The enterprise's infrastructure monitoring needs have evolved drastically over the years; more often, firms need operational intelligence regarding the health and performance of a myriad of IT assets: physical/virtual servers, applications/services, security devices, and more. System Center Operations Manager (SCOM) and Splunk are two leading solutions on the market for monitoring datacenter health and performance; let's see how they compare for keeping the enterprise IT ship afloat.
It's worth noting that although Splunk is quite proficient in IT operations monitoring, it isn't exactly a monitoring tool per se—the solution focuses on providing search, monitoring, and analysis capabities for log files and other types of machine data. Many firms will pair Splunk's analytics and trending capabilities with open source solutions like Nagios for monitoring and alerting.
In fact, a Splunkbase add-on even exists for integrating Splunk with SCOM. The component essentially fetches SCOM events/alert data and forwards it to Splunk, thereby making it possible to search and report on SCOM event/alert data from within the platform.
Much of an organization's operational and security intelligence can be derived from server and device-generated logfiles. But without an efficient mechanism for traversing and making sense out of this sea of data, firms are crippled in their ability to prevent outages and data breaches. Splunk's reputation as the "Google for logfiles" stems from its unification of logfile data from a myriad of systems and devices across an IT environment into a single interface.
The Splunk UI. Source: splunk.com.
With Splunk's platform, IT admin and operators can get a single pane of glass view into the collective state of their systems. And with over 1000 apps and add-ons in its Splunkbase library, the platform is capable of accomodating a wide array of data sources.
Acquired from Mission Critical Software in 2000, SCOM is a relatively newer addition to Microsoft's line of data center management tools. The flagship infrastructure monitoring solution uses an agent-based architecture to track the performance and availability of pre-defined "objects" in the environment: server hardware, system services, operating systems, hypervisors, or applications. Using SCOM, IT admin and operators can monitor these objects via a streamlined management console.
The SCOM UI. Source: microsoft.com.
It's worth noting that the product was completely rewritten in 2007 and now comes as part of System Center 2016. Systems Center 2016 includes other tools such as Configuration Manager for managing/enforcing configurations, Orchestrator for automating datacenter tasks, and Service Manager for incident response and change control.
Side-by-Side Scoring: Splunk vs. SCOM
1. Capability Set
Both solutions offer powerful monitoring capabilities for the enterprise, with specific benefits that vary per organization. For Microsoft shops, SCOM certainly offers more comprehensive monitoring coverage—even Office365 and Azure apps are covered. Organizations with a disparate toolset and heterogeneous environment may find Splunk a better fit.
2. Ease of Use
Splunk is relatively easy to deploy and use, offering users a set of dashboards with easily accessible features and intuitive configuration options. In contrast, SCOM is notoriously complex to and difficult to configure, run and maintain. That said, its interface will be immediately familiar to Windows-based IT admins and operators.
3. Community Support
Splunk boasts a large community of users and supporters and provides resources such as its Answers database and User Groups. SCOM have Technet resources at their disposal but not much else, save for Reddit and Google.
4. Release Rate
Both solutions have seen regular releases over the years: Splunk's enterprise offering is currently at version 6.5; as mentioned previously, SCOM was completely overhauled in 2007 and now comes as part of System Center 2016. Full release histories for SCOM and Splunk are available on the respective vendors' websites.
5. Pricing and Support
Both offerings are decidely enterprise-focused and priced according. Splunk's pricing structure is based on the volume of data processed: from a 1 GB/day perpetual license for $4,500 ($1,800 annually) to 100 GB/day for $1,500 ($600 annually). So the more data your organization processes with Splunk, the bigger the discount is.
System Center 2016/SCOM uses a core-based licensing schema that assumes a 16-core 2 processor server. 2 year licenses are available for the Datacenter and Standard Editions at $3,607 and $1,323, respectively.
6. API and Extensibility
SCOM does not provide an updated REST API, though SCOM 2012 offers an SDK for automate and extending its features and creating custom applications that access/manage its data. In contrast, Splunk's well-documented REST API gives developers over 200 endpoints for accessing every feature in the product, along with SDKs for popular languages.
7. 3rd Party Integrations
Splunk features over 1000 add-ons and apps in its Splunkbase app portal organized into 6 categories: DevOps, IT operations, security/fraud/compliance, business analytics, IoT/industrial data, and utilities. SCOM/Systems Center offers fewer options in this regard, but does provide integration packs for integrating with other vendors' products.
8. Companies that Use It
SCOM is in use by enteprises across the globe—ING, Vodaphone, Fibabanka, Infosys, MPhasis, and Equifax, among others. Similarly, Splunk counts over 12,000 enterprises and 80 of the Fortune 100 as its customers: Adobe, BlackRock, Coca-Cola, ING, Tesco, AAA, Staples, to name a few.
9. Learning Curve
Despite its intuitive SaaS interface, Splunk poses a moderate learning curve, especially when it comes to building expertise for carrying out more specialized analyses. This, however, pales in comparison to SCOM—from learning its terminology to managing/fine tuning alerts and reporting, novices should expect some difficulty gaining expertise with the platform.
Splunk scores a strong CSTAR score of 879—its otherwise good website perimeter security and strong resilience posture are only marred by lack of HTTP strict transport security and missing DNSSEC. SCOM's 689 CSTAR score is a result of various security flaws: server information leakage, lack of secure cookies, missing DNSSEC, and more.
Scoreboard and Summary
|Ease of Use|
|Pricing and Support|
|API and Extensibility|
|3rd Party Integrations|
|Companies that Use It|
|Total||4.4 out of 5||3.8 out of 5|
Enterprises with predominantly Windows-based environments will find System Center/SCOM in closer alignment with their needs, though again—many organizations have chosen to integrate the two, pushing SCOM events/alert data to Splunk for analysis and reporting. For tighter integration with other IT operations management and security tools, and in heterogenous environments, Splunk is a safer bet. In either case, be prepared to shell out a pretty penny for world-class infrastructure monitoring.
Monitoring tools have come a long way since the early days of Big Brother. Today's solutions have evolved into powerful software troubleshooting and performance analytics platforms capable of deconstructing and analyzing the entire application stack—infrastructure up—for bugs and issues.
As perimeter-based cyber protection falls to the wayside, a new breed of continuous security solutions are emerging that combine traditional endpoint protection with newer technologies like security information and event management (SIEM) and crowdsourced threat intelligence.