain of evidence and court admissibility of log data. He points out that “unaltered” is a totally fictitious requirement for maintaining admissibility of log data as evidence. Go Raffy! He promises follow-on posts about the details of why he says so.

But meanwhile I’ll take my own stab at why… basically, log data is recorded by computer programs. Often these computer programs call other programs to handle the actual log output – say syslog, or log4j – which themselves add timestamps, headers, etc. If a log management system of some type does further parsing on the output, as…

» Continue reading

Splunk for ad hoc Squid proxy auditing

Trigg3r writes from Mindanao about using Splunk on Squid proxy logs.

» Continue reading

Long tail log sources

While catching up on the long tail, Chris Anderson’s blog where he explores his thesis about the impact of digital distribution on mass media products, I realized most IT people take what Chris calls a blockbuster attitude when it comes to deciding what log sources to centralize.

(The basic long tail idea is that in the past, when the cost of distributing each movie title or album was fairly high, only the most popular items could be profitable. But with digital distribution, suddenly the aggregate profit of all of the more niche stuff may be larger than the hits. You profit by having everything anyone might want in stock.)

When it comes to building some sort of central log host, sysadmins focus…

» Continue reading

Thanks for the reviews!

Thanks to all of you out there who are not only trying out Splunk, but blogging your first impressions.

Some recent reviews:

  • Alex Nordstrom: “From here on, you can now browse all your log messages in a beautifully structured and intelligent way.”
  • ProdAdmin: “…you can see right away what the most common events in our logs are.”
  • Demetri Mouratis follows up after his initial review: “I’m here to tell you it was pretty easy.”
  • Notes:

» Continue reading