Jordan is quickly becoming a log guru amongst mortals. Keep an eye on logstash! I'm definitely looking forward to an alternative to Splunk, which is great -- but incredibly expensive at large scale.
I've found that it's great for a sort of RAD tool, but the functionality ends there because licensing and scalability are so expensive. The other problem is that it's so general-purpose that it reaches a point where integration with existing sort of FCAPS-compliant setups is more of a chore than anything. Best put, it sort of reminds me of an Oracle Application Express for logs. I can do most anything with it quickly to get a good handle on things, but in the end I'm going to take those ideas and make something better with them.
I use Splunk, and am a big fan of everything except the cost. It works well, but it gets very expensive, very quickly when you grow beyond the 500MB/day free limit. I'm basically only collecting very limited usage log type information, because of that limit.
It's not just the size limit that's a problem in Splunk; the user accounting is only in the paid version - the free version is completely open for anybody to browse and it's up to you to secure it.
Granular access controls are nice under certain scenarios, but adding a basic ACL isn't hard. "Can use Splunk" and "Can't use Splunk" is enough control for me at the moment, fortunately.
logstash doesn't currently support saved queries (if you mean letting you save queries you like for later, easy recall), but I'm open to all feature suggestions.
I'm not going to have any time for the next few weeks to try it out, but I'm really interested in using this as an open source alternative to logrhythm or arcsight for forensics, incident response and intrusion detection.
Believe me, if you can pull this off you will have a massively disruptive tool on your hands.
Interesting.
Finally someone implements an efficient, common-sense approach to log searching/querying.
I'll give it a try and, who knows, I can finally stop using the dinosaur-age 'less' command :)