What is the DR approach of Splunk ES on AWS?

keffen611 · ‎10-17-2019

Hi everyone,

Assume the best practices of Splunk AWS is deployed on production AWS region (e.g. London).
How to design the DR of Splunk?
1. create another best practice design in another region (e.g. Paris) and extend the SH cluster and indexer cluster to the Paris region?
2. what if a hot-stanby is no required, is it able to take a whole of the Splunk (including VPC, AZ, subnets, Security groups, instances, EBS) and archive it in S3 bucket and restore it in Paris region manually?

Best Practice Architecture:
https://aws.amazon.com/quickstart/architecture/splunk-enterprise/

Thanks.

woodcock · ‎10-20-2019

This is a HUGE questions. What parts do you nee DRd? How much downtime can you have? Do you have budget/constraints?

adonio · ‎10-20-2019

the real question is, what is the problem you are trying to solve?
what is it you would like to protect against?
do you need DR for your search components? Index (data) components?
do you need HA?
Please share what is it that you would like to achieve

keffen611 · ‎10-20-2019

if the primary AWS region is down, we have to resume the SIEM in another AWS region within 4 hours.
no HA between AWS region is needed.
HA is required within same AWS region.
I need DR for search components and index components as the applications will also failover to the DR AWS region.

What is the DR approach of Splunk ES on AWS?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team