
Small Deployment Splunk for SOC

gibranduatiga
New Member

Now I want to learn to build Splunk on a small scale for a SOC, but before that, let me give you a picture of the topology that I will build at home.

Is this topology right to build, and is it possible to run it as described?

For Details:
SH : 192.168.1.20
IDX : 192.168.1.21
UF1 : 192.168.1.30 | UF2 : 192.168.1.31 | HF1 : 192.168.1.32

Of all this, what I really need is to get data from Snort. I want to use the Firegen for Snort app, but that requires the help of the Splunk DB Connect app, which I will install on the HF. That way, the DB Connect app will later be connected to Barnyard2's MySQL database for Snort.

Please.. teach me and give me advice.. I want to learn more about Splunk.
Thank you

Links:

  1. DB Connect App - https://splunkbase.splunk.com/app/2686/
  2. Firegen for Snort App - https://splunkbase.splunk.com/app/4118/
  3. Splunk Docs - https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks
  4. Firegen Readme File - https://pastebin.com/VDXkR71n
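Since the question is whether this topology can run as drawn, below is the minimal set of Splunk configuration stanzas that wires the five hosts together, written as an added example for this page; it is not the poster's own configuration and not the shipped configs of the DB Connect or Firegen apps. It assumes the standard receiving port 9997, TLS between forwarders and indexer, that the Snort sensor's MySQL is reachable at 192.168.1.40 (an address not given in the post), a single sensor writing the stock Barnyard2 schema (event, signature and iphdr tables), a read-only MySQL account named splunk_ro, and DBX 3.x stanza keys; the sourcetype is a placeholder to be replaced with whatever the Firegen readme calls for, which this page does not reproduce.

```ini
# ===== UF1 192.168.1.30, UF2 192.168.1.31, HF1 192.168.1.32 =====
# $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = soc_indexers

[tcpout:soc_indexers]
# One indexer for now. To scale, list more as "host:9997,host:9997";
# the forwarder round-robins between them itself, so DNS load balancing
# is not needed for forwarder-to-indexer traffic.
server = 192.168.1.21:9997
# Assumption: the indexer listens with TLS (see IDX below). Without these
# lines the events cross the LAN in cleartext.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx.soc.local

# ===== IDX 192.168.1.21 =====
# $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
requireClientCert = true

# $SPLUNK_HOME/etc/system/local/indexes.conf
# Dedicated index so Snort data gets its own retention and access control.
[snort]
homePath   = $SPLUNK_DB/snort/db
coldPath   = $SPLUNK_DB/snort/colddb
thawedPath = $SPLUNK_DB/snort/thaweddb

# ===== SH 192.168.1.20 =====
# $SPLUNK_HOME/etc/system/local/distsearch.conf
# Normally written by "splunk add search-server", which also exchanges
# the trust keys; shown here only so the SH -> IDX relationship is visible.
[distributedSearch]
servers = https://192.168.1.21:8089

# ===== HF1 192.168.1.32: DB Connect reading Barnyard2's MySQL =====
# $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/identities.conf
[snort_ro]
# Assumption: a MySQL account granted SELECT only on the snort schema.
# Set the password in the DB Connect UI; it is stored encrypted.
username = splunk_ro

# $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/db_connections.conf
[snort_mysql]
connection_type = mysql
# Assumption: the Snort sensor's address; not given in the post.
host = 192.168.1.40
port = 3306
database = snort
identity = snort_ro
jdbcUseSSL = true
readonly = true

# $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/db_inputs.conf
[snort_events]
connection = snort_mysql
# Rising-column input: DB Connect checkpoints the last cid it saw and the
# "?" in the query is replaced with it, so alerts are not re-ingested on
# every poll. cid is a per-sensor counter, so this assumes one sensor.
mode = rising
tail_rising_column_name = cid
tail_rising_column_number = 2
query = SELECT e.sid, e.cid, e.timestamp, s.sig_name, s.sig_priority, INET_NTOA(i.ip_src) AS src_ip, INET_NTOA(i.ip_dst) AS dst_ip FROM event e JOIN signature s ON s.sig_id = e.signature JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid WHERE e.cid > ? ORDER BY e.cid ASC
input_timestamp_column_name = timestamp
interval = 60
index = snort
# Placeholder: replace with the sourcetype the Firegen readme specifies.
sourcetype = snort:db
```

Two checks before trusting the pipeline: confirm from the indexer that `splunk list forward-server` on each forwarder shows 192.168.1.21:9997 as active, and confirm the checkpoint advances between polls (DB Connect shows it per input), otherwise a restart of the HF will replay the whole event table into the snort index.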
1 Solution

adonio
Ultra Champion

hello there,
plenty of information is missing, examples:
how much data (GB per day) do you plan to ingest?
what are the indexer and search head specs? (CPU, memory, disk)
how many concurrent users (searches) are you anticipating?
do you plan to scale in the future?

however, your overall topology makes sense and seems like a good start
good luck, and please share your progress and challenges and we would love to assist on your journey

hope it helps



gibranduatiga
New Member

I am sorry for late reply..

I want to process as much as 20-50 GB of data per day.
For the IDX and SH specifications, for example:
Intel i7-5820K CPU 3.30GHz
32GB RAM with RAID

In the future I may scale up to a larger deployment as the need arises.

By the way, what about DNS load balancing? Do I have to implement it too?

thank you..... @adonio
