In a previous post I did a comparison of ELK and Splunk. I will take a few minutes here to kind of explain what ELK is. ELK stack (Elasticsearch, Logstash, Kibana) is simply amazing. Each program making up ELK brings their own uniqueness and are vital parts to making the thing work. Elasticsearch provides the search capability for Kibana. Logstash is the receiver of all the logs being ingested into ELK. Kibana is the visual portion of the stack allowing for the searching, correlation, and dashboards. The picture below brings it all together for us.
Month: June 2015
I’ve been working on Bare Monkey for a few months now. Bare Monkey inputs a Windows memory capture and runs it against all Volatility plugins and outputs them to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates a tarball and a MD5 hash. The README and code can be found on my github at www.github.com/wiredpulse/BareMonkey.
You will have to change the extension to .sh and chmod 755.
Some of the benefits of the program are that Volatility will no longer be needed after the program runs, you can analyze the output with a text editor, and grep through the data rather quickly.
,,,, _,_) # /)
(= =)D__/ __/ //
C/^__)/ _( ___//
\_,/ -. '-._/,--'
_\\_, / -//.
\_ \_/ -,._ _ ) )
\/ / ) / /
\-__,/ ( ( (
)\_ / -(
When conversing about log collection and correlation on an Enterprise level, Splunk usually always comes up in the conversation. While I am an avid Splunk fan, outside of the free version, it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion. Through my research and hands-on experience with the two, I’ve formulated the below thoughts and comparison.
Splunk: Free up to 500MB a day. The paid version has unlimited indexing per day.
ELK: Free. There is a newer paid version that comes with support.
Splunk: One could have it up and running rather quickly. The amount of time already spent on (more…)