One of the most popular comparisons on PeerSpot is IBM QRadar vs Splunk.
People like you are trying to decide which one is best for their company. Can you help them out?
Which of these two solutions would you recommend for Log Management? Why?
Thanks for helping your peers make the best decision!
--Rhea
As all consultants say...it depends.
The elements I would factor in are:
1) How are they staffed?
2) What groups outside of security will use this tool?
3) Is this for SIEM or log management?
4) Size of environment
For the "how are they staffed" question, I think if you have developers and scripting expertise in house then this makes for a strong case for Splunk. If not, then Q-Radar may be a better fit.
The next question... "what groups outside the security group will use this tool?" Splunk does a lot of things that are really nice-to-haves, but don't necessarily fall into the security space. So if folks outside of the security team will use the tool and subsequently help fund the endeavor, this makes a strong case for Splunk. If this is a pure-play security need, then out of the box, I feel this is a strong case for Q-Radar.
Is this for SIEM or log management? By default Splunk is not a SIEM; once you buy the SIEM/Security license, then it becomes a SIEM. That being said, it does log management and analytics very well. Out of the box Q-Radar is a very effective SIEM with tons of pre-set rules. So obviously, if this is a pure-play log management move, then Splunk becomes a strong choice here.
Size of environment. Because the Splunk licensing model is based on the number of events being produced in your environment, this is a factor that must be considered. Q-Radar, on the other hand, is one of the most straightforward SIEM installations, with the shortest time to value out there. As such, it has often been associated with small to mid-sized organizations.
There are other factors out there to consider... this is by no means an all-encompassing list; however, I feel if you ask yourself these questions, at a minimum, then your answers become a lot clearer.
It depends on the intended purpose of the tool and the type of people implementing it. Q-Radar tends to focus its out-of-the-box reports on compliance reporting, as well as behavior-based tracking that is arduous for the DIY script writer. Having used both, they are both great platforms that take quite a bit of training to fully understand and wring the most value from. Once you are at a steady state of log analysis, Q-Radar tends to be more useful on exploring "what we don't know" while Splunk tends to focus on confirming what I suspected, but didn't have the evidence for.
If you love scripting and going after known deviations, there are a lot of Splunk consultants and expertise for hire. This makes Splunk slightly better for small organizations. If known deviations are "table stakes" and your focus is on exploring risks currently unknown to you... then Q-Radar is the better option, in my opinion. Q-Radar's learning curve used to be slightly steeper than Splunk's... but I've heard there is more automation and better training on Q-Radar in the past few years.
I had been looking at the Security Analytics Platforms from the top right quadrant in the Gartner and Forrester reports and found that [architectural] use-case really matters.
For my business I was looking to build a shared environment that would service multiple customers, so multi-tenancy, data security, role-based access controls and self-service-ability were key requirements. For the purposes of providing the SOC a single pane of glass I needed a single configurable dash, and in a single-tenant environment both (Splunk and QRadar) could do it, but in a multi-tenanted scenario only one could do it, at least without having to add unnecessary systems.
Also, I didn't want to spend too much time on integration, setup and configuration so having [SIEM] use cases and compliance reporting available out-of-the-box and integration with common devices and OS had to be part of the base offering allowing the team to install and start using it immediately.
For me QRadar ticked all the boxes. Additionally, a vast range of free apps, which include user behavioral analytics, is available, letting you leverage its analytics engine.
That said, Splunk is an effective analytics platform that has use cases outside of SecOps. You will need to have the depth of certified knowledge, expertise and deep pockets to make effective use.
First of all, I'm a Splunker (by religion, not by employment :)), which makes my opinion a bit subjective.
It really depends on what you are expecting from the solution and how skilled and how ready for new approaches you are.
QRadar is great as a pure SIEM solution. Easy to use, super integrated with common devices, fantastic correlations and reports, everything expected from a top SIEM solution.
Splunk, on the other hand, offers much more. Splunk is more a general-purpose big-data collecting platform, used to search and find anything very quickly and correlate any data, without prior knowledge of the data structure. SIEM is just one purpose to use Splunk for, often better suited and equipped than competitive SIEM solutions, because it always uses ALL data, not just the normalized data. However, a newbie to Splunk might find the search-oriented GUI, and an approach more advanced than competitors', rather confusing. Believe me, once you get used to the philosophy of Splunk and get familiar with its usage, there is no way back to any other tool.
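The contrast the post above draws, searching raw data with no predefined structure versus a SIEM that normalizes at ingest and keeps only known fields, can be shown in code. The following Python is an added example written for this page, not code from the thread or from either vendor: the three log lines are constructed, and the fixed SCHEMA and the query regexes are assumptions chosen for the illustration.

```python
import re

# Constructed sample events (not real logs). The third line carries keys
# (ua, bytes_out) that the fixed normalization schema below never anticipated,
# and the second line is free text with no key=value pairs at all.
RAW_EVENTS = [
    "2024-03-01T10:00:01Z fw01 action=deny src=10.0.0.5 dst=203.0.113.9 dport=4444 proto=tcp",
    "2024-03-01T10:00:02Z bastion sshd[913]: Failed password for invalid user admin from 10.0.0.5 port 51522 ssh2",
    "2024-03-01T10:00:03Z proxy01 src=10.0.0.5 dst=198.51.100.7 method=POST ua=curl/8.4 bytes_out=1048576",
]

# Assumed fixed schema of the kind a normalize-at-ingest SIEM applies:
# only these keys are kept; everything else is gone once the raw line is dropped.
SCHEMA = ("src", "dst", "dport", "action")

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_on_ingest(raw_events, schema=SCHEMA):
    """Schema-on-write: parse key=value pairs and keep only the schema's fields."""
    rows = []
    for line in raw_events:
        fields = dict(KV_RE.findall(line))
        rows.append({key: fields.get(key) for key in schema})
    return rows


def search_raw(raw_events, pattern):
    """Schema-on-read: every raw line is retained; fields are extracted by the
    query's own regex at search time, so unanticipated keys are still reachable."""
    rx = re.compile(pattern)
    hits = []
    for line in raw_events:
        match = rx.search(line)
        if match:
            hits.append({"_raw": line, **match.groupdict()})
    return hits


def large_curl_uploads_normalized(rows, threshold):
    """Ask the normalized table which hosts pushed large uploads via curl.
    bytes_out was never kept, so this finds nothing regardless of threshold."""
    return [row for row in rows if int(row.get("bytes_out") or 0) > threshold]


def large_curl_uploads_raw(raw_events, threshold):
    """Ask the raw events the same question, extracting the fields on the fly."""
    pattern = r"src=(?P<src>\S+).*\bua=(?P<ua>curl/\S+).*\bbytes_out=(?P<bytes_out>\d+)"
    return [hit for hit in search_raw(raw_events, pattern)
            if int(hit["bytes_out"]) > threshold]


if __name__ == "__main__":
    rows = normalize_on_ingest(RAW_EVENTS)
    print("normalized rows:", rows)
    print("large curl uploads (normalized):", large_curl_uploads_normalized(rows, 1_000_000))
    print("large curl uploads (raw search):", large_curl_uploads_raw(RAW_EVENTS, 1_000_000))
    print("ssh failures (raw search):", search_raw(
        RAW_EVENTS, r"Failed password for invalid user (?P<user>\S+) from (?P<src>\S+)"))
```

The trade-off is visible in the same code: the raw search answers a question nobody planned for at ingest time, but each such question needs someone to write the extraction, and a regex over every stored line costs far more than an indexed column. That is the staffing and learning-curve point several other answers in this thread raise.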
The biggest difference is that QRadar brings a lot of interesting embedded functionalities (UBA, Watson, DataFlow) that make the difference from a cybersecurity perspective, whereas Splunk is more open than QRadar.
Both Splunk and IBM QRadar are amazing technologies for SIEM. I would recommend QRadar for pure information security purposes. If you really need to do more than SIEM and information security tasks, you should look at Splunk. I used Splunk for fraud control and monitoring and it is amazing. You can consume any kind of data and do so many things. Your imagination is the limit. I'm a big Splunk fan!
We have always used IBM QRadar so I guess I am partial to that solution. I have researched Splunk, LogRhythm, Alien Vault, etc but we just have never made that transition. I am uncertain about Splunk reporting but I agree with Tim in that QRadar does offer extensive compliance-related reporting. I would also add that IBM has done a lot in the past few years to open up their API to partners to allow for a greater interoperability between multiple tools. So the integration between multiple tools is getting better. Unfortunately for us most of those tools are not used in our environment.
The answer of course is, it depends. They are both great tools. In my experience, Splunk would be viewed favorably by teams that prefer scripting and building their own capabilities. Splunk also has an add-on ES module that is pre-configured to address many common security/compliance reporting needs. I have less experience with Q-Radar relative to Splunk; however, I did recommend Q-Radar to a company who wanted something they could deploy rapidly to satisfy a HIPAA reporting requirement. My observation is that Q-Radar may have more compliance-related reporting out of the box relative to Splunk.
In my personal opinion Splunk Enterprise Security is best, but as per the experts, I don't know which one is best.
I have no experience with IBM QRadar, but if it comes with a built-in dashboard like SolarWinds LEM or Oracle Vault it would be one step up. If we could tie this into the other IBM analytical tools, that would be awesome.
Splunk is Splunk. It does the job and allows for different options, but what I see is some dashboard building and tweaking, which is needed for big enterprises. Mine is small and I don't have resources to throw at Splunk. I need more of an "out of the box" solution.
I have reviewed both products.
If I compare IBM Qradar vs Splunk, I would suggest Splunk.
Splunk:
• Extensive log collection capabilities across the IT environment
• Log search is highly intuitive and customizable
• "App Store" based architecture allowing development of Splunk plugins to suit monitoring & analytics requirements
• Handles multi-step investigations: trace activities associated with compromised systems and apply the kill-chain methodology
Qradar:
• Limited customization capability
• Limited multi-tenancy support
• Limited capability to perform advanced use case development and analytics
Apart from Qradar and Splunk, I can suggest another SIEM/log management product: LogPoint SIEM
LogPoint SIEM
• Very simple deployment, configuration and easy to use
• The built-in scaling architecture enables enterprise-wide implementation
• Captures data exfiltration attempts and information leakage through emails and file sharing applications
• Simple and Flexible Administration
• Comparatively cheaper pricing model
I would recommend Splunk every day of the week. Splunk is not only a SIEM like no other on the market, through its flexibility and ease of handling while being uniquely effective in adapting to new and changing threats; thanks to the platform architecture, it is also quite simply and effectively extendable to satisfy additional use cases such as infrastructure, compliance or user behaviour monitoring.
There are literally no limits to what Splunk can do with your data.
Splunk - in a heartbeat.
I have never lost a sale to Q-Radar
I have never heard of a customer replacing Splunk with Q-Radar (but lots of companies talk about replacing Q-Radar with Splunk).
As a Security SIEM, Splunk is simply better. I have no idea why IBM is ranked as high as it is in the Gartner Magic Quadrant, but the company I work for has invested substantial efforts in evaluating which tool we would use for our managed service (which we provide to global banks and global retail organisations), and our decision was to select the best solution. Sorry link. Period.
It is a strategic platform that has the ability to provide valuable business insight to every part of the organization.
Finally, if all the global retail and financial services are choosing Splunk (as is every organization who takes cyber seriously), then why would you risk your reputation, or your business, by choosing anything else?
One of the most popular comparisons on IT Central Station is IBM QRadar vs Splunk. People like you are trying to decide which one is best for their company. Can you help them out? I can speak from my personal experience on Splunk as a product & vendor, and I can speak to IBM QRadar more generally – not having used it directly.
Which of these two solutions would you recommend for Log Management? If the need/requirement is simply Log Management, I would recommend Splunk over QRadar. However, I might recommend other tools over Splunk.
Why? QRadar is designed and advertised as a Security Information & Event Management (SIEM) system, which is actually only one piece of a larger IBM QRadar Security Intelligence Platform. Where Splunk makes packages that are easy to deploy and manage yourself, with a great community of like-minded Splunk’ers to lean on, IBM sells a complex ecosystem of products in a framework of tools that require special knowledge and/or IBM Global Services to deploy & manage. However expensive Splunk products are, the cost for IBM tools is greater when accounting for all technical debt (services, skilled labor, infra, extras, etc.).
None are "log management" tools, and Splunk is not a SIEM, nor is the Enterprise Security add-on. When you say "log management" I can infer log retention, historics, data analysis, so I think that the question needs to be further refined to make sense of what you're asking, versus getting a bunch of fanboy answers: "X is the market leader because..."
Splunk has its place, as does QRadar; they are two completely different products performing completely separate functions. QRadar is a SIEM that ingests logs and makes security sense of them. Splunk ingests logs and waits for your input on what you want it to do. Splunk Enterprise Security is not (for the love of anything holy) a SIEM, as much as it tries to be.
Presently I monitor over 210k endpoints, and am generating massive amounts of logs in Splunk. I DO NOT use it as my go-to for anything, but rely on experienced colleagues and a variety of tools that take a lot of time and effort to track down and analyze whether something is an incident versus an event. With QRadar, it would alert me since it already has thousands of offenses and events out of the box. The downside? Putting together metrics and pie charts is not an option, because that is NOT what it was designed for. Similarly, Splunk was NOT designed to be a SIEM, and even Splunk the organization has spelled this out repeatedly.
IMHO I think your question should be clarified as to what you mean by "log management." I could throw up syslog systems and effectively manage my logs. What are your objectives for these logs?
If you are looking for log management you can choose Splunk or QRADAR Log Manager. If you are looking for a SIEM, QRADAR is the number one in SIEM. You can also choose Splunk, but ask for the complete SIEM solution.
My recommendation is QRADAR with Watson Advisor
Both Splunk and Q-Radar will likely meet your baseline requirements. And both offer solutions partnered with orchestration tools for your current automation needs. The one differentiator I highly recommend you look at is available integrations: which integrations with existing products in your environment do you need to achieve your goals this year? And which integrations do you see your organization needing in the next 1-3 years? If both Splunk and QRadar provide the integrations you need, which of the two has the most maturity with the integrations that matter most?
I would recommend LogPoint because it’s agile, flexible and has a fair node-based pricing model. So it’s easily scalable, can be used within a company’s business lines while sticking to the group’s framework contract, and there is no project issue with pricing.
The software itself has many agents (i.e. SAP) and uses a big data approach (normalizing data at collection time) with the advantage of fast analyst work later.
Only Splunk
Let me point you to this interesting comparison. Personally, I prefer QRadar; the reasons are shown in the SlideShare presentation.
www.slideshare.net
I have no experience with Q-Radar, only Splunk.
To be very clear, it depends on the size of the infra and the number of users.
I wouldn't choose IBM if there are more than 10,000 users; I would prefer ArcSight.
Then for log management, Splunk is better, but same point as above: it depends on the size and also the objective, because Splunk might be expensive if a lot of use cases need to be done.
We are using ArcSight as a SIEM and I am very satisfied, but for the log management I would prefer Splunk over ArcSight Loggers.
ArcSight is better if the infra to monitor is big and if the objectives are numerous, due to its flexibility and power.
Splunk would probably be a lean solution unless you guys are a heavy IBM shop. Splunk is a lot more lightweight and probably will be cheaper as well.
It should be neither of these two if you are looking for log management. Arcsight is one good product I have come across for log management.
IBM QRadar - because of ease of deployment and management. Plus the cost for expansion is much higher with Splunk. But if money is not an object and you have tech-savvy security people, go for Splunk. It's the best in class for log management and correlation.
Splunk
This will largely depend on the use case.
For security use cases I still have a preference for QRadar, but any of those products is a step in the right direction.
The most important thing is be loyal to the choice and use the tool to its full potential.
Regards
Hans
Unfortunately, the question is not so easy to answer. The use of different products depends on the requirements and the size of our customers. Based on these requirements, we review the use of Arcsight (ADP), Splunk, IBM QRadar or Tripwire Logmanager. The orchestration between log management and SIEM in harmonizing customer requirements results in the use of the right software.
Today, our SOCs not only monitor data flows but also the use of our Security Robotics and Facility Automation Systems and Energy Systems (like block heat and power plants, photovoltaics, heating systems, power banks, redox flow systems, etc.).
AristotleInsight.com. Only solution that incorporates Bayesian filtering to drastically reduce noise. Been 'next generation' for the last 5 years and at an affordable price.
I would recommend RSA NetWitness Suite.
I really don't agree with the answers saying that Splunk and QRADAR are not log managers. The QRADAR Log Manager product is a full log management solution. In this version there is no SIEM, but we can correlate events coming from the same log source. Splunk with an additional licence is also a log manager, but you must customize and develop your own scripting and dashboards.
Quick answer is neither... since both of these are not log management tools.
We are using LogRhythm.
The simple answer, and correct answer, is neither.
Can either application automatically repair your network when it slows or crashes? (Automated remediation)?
Can either application provide preemptive real-time diagnosis of your network events in order to avoid problems?
Can either application provide preemptive real-time diagnosis of events/data as they attempt to enter your network (not just appear on your screen after a 4-10 second delay)
Can either application process 4TB per day on 4 servers, or do they require more than 100 servers, or even 200 servers?
Can either application process between 50,000 – 100,000 events, PER SECOND, on a single server?
Can either application deduplicate log data, meaning that up to 95% of that data flow is reduced, while retaining the integrity to rebuild exactly the correct data stream for any audit?
Can either platform search over 250 million events over 14 days, in about 10 seconds, or does it take 10 minutes?
LogZilla LZ5 does all of this since it is a full NetOps platform that has moved WAY beyond simple log management applications. LZ5 listens, learns and resolves (automatically) – and can do so over the cloud.
Check it out with a free trial. Find out why Network engineers are truly amazed. www.logzilla.net
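The deduplication claim in the post above (cut the stored data flow while still being able to rebuild the exact stream for an audit) is something a practitioner can check rather than take on faith. The following Python is an added example written for this page, not LogZilla's or any other vendor's code: the syslog-style stream is constructed, the assumption that the first whitespace-delimited token is the timestamp is the example's own, and the 4-byte per-entry id cost used in the ratio is an estimate.

```python
import hashlib


def build_sample_stream():
    """Constructed sample stream (not real data): a noisy burst of repeated
    interface-flap messages with a few distinct ACL-deny events mixed in."""
    lines = []
    for i in range(300):
        ts = f"2024-03-01T10:{i // 60:02d}:{i % 60:02d}Z"
        if i % 100 == 50:
            lines.append(f"{ts} core-sw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
                         f"10.0.0.{i}(4444) -> 203.0.113.9(22), 1 packet")
        else:
            lines.append(f"{ts} core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, "
                         "changed state to down")
    return lines


def split_line(line):
    # Assumption: the first token is the timestamp; the rest is the message body.
    ts, _, msg = line.partition(" ")
    return ts, msg


def dedupe(lines):
    """Lossless dedup: store each distinct message body once, plus an ordered
    sequence of (timestamp, message id) so the original order is preserved."""
    ids = {}          # message body -> id
    messages = []     # id -> message body
    sequence = []     # (timestamp, id) in arrival order
    for line in lines:
        ts, msg = split_line(line)
        mid = ids.get(msg)
        if mid is None:
            mid = len(messages)
            ids[msg] = mid
            messages.append(msg)
        sequence.append((ts, mid))
    return messages, sequence


def rebuild(messages, sequence):
    """Reconstruct the exact original line stream from the deduplicated form."""
    return [f"{ts} {messages[mid]}" for ts, mid in sequence]


def stream_digest(lines):
    """Digest over the whole stream; used to prove the rebuild is byte-exact."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode())
        h.update(b"\n")
    return h.hexdigest()


def verify_roundtrip(lines):
    """True only if dedupe followed by rebuild reproduces the stream exactly.
    Run this before discarding raw logs that an audit may later demand."""
    messages, sequence = dedupe(lines)
    return stream_digest(rebuild(messages, sequence)) == stream_digest(lines)


def reduction_ratio(lines, messages, sequence):
    """Fraction of raw bytes saved. Assumes each sequence entry costs its
    timestamp plus a 4-byte id; the real figure depends on how repetitive the feed is."""
    raw_bytes = sum(len(line) + 1 for line in lines)
    stored = sum(len(m) + 1 for m in messages) + sum(len(ts) + 4 for ts, _ in sequence)
    return 1 - stored / raw_bytes


if __name__ == "__main__":
    stream = build_sample_stream()
    msgs, seq = dedupe(stream)
    print(f"{len(stream)} lines -> {len(msgs)} distinct messages")
    print(f"round-trip exact: {verify_roundtrip(stream)}")
    print(f"bytes saved: {reduction_ratio(stream, msgs, seq):.1%}")
```

Two caveats the vendor text does not state: the saving is entirely a property of how repetitive the feed is (the constructed burst here saves roughly three quarters; a feed of unique events saves nothing), and the digest check is what turns "deduplicated" into "auditable", so keep the raw copy until that check has passed.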
One of the most popular comparisons on IT Central Station is IBM QRadar vs Splunk.
People like you are trying to decide which one is best for their company. Can you help them out?
Definitely, both are very good, and the specific complexity of each environment will define what you will need.
Which of these two solutions would you recommend for Log Management? Why?
I would definitely recommend Splunk. It has a powerful correlation engine, constant updates to the product, an effective cost-benefit ratio, and scalable architecture models; these keys make me think that it is the right solution.
Both of these products are leaders in their space, but the selection of the product is subject to the purpose of use and the support available in the respective country.
If your intended purpose is log management, the choice would be Splunk, but if it's for Security/Event Management it would be QRadar. In my opinion, QRadar has a slight edge over Splunk in terms of Security/Event handling.
Other key criteria for selection are the support/expertise availability in your respective countries, because configuring and operating these products requires immense effort/expertise...
Splunk is much more nimble but requires a lot of product knowledge to properly set up, which adds to the implementation cost. IBM’s products all come with implementation, but the tradeoff there is in customizability.
All things being equal, if the budget were there, I would choose Splunk between the two.
Splunk is a great tool that can be used for a lot of business analysis. If I were looking for a SIEM between the two, I would choose QRadar, although I am not a fan of it. Like Splunk, to get a lot of value and granular detail beyond the canned reports, you need someone who knows what they are doing. Then you have to have someone that knows/understands what they are looking at. Having dealt with both, I am comfortable suggesting small orgs look to a provider.
There are great 'services' to accomplish what either of these generally do. Small organizations would be good to look at other options.
I agree with Loren Buhle
I would strongly recommend Splunk to be a log manager not only for IT Security Incident Response but also System admin and IT Audits. The current Splunk version adapts much better than versions of IBM Qradar or especially ArcSight.
I would choose Q Radar (Security Intelligence Platforms):
Whilst Splunk is highly rated by Gartner, we do not see it as a commercial threat. The IBM support team summarised Splunk as being a very good collection tool with very poor analytics. Plugins are available for Splunk users to take advantage of IBM Q Radar's analytics.
QRadar
Have used both.
Splunk is much better.
We have been using Loganalyzer for some time coupled with Spiceworks, and the experience has been good. Both are open source, so there is an additional benefit of zero cost.
We implemented Splunk.
Absolutely Splunk Enterprise Security. Splunk is the market leader. The list of customers who used to have competitive solutions and switched to Splunk is growing.