When conversing about log collection and correlation at an enterprise level, Splunk almost always comes up in the conversation. While I am an avid Splunk fan, outside of the free version it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion. Through my research and hands-on experience with the two, I’ve formulated the thoughts and comparison below.
Cost (Monetarily):
Splunk: Free up to 500MB a day. The paid version has unlimited indexing per day.
ELK: Free. There is a newer paid version that comes with support.
Cost (Time):
Splunk: One could have it up and running rather quickly. The amount of time already spent on improving the project, and its wide usage in the community, helps others get their SIEM up and running if issues do arise.
ELK: The time needed to understand the intricacies is far greater than that of Splunk. With a dedicated team working on this project the time could be significantly reduced, but that would eat into the monetary investment. Not to mention that relying on three different open source software packages could cause some issues in the future, especially if one of the projects is no longer supported. That is a small risk, but still a risk.
Installation:
Splunk: Lots of documentation exists and one could be up and operational in minutes. It’s basically a “follow the defaults” type of installation.
ELK: Installation requires installing the three different software components. Installation of each takes a couple of minutes, but issues could arise depending on the OS it’s installed on. There are a few points during the installation of each where one can test whether that component is working correctly.
Plugins:
Splunk: There are a ton of apps available (free and paid) in their app store.
ELK: Fewer apps exist and they come from a number of different vendors, but they will meet most organizational needs. There also seems to be no validation process for said apps. There is a lot of DIY associated with this project.
Training:
Splunk: Because Splunk is much more established and widely used, its formal training opportunities are greater. There are also a decent number of videos and tutorials available on the web.
ELK: Formal training does exist as well, but fewer people have heard of ELK and use it, and therefore the demand is not as great. With a few hours to dedicate, one could learn the system well enough to meet an organization’s needs. The input, filter, output portion of Logstash is probably the most challenging piece of it all.
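To show what that input, filter, output structure looks like in practice, here is an added example pipeline (my own illustration, not from the original post or the Logstash project) that reads a syslog auth log, pulls sshd login failures into searchable fields, and ships them to Elasticsearch. The log path, the Elasticsearch host, the index name and the sample line in the comment are assumptions for the example.

```conf
input {
  file {
    path => "/var/log/auth.log"        # assumed path; change it for your hosts
    start_position => "beginning"
    sincedb_path => "/dev/null"        # testing only: re-read the whole file on every run
  }
}

filter {
  # Split the standard syslog envelope into timestamp, logsource, program, pid, message.
  # SYSLOGLINE is a stock grok pattern; overwrite keeps "message" as a string, not an array.
  grok {
    match     => { "message" => "%{SYSLOGLINE}" }
    overwrite => ["message"]
  }

  # Constructed sample of what the inner message looks like after the first grok:
  #   Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
  if [program] == "sshd" {
    grok {
      match => { "message" => "Failed password for (invalid user )?%{USERNAME:ssh_user} from %{IP:src_ip} port %{NUMBER:src_port:int}" }
      add_tag        => ["ssh_auth_failure"]   # easy to pivot on in Kibana
      tag_on_failure => ["_not_ssh_failure"]   # other sshd lines are kept, just untagged
    }
  }

  # Use the syslog timestamp as the event time instead of the time Logstash read the line.
  date {
    match  => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]  # assumed; point at your cluster
    index => "auth-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }         # prints each parsed event while you debug the filters
}
```

Run it with `bin/logstash -f <this file>` and watch the rubydebug output until the fields look right, then drop the stdout block.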
If given the choice, I would have to side with ELK. The possibilities are endless!