
Alternative to Splunk: Pandora FMS as a monitoring tool

December 5, 2019


Pandora FMS as an excellent Splunk alternative: let’s review both!

The American magazine Fortune covers global banking, business and finance. What does that have to do with monitoring? In one of its annual lists, the Fortune 100 (the largest companies by revenue), 92 companies use Splunk software. If we judged by volume of money alone, Splunk would be the best software and this article would end here.

But if your company or organization is still on its way to appearing in Fortune, spend a few minutes discovering our Splunk alternative!

Splunk Background

Splunk is software specialized in Big Data, developed by a company of the same name. The company has clients in 74 countries and is headquartered in San Francisco, California, USA. It went public in 2012 and by 2018 had a market capitalization of more than $14 billion, a very large amount of money indeed.

But how can Pandora FMS be a Splunk alternative? To answer that question we first have to analyse what Splunk does.

Saying exactly what Splunk does is somewhat difficult, because Splunk is really several things. The server is one product; data reaches it from endpoints through Splunk's own Universal Forwarder, and third-party agents such as uberAgent (a product of vast limits, not of Splunk, which, as its name suggests, is installed on the client side) feed it additional data. On top of that sits a large number of third-party applications grouped under the name Splunkbase. From my point of view this is a confederation of applications and companies: first you acquire Splunk, then the agents you need, and then you acquire and/or develop specialized applications (if necessary).

Technology

uberAgent for Microsoft Windows was released in 2013 and for macOS in 2018; these are the two platforms this software agent supports. Remember that a software agent is a small piece of software installed on an operating system that keeps running there, extracting monitoring information and sending it to the corresponding server at regular intervals.

In the case of Splunk, the piece that communicates directly with the Splunk server is the Universal Forwarder: a lightweight agent whose job is to ship data, with very limited collection functions of its own. uberAgent fills that gap on the monitored machine, gathering detailed user-experience and application metrics and handing them on to Splunk.

The next step is to download, after registering our personal data, the Splunk Universal Forwarder, which handles all communication with the server, and then install the add-on for Microsoft Windows® to collect OS update events, hard-drive usage, network traffic, user logins (successful and failed), device uptime, etc. Pandora FMS is an alternative to Splunk here because it has a WMI (Windows Management Instrumentation) server dedicated to exactly this purpose, which queries Windows hosts remotely without installing anything on them, and which we can even run on a separate machine if we have a large number of devices with this operating system. The WMI server is only one of the fourteen servers (some of them Enterprise-only) that make up a Pandora FMS server; they do not all have to run on the same computer, which is why I speak of a "centralization" that is not really one.

Splunk offers a free edition, which Wikipedia describes as free but which is actually limited to indexing 500 megabytes of data per day on a single instance. Here Pandora FMS again stands out as an alternative to Splunk, because its Community version is fully functional and comes with many basic add-ons developed by the community as free and open-source software: apart from a digital identifier used for purely statistical purposes and for version updates, it runs completely standalone, with no other limitation.
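As an added illustration of the kind of data such a Windows collector gathers (this is example code written for this article, not the Splunk add-on, uberAgent or the Pandora FMS WMI server), the following PowerShell snapshot reads the same categories the paragraph above lists, disk usage, uptime, installed updates, network counters and successful/failed logons, through CIM and the Security event log, and emits them as JSON that any agent or forwarder could ship on. Assumptions made here: it runs locally with administrative rights (reading the Security log requires them), the one-hour look-back window is a chosen default, and event IDs 4624/4625 are used for successful and failed logons.

```powershell
# Added example: a minimal Windows host snapshot (disk, uptime, updates, network,
# logons) in the spirit of what a monitoring agent or a remote WMI query collects.
# Not the code of Splunk, uberAgent or Pandora FMS. Requires administrative rights
# to read the Security log; run it locally on a Windows host.

function Get-HostSnapshot {
    param(
        # Look-back window for logon events (assumption: one hour by default).
        [int]$LogonHours = 1
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Fixed disks only (DriveType 3); percent free is what alert thresholds usually key on.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object {
            [pscustomobject]@{
                Drive       = $_.DeviceID
                SizeGB      = [math]::Round($_.Size / 1GB, 1)
                FreeGB      = [math]::Round($_.FreeSpace / 1GB, 1)
                PercentFree = if ($_.Size) { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } else { 0 }
            }
        }

    # Installed updates (the "OS updates" category); newest five.
    $hotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn

    # Per-adapter byte counters; a collector samples these twice to derive a rate.
    $net = Get-NetAdapterStatistics |
        Select-Object Name, ReceivedBytes, SentBytes

    # Security log: 4624 = successful logon, 4625 = failed logon.
    $since  = (Get-Date).AddHours(-$LogonHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # The event XML carries the account as EventData/Data[@Name='TargetUserName'];
    # counting failures per account is the first thing a password-spray check looks at.
    $failedByUser = @{}
    $success = 0
    foreach ($e in $events) {
        if ($e.Id -eq 4624) { $success++; continue }
        $xml  = [xml]$e.ToXml()
        $user = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if (-not $user) { $user = '<unknown>' }
        $failedByUser[$user] = 1 + [int]$failedByUser[$user]
    }

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        CollectedAt   = (Get-Date).ToString('o')
        UptimeHours   = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
        Disks         = $disks
        RecentUpdates = $hotfixes
        Network       = $net
        LogonsOK      = $success
        LogonsFailed  = $failedByUser
    }
}

# Emit as JSON so any collector (agent, forwarder or script) can ship it on.
Get-HostSnapshot | ConvertTo-Json -Depth 4
```

The Pandora FMS WMI server obtains the CIM part of this picture remotely, over WMI, with no agent on the host; the Security-log part is what an on-host agent or a Windows event-log add-on collects. Whichever side does the collecting, the failed-logon counts per account are the field worth alerting on, since a single account failing many times in an hour and many accounts failing once each are two different attacks.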

Architectures

Pandora FMS stands out for its flexibility; it has a modular architecture divided into two components, server and console, plus modules that we can install according to our needs. While I recognize that Splunk has a fairly simple architecture, supported by applications that can run independently, it does not reflect the real world with its large number of network topologies.

For example, the Splunk Universal Forwarder can be configured to accept data from other hosts and pass it on (an intermediate forwarder), which is roughly what a Pandora FMS broker agent does for many devices, whereas uberAgent only reports on the device where it is installed. The forwarder can be restricted to accept data only from specific addresses, and here I note another point in favour of Pandora FMS as a Splunk alternative: the Tentacle protocol, a file-transfer technology developed in-house, which can run over TLS with server and client certificates to protect the privacy of our data as it travels from one site to another. Bear in mind that this encryption is optional: Tentacle sends data in clear text unless the server and the agents are configured with certificates.

[Figure: Splunk architecture (Creative Commons License)]

In addition, the Pandora FMS Enterprise version has the Satellite server, which allows monitoring of networks that are unreachable from the "central" server and can also work without software agents; it also supports protocols such as SNMP for switches, routers, etc.

Installation

Both applications are deployed in similar ways: the servers are installed centrally by a network administrator, and the software agents either one by one or by means of their corresponding server. Remember that there are now many third-party technologies for mass deployment of servers and applications, and even of complete runtime environments (Docker, for example).

Log monitoring

I must admit that the capacity of this software is amazing: it absorbs terabytes of data without any problem! If you have enough money for hardware, I see no problem with it. Splunk's approach, as I understand it, is to collect everything massively and to do the filtering and sorting either on the client or on the server side. In other words, if you have enough infrastructure, go for it! Bear in mind, though, that Splunk licences are priced by daily indexed volume, so "collect everything" has a direct cost beyond the hardware. Since reality is usually different, Splunk also offers storage as a cloud service, which is an additional cost, but that is logical given the nature of Splunk.

While Splunk goes from large to small,
Pandora FMS goes from small to large.

How does Pandora FMS overcome this great challenge to be a Splunk alternative? It looks like a fight between David and Goliath. Yes, there is a small but powerful "weapon", and I will explain.

The Pandora FMS team has done its homework over the years. Since version 7.0 NG 712 (September 2017), the log storage and display system is no longer file-based; it uses Logstash combined with Elasticsearch. For this I recommend two separate, well-equipped physical servers (the documentation lists the recommended specifications): the greater the volume of data, the more equipment needed. For this reason I maintain that Pandora FMS is a Splunk alternative because, apart from matching it in log collection, it has the advantage of being a single product to install and configure, with the consequent saving of money and time!

As for the rest of the metrics (for example Goliat, the Enterprise web-check server, or the prediction server, a small artificial-intelligence component), they can be configured in a high-availability environment, addressing a fear always present in network administrators: depending on a handful of servers. This is possible thanks to the modular design and flexibility of Pandora FMS.

Before saying goodbye, remember that Pandora FMS is a flexible monitoring software, capable of monitoring devices, infrastructures, applications, services and business processes.

Do you want to know more about what Pandora FMS can offer you? Find out here.

If you have more than 100 devices to monitor, you can contact the Pandora FMS team through the following form.

Also, remember that if your monitoring needs are more limited, the open-source version of Pandora FMS is at your disposal. Find more information here.

Don’t hesitate to send your queries. Pandora FMS team will be delighted to assist you!
