New Releases Expand Splunk and Zenoss
Zenoss and Splunk are two different companies, but they make two essential applications for any enterprise IT network, and each has recently announced notable new features and new partnerships.
Zenoss is an open source IT monitoring solution that combines the features of what used to be separate solutions into one application. The non-free version adds many advanced features and support.
Splunk is an open source “IT Search Tool” that gathers, aggregates, and correlates logs and other sources of IT data in a slick, customizable, and searchable interface. It, too, has a non-free version that provides more advanced features.
Both products are must-haves and both are excellent examples of powerful open source offerings. Both also strike a good balance between fully open and fully closed source, offering the core functionality that works for smaller organizations completely free.
The big Zenoss news is that the latest version, 2.3, now supports VMware. What does it mean to support VMware? That is an excellent question, and one that marketing material does not generally cover well. Zenoss, thankfully, is very forthcoming with details.
VMware support in Zenoss means that it automatically discovers VMware servers through the VMware API, so you still do not need to install a monitoring agent. Zenoss can:
- Discover and inventory your entire VMware infrastructure
- Provide both physical and virtual performance data in a single location
- Track the movement of virtual machines
One point of frustration with monitoring tools and virtual environments is losing track of your virtual machines. Say you get a page about a few hosts being down, but you don’t know where they are physically running, or where they were last running. In theory they should simply migrate to a working server, but this happens all the time because of policies that restrict how much migration is allowed. In the past, you’d be in the dark until you logged in to the cluster management console and inspected it; now you can see everything in a single view of the entire environment.
Other new additions to Zenoss 2.3 include enhanced Windows monitoring, improved Java application monitoring and many new community-developed ZenPacks.
Splunk has been busy re-branding itself as “IT Search” rather than just log analysis. This is fair, given that its data aggregation spans much further than just snarfing and correlating syslog data.
Continuing in this fashion, Splunk’s big news is that it has partnered with F5 to provide application security search and reporting. Splunk for use with F5 allows users to splunk information obtained from F5 Application Security Manager and FirePass SSL VPN products.
Splunking (yes, it is a verb) security data allows Splunk to report on threats in a very detailed way. It’s already gathering syslog and other server data, and when security information is thrown in the mix, Splunk can correlate threats or attacks with other data to provide a much broader picture of the situation.
Out of the box, Splunk can provide useful tidbits such as:
- Top violations by protocol and specific application
- Top attacks, where they come from, and what applications are being attacked the most
- Failed VPN logins and detailed VPN usage information
Of course, reports can be custom-tailored, and you can correlate any pieces of information you wish with extreme ease.
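As an added illustration (not part of the original article, and not Splunk’s or F5’s own code or log format), the following Python script runs the kind of correlation described above over a handful of constructed events: WAF violations, SSL VPN login results and one server syslog line, all in a generic key=value form. It produces the “top violations” and “failed VPN logins” tallies and then groups every event type by client address, so a source that shows up across several data sources stands out.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in a generic key=value style (not F5's actual log
# format): WAF violations, SSL VPN login results, and plain syslog from a server.
SAMPLE_EVENTS = """\
2008-11-01T10:00:01 waf violation=SQL-Injection protocol=HTTPS app=billing src=203.0.113.5
2008-11-01T10:00:04 waf violation=SQL-Injection protocol=HTTPS app=billing src=203.0.113.5
2008-11-01T10:00:09 waf violation=XSS protocol=HTTP app=intranet src=198.51.100.7
2008-11-01T10:00:12 vpn result=failed user=jdoe src=203.0.113.5
2008-11-01T10:00:15 vpn result=failed user=jdoe src=203.0.113.5
2008-11-01T10:00:20 vpn result=success user=asmith src=192.0.2.44
2008-11-01T10:00:25 syslog host=web01 msg="sshd: Failed password" src=203.0.113.5
"""

# key=value pairs; values may be quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Split each line into (timestamp, data source, {key: value})."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        events.append((ts, source, fields))
    return events

def top_violations(events, n=3):
    """Count WAF violations by (protocol, app, violation): a 'top violations' report."""
    c = Counter((e["protocol"], e["app"], e["violation"])
                for _, source, e in events if source == "waf")
    return c.most_common(n)

def failed_vpn_logins(events):
    """Count failed VPN logins per user."""
    c = Counter(e["user"] for _, source, e in events
                if source == "vpn" and e["result"] == "failed")
    return dict(c)

def correlate_by_source_ip(events):
    """Group every event type by client IP, so a WAF attack, a failed VPN login and
    an SSH failure from the same address are reported together."""
    by_ip = defaultdict(Counter)
    for _, source, e in events:
        if "src" in e:
            by_ip[e["src"]][source] += 1
    # Keep only addresses seen in more than one data source: the 'broader picture'.
    return {ip: dict(c) for ip, c in by_ip.items() if len(c) > 1}
```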
Splunk and Zenoss
Splunk’s goal is to provide indexing for all IT data, allowing access to information in a way that aids troubleshooting in record time. Zenoss’s new VMware capability is also a time-saver when monitoring your infrastructure, as described above. These complementary products, again, are must-haves.
Zenoss’s open source model is to provide Zenoss Core free. This includes most features that smaller organizations need. There are also many community-developed ZenPacks (add-ons) available. The types of things reserved for the Zenoss Enterprise version are generally specialty hooks to commercial applications or other very advanced features. Zenoss has chosen to provide a fully functioning Core product that works for most smaller organizations, free and without limitations.
Splunk, on the other hand, limits the amount of data that can be indexed. After 500MB per day, it starts nagging you to purchase a license. All the features are there, but if you have a lot of data, you will need to purchase the license. Many medium-sized organizations can get away with never needing to get the non-free version.
Two excellent open source companies, two different ways of engaging the community and providing their products. Both methods provide smaller enterprises great benefits for zero cost, if desired.