Deployment Architecture

Distributed deployment to subsidiary companies

bkcarter
Path Finder

I have been researching Splunk for a couple of weeks now and I am in need of some guidance.

I work for an organization that has 8 subsidiary companies.
I was hired in February from one of the subsidiaries to oversee IT Security for the entire organization.

The subsidiaries range from very small single IT person shops to large corporations with billions in assets. Their networks support small web sites and also sites that receive millions of hits per day.

I am trying to put together a plan to manage logging from the parent company level. I need to be able to gather the data from each organization quickly (high speed networks interlink most of them), and be able to analyze the data so I can return reports to them in a timely manner.

In looking at Splunk, I realize that the data forwarders can be used as an option, however I am trying to avoid requiring them to install an additional element in their networks. Many of them already have syslog servers, Windows event logs, etc., but they are not gathered to a central repository. Support for Windows, Linux, Solaris, Cisco, Foundry, Brocade, VMware may be required. PCI compliance is also a requirement in some organizations.

I want to be able to have each company gather logs on their network, and then send them to the parent where they will be indexed, analyzed, and stored for historical reporting.

I realize this is a broad question, but I am attempting to get some initial direction with these constraints in mind. Can you please share your ideas with me as to what methods to look at?

I would appreciate any and all comments that will help me attain a centralized, managed solution, that can be non intrusive into each environment.

Thanks in advance for the help.

Bryan Carter


kristian_kolb
Ultra Champion

Well, that is a tough one to give a complete answer to. I'll give you some thoughts though.

  • Centralization.
    You don't need to send all logs to a central location. You can have a centralized & decentralized solution, so to speak, by installing Splunk indexers in each of the subsidiaries, so that local IT staff can benefit from having their log data available for fast searches etc. Then you can configure a central Splunk instance that can search all subsidiaries' indexed log data.

  • Impact on existing infrastructure. If you already have a syslog environment where you collect logs, you can keep on doing that. Just install a Splunk forwarder on the syslog servers, which reads and transmits log data as it gets written to disk. As for Windows Event logs, a forwarder is more or less necessary, even though you can gather log data over the network through WMI without installing anything on the host generating the log. That is not really the best way to do it, though, so forwarders are the way to go. Other text based logs can be read off of network shares that are mounted from the indexer (or a forwarder).

UPDATE:

To send WinEventlogs via syslog, you'd need some kind of agent, since syslog is not an option native to Windows. That agent can be Snare, syslog-ng or a Splunk forwarder.

If the Windows machines are already part of a syslog setup, then it's probably easier to install a forwarder on the receiving syslog server.

There are no really good reasons to break something that works well, just to have Splunk all the way.

If the Windows machines don't have agents, then go with Splunk forwarders. Depending on your planned architecture you can control and remotely configure the forwarders through the Deployment Server.

That was a starter, hope it helps you a little bit.

/Kristian
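As an added illustration of the layout Kristian describes (not configuration from the thread or from Splunk's own documentation): a universal forwarder installed on a subsidiary's existing syslog server reads the per-host files that rsyslog or syslog-ng already writes, ships them over TLS to that subsidiary's local indexer, takes its configuration from the parent's deployment server, and a search head at the parent searches every subsidiary indexer. All paths, hostnames, index names and certificate locations below are assumptions.

```ini
# --- on the subsidiary's syslog server: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Assumes the syslog daemon writes one directory per originating host,
# e.g. /var/log/remote/fw01.sub1.example/messages (constructed layout).
[monitor:///var/log/remote]
sourcetype = syslog
index = sub1_syslog
# /var/log/remote/<host>/messages -> path segment 4 is the originating host,
# so each event is attributed to the device that produced it, not to the syslog box.
host_segment = 4
recursive = true
disabled = 0

# --- same forwarder: outputs.conf (send to the subsidiary's local indexer over TLS) ---
[tcpout]
defaultGroup = sub1_indexers
# Wait for indexer acknowledgement so a dropped link does not silently lose events.
useACK = true

[tcpout:sub1_indexers]
server = idx01.sub1.example:9997
# Assumed certificate locations; certificates issued by the parent's internal CA.
clientCert = $SPLUNK_HOME/etc/auth/sub1_fwd.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/parent_ca.pem
sslVerifyServerCert = true

# --- same forwarder: deploymentclient.conf (forwarder config managed centrally) ---
[target-broker:deploymentServer]
targetUri = deploy.parent.example:8089

# --- on a Windows host with no syslog agent: universal forwarder inputs.conf ---
[WinEventLog://Security]
index = sub1_wineventlog
disabled = 0

# --- on the parent's search head: distsearch.conf (search every subsidiary indexer) ---
[distributedSearch]
servers = https://idx01.sub1.example:8089, https://idx01.sub2.example:8089
```

Keeping the indexers inside each subsidiary means the raw logs never have to cross the inter-company links; only search requests and results do.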

kristian_kolb
Ultra Champion

see update above. /k


bkcarter
Path Finder

Thanks for the ideas. Some of these companies are so small that I don't want to cause an impact, but they have to have it for PCI compliance. I have been looking at solutions that would send Windows Events to a Syslog server that has the forwarder on it. What are the pros and cons of that type of solution?
