From the course: Splunk for Security Analytics and Monitoring

Splunk deployment planning

- [Instructor] A successful Splunk deployment means upfront planning. Thinking about your environment and how Splunk is going to serve you in your analytics and your visualization requirements based on ingested data. So let's think about what we would deploy in our environment to get Splunk up and running. The first thing to think about is whether you should be using Splunk Enterprise or Splunk Cloud, or perhaps both. Now remember, the distinction between the two. Splunk Enterprise can be a manual installation of the Splunk Enterprise software that you download on physical or virtual machines, whether they're on premises or in the cloud. In the case of the Amazon Web Services cloud, for example, you can quickly deploy Splunk Enterprise by using an Amazon Machine Image, an AMI, an A-M-I. An AMI deployment means you basically choose a Splunk Enterprise operating system image and quickly deploy the virtual machine, but it still gives you full configuration flexibility as if you had done a manual installation. You have full access to the OS and of course to the Splunk software. And it also means you have command-line or CLI support if you want to do some configurations or searches at the command line. But with Splunk Cloud, what we have is something different. We don't have to worry about the underlying infrastructure, the network setup, the virtual machines. Splunk Cloud means we have a managed cloud service where the underlying infrastructure and the installation is already done for us. So it's a very quick way to get up and running with Splunk. You can sign up for a free Splunk Cloud platform trial. However, you have limited configuration flexibility compared to Enterprise, such as at the operating system level, and the Splunk Cloud platform does not support a CLI, command-line interface environment. So which type of installation would you use? Would you be going with Splunk Enterprise, where you have full configuration flexibility, or Splunk Cloud?
Now remember, you might still have forwarders on premises in virtual machines in the cloud for your apps, for Microsoft Active Directory, for web servers, all of that stuff can forward gathered data to either Splunk Enterprise or Splunk Cloud. Maybe you might even consider using Splunk Cloud as a testing or sandbox solution and Splunk Enterprise for production. You don't have to do that, but it is a possibility. Now, in order to plan your deployment, you need to know your existing network environment, whether it's on premises or whether it's in the cloud, doesn't make a difference. Network diagrams can be very helpful if you're not already familiar with the network environment. A network diagram means you should know things like the locations of your various networks, whether they're on premises, in branch offices, whether they're in different regions in the cloud. You should understand the IP addressing that's currently in use, and any firewalls that might be in place because Splunk uses certain ports, such as Port 9997 on an indexer to receive forwarded data that firewalls would have to allow for that to work properly. You should be aware of how many app servers used for a production environment you have out there, where they are, the nature of the apps running on them, and their log files. You should also think about physical or virtual servers where you would install Splunk components. Things like universal forwarders or Splunk Enterprise installations. And of course, in your network, think about the data sources for ingestion. We've already alluded to that with app servers and logs, but what about things like intrusion detection devices on your network? Maybe you want to capture statistics for failed log-ons on a VPN concentrator on your network. So you have to know what's on your network in order to be able to do this correctly. So data collection means identifying those data sources and thinking about the amount and type of data that we want to collect. 
Now, if you want to filter the data before it's sent to an indexer to be indexed and ultimately searched, then you would need a heavy forwarder. You need a Splunk Enterprise installation. Otherwise, you could install a universal forwarder, which is a different installation. You should think about how many indexes you want. For example, do we want to take our VPN appliance ingested data and store that in its own index, or should it just go along with other things in the default main index? Remember that having multiple indexes can help keep things separated a little bit, because you can search through particular indexes, but users can also be assigned roles that have access to only certain indexes. You should think about index data retention policies. Once data is ingested, how long should it be retained in the index? So think about the data sources on your network. What type of data do they result in? Do you need to filter it at the source? Or maybe you'll be importing older data files, such as historic log files, that you want to analyze inside of the Splunk environment. The next thing is to think about whether you need a deployment server, a DS. Now, a Splunk deployment server is optional. What is its purpose? Well, it's used when you want to manage groups of forwarders. A forwarder is a Splunk instance that ingests data and then forwards it or sends it either to an intermediary forwarder or maybe directly to an indexer. But if you have a lot of forwarders, perhaps, and you want to configure the same type of data ingestion input settings, you could use a deployment server to centralize that configuration of those types of settings, such as for inputs.conf or the outputs.conf on forwarders, where it's directing where the data is to be sent to, even apps. You can have that centrally configured on the deployment server where forwarders will reach out, and in this case the forwarders are called deployment clients, and pull that data to them.
Now, think about what platform you're going to use, because if you have a Linux deployment server, will it support the centralized configuration of Windows and Linux forwarder clients? A Windows deployment server only supports Windows forwarder clients. Here we have a sample Splunk Enterprise deployment diagram where we have a deployment server on the left that would manage our three forwarders. Now, we might have a universal forwarder running Linux where it gathers data from a web server from Linux syslog. We might have a universal forwarder running on Windows that might monitor Active Directory and certain files. We might have a heavy forwarder, which is really just a Splunk Enterprise installation, with Windows and web server data it's gathering, and that might even be sent through a centralized intermediary forwarder. Doesn't have to be, but it can be. And that intermediary forwarder could then send that data to an indexer. Now, if you're going to be dealing with large amounts of data, then you might cluster your indexers for high availability, and ultimately you would search through a search head. You could even have search head clusters for busy environments. The other thing to plan for in your deployment is how users and roles will be treated. Now, you can create Splunk user accounts directly in Splunk and you can assign them roles. Now, you might create custom roles based on your needs, because a role is how users get permissions. You might have a role, for example, that allows access to search through a particular index and only that index. Now, you also could have external Splunk authentication. In other words, you could link, through an LDAP configuration, your Splunk environment to an Active Directory environment. So users could continue to use their existing credentials and gain access to Splunk. You can configure a password policy in Splunk. You can enable single sign-on and also multi-factor authentication for enhanced security.
Now, what about your network? Are you running Microsoft Active Directory or some other centralized LDAP-compliant directory service for authentication? Would you want to use those users that you already have created for authenticating into Splunk, primarily for things like IT technicians, Splunk admins? Or would you just create the Splunk accounts separately in Splunk as a separate entity? So users might already have their existing accounts, like Microsoft Active Directory, but they might have an additional account in Splunk for Splunk administration. There's no right or wrong answer, but it depends on what your needs are in your environment. And so planning will go a long way in ensuring that you have the smoothest possible deployment rollout of Splunk.
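As an added illustration of the planning decisions in this lesson (these fragments are not part of the course, and the hostnames, the VPN log path, the `vpn` index name, the `vpn:auth` sourcetype and the 90-day retention value are all assumptions), here is what those decisions look like once written down in Splunk .conf files: a forwarder input for the VPN concentrator logs sent to a dedicated index, an outputs stanza pointing at indexers on port 9997, a deployment-client stanza so the DS can manage the forwarder, a retention policy on the index, and a role limited to that one index.

```ini
# --- Universal forwarder: inputs.conf (assumed path to VPN concentrator logs) ---
[monitor:///var/log/vpn/*.log]
index = vpn
sourcetype = vpn:auth
disabled = false

# --- Universal forwarder: outputs.conf (indexers listen on 9997; firewalls must allow it) ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true

# --- Universal forwarder: deploymentclient.conf (turns this host into a deployment client) ---
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# --- Indexer: indexes.conf (dedicated index with a 90-day retention policy) ---
[vpn]
homePath = $SPLUNK_DB/vpn/db
coldPath = $SPLUNK_DB/vpn/colddb
thawedPath = $SPLUNK_DB/vpn/thaweddb
frozenTimePeriodInSecs = 7776000

# --- Search head: authorize.conf (role that can search only the vpn index) ---
[role_vpn_analyst]
importRoles = user
srchIndexesAllowed = vpn
srchIndexesDefault = vpn
```

When a deployment server is in use, the forwarder-side inputs.conf and outputs.conf live in a deployment app on the DS rather than being hand-edited on each forwarder, and the clients poll the DS on its management port (8089 by default) to pull them down.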
