Splunk
1. Overview
1.1 Splunk Enterprise Overview
Splunk Enterprise Features
a) Index
- Source data from websites, applications, servers, databases and more
- Index your IT data into Splunk
b) Search
- Primary way you will navigate your data in Splunk
- Searches can also be saved as reports to power dashboard panels
c) Alerts
- Get notified when search results meet specific conditions
- Alert actions can send an email, post to an RSS feed, or execute a script
d) Dashboards
- Combine panels into a holistic view of your data
- Panels can contain search boxes, fields, charts, and more
e) Pivot
- Map attributes to a table, chart, or data visualization
- Can be saved as reports and added to dashboards
f) Reports
- Save searches as pivot reports and then add reports to dashboards as panels
- Run them ad hoc or on a schedule
Splunk Enterprise Components
a) Forwarder
-Collects and forwards data to an indexer
- Low resource usage allows them to reside on many machines with little impact
b) Indexer
-Indexes data received from a forwarder
-Searches indexed data when requested by a search head
c) Search Head
- Interacts with users by directing search requests to the indexers
- Merges search results when searching across multiple indexers
2. Deploy
2.1 Splunk Enterprise Installation Recommendations
Installation Requirements
a) Platforms
- VMs are not recommended and will decrease performance
- Network File Systems (NFS) are not recommended
- Containers are supported with Docker Enterprise or Docker Community Edition
b) 64-bit OS
-Linux with kernel versions 2.6, 3.x, and 4.x
-Windows Server 2012, 2012 R2, and 2016
c) Recommended hardware
-Two 6-core processors at or above 2 GHz
-12 GB of RAM
-RAID 0 or RAID 10 storage
*Should be capable of 800 IOPS
*Solid state drives will provide the most performance
- 1 Gb NIC with network latency under 100 ms between Splunk nodes
d) Supported File Systems
-Linux: ext3, ext4, btrfs, XFS, NFS
-Windows: NTFS, FAT32
Optimization: striping storage
Capacity Planning
a) Considerations
-How much data do you expect to index daily?
-How much data do you need to retain and for how long?
-How many users do you expect to search through the data at any one time?
-Do you plan to use certain specific searches more than once?
-Do you need to use a Splunk app to present or manipulate your data?
- Search speed depends on the hardware
- Search throughput depends on the breadth of the hardware: how many indexers, and how many people can search at the same time
b) Storage
- Experiment by indexing data samples and checking the size of the Splunk DB
-Rawdata file is about 10% of the size of the incoming data
-Index files can range from 10% to 110% of the rawdata file depending on the amount of unique terms
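Added example (not part of the original notes): a small Python estimator that applies the two rules of thumb above to a retention window. The ratios are taken from the notes; the sample workload of 100 GB/day, 30 days of retention and 3 indexers is constructed.

```python
# Storage estimator built on the rules of thumb from the notes:
#   rawdata file ~10% of incoming data
#   index files 10% .. 110% of the rawdata file (depends on unique terms)
# The sample workload at the bottom is constructed for illustration.

RAWDATA_RATIO = 0.10      # rawdata file is about 10% of incoming data
INDEX_RATIO_MIN = 0.10    # index files: 10% of rawdata (few unique terms)
INDEX_RATIO_MAX = 1.10    # index files: 110% of rawdata (many unique terms)


def estimate_storage_gb(daily_ingest_gb, retention_days, indexers=1):
    """Return low/high storage estimates (GB) for the whole retention window.

    The spread between total_min and total_max comes entirely from the
    uncertainty in index-file size, which is why the notes recommend
    indexing a sample of real data before committing to hardware.
    """
    if daily_ingest_gb <= 0 or retention_days <= 0 or indexers <= 0:
        raise ValueError("ingest, retention and indexer count must be positive")

    rawdata = daily_ingest_gb * RAWDATA_RATIO * retention_days
    index_min = rawdata * INDEX_RATIO_MIN
    index_max = rawdata * INDEX_RATIO_MAX
    total_min = rawdata + index_min
    total_max = rawdata + index_max
    return {
        "rawdata": rawdata,
        "index_min": index_min,
        "index_max": index_max,
        "total_min": total_min,
        "total_max": total_max,
        # Indexed data is spread across indexers; size each for the worst case.
        "per_indexer_max": total_max / indexers,
    }


if __name__ == "__main__":
    # Constructed workload: 100 GB/day, kept 30 days, spread over 3 indexers.
    est = estimate_storage_gb(daily_ingest_gb=100, retention_days=30, indexers=3)
    for name, gb in est.items():
        print(f"{name:>16}: {gb:8.1f} GB")
```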
2.2 Standalone Splunk
2.3 Installing Splunk Enterprise
3. Secure
3.1 Secure Enterprise Security Overview
3.2 Secure Splunk Enterprise
3.3 Securing Splunk
4. Monitor
4.1 Splunk Enterprise Monitoring Console
4.2 Splunk Enterprise Alerting
4.3 Monitoring Splunk Enterprise
5. Index
5.1 Splunk Enterprise Data Indexing with Splunk Enterprise