
Currently, my organization is using Splunk to store logs from various places (DBs, Apache, systems we write, etc.). We don't really use most of its abilities (pull logs automatically, etc.), but we do require the search it provides - showing the event and some of its surroundings.

Recently the free version of Splunk started giving us a hard time, so we would like to replace it with some other tool, even with fewer features, as long as it could index and search over a large amount of logs.

Could you please offer such alternatives?

EDIT: while the suggestions given are great, none offer the searching and indexing capability I need. Can you offer something else?

Moshe
  • Required to be free? You can have a look at Arcsight Logger, free up to 750 MB per day. Note that Logger is a SIEM, while Splunk is not. – Frands Hansen Jan 28 '12 at 22:36
  • Thanks Frands. Unfortunately, the free license for Arcsight Logger allows merely 50GB of logs, which is less than what I have. During the time since I posted this question, we've started considering for-fee products such as Ativio. – Moshe Jan 30 '12 at 13:15

4 Answers

Syslog-ng is one of the traditional ways to centralize your logs. This older Linux.com article explains how to set this up. The article doesn't cover indexing exactly, but shows you how to set up Logcheck to filter the logs using regex and get notified of non-trivial events.

Kyle Brandt

In the past, I had centralized logging enabled via syslog-ng, but more recently, at a new site, I've switched to rsyslog. Here's a good comparison:

http://www.rsyslog.com/doc-rsyslog_ng_comparison.html

Adam D'Amico

As a log system I will recommend rsyslog, as its features and license have made it the default in some Linux distributions. If you want a tool to search in those logs you may look at Octopussy ( http://www.8pussy.org/ ).

You can also get more feedback on another question: Alternatives to Splunk?

Pablo Martinez

Rsyslog as a log collector (you can run nearly any syslog on each client) and phplogcon as a UI for viewing the log data will do the job. Be warned: I found the documentation for rsyslog to be seriously lacking and majorly frustrating at times. I was able to make it do everything I wanted, but it took me many more hours to get things working than it did for me to get the free syslog-ng working. See the phplogcon demo site to see the search and filtering interface in action.

Brian De Smet
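As an added example, not taken from any of the answers above, here is a minimal rsyslog configuration (v7 or newer syntax) for the collector-plus-clients layout the last answer describes: clients forward everything over TCP, the collector writes one file per sending host and day for phplogcon or grep to search. The collector name loghost and the file paths are assumptions.

```conf
# --- On the central collector (assumed path: /etc/rsyslog.d/10-collector.conf) ---

# Accept syslog over TCP; TCP avoids the silent message loss of UDP forwarding.
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending host and day, so a search can be scoped to a host and date.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Only messages that arrived over the network go to the remote tree; the
# collector's own local messages keep following the distribution's default rules.
# Restrictive modes keep other accounts on the collector from reading the logs.
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# --- On every client (assumed path: /etc/rsyslog.d/90-forward.conf) ---

# Forward all facilities and priorities to the collector ("loghost" is assumed).
# The disk-assisted queue buffers messages while the collector is unreachable,
# and resumeRetryCount="-1" retries forever instead of discarding them.
*.* action(type="omfwd" target="loghost" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_loghost"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Run `rsyslogd -N1` on each host to syntax-check the configuration before restarting the service.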