Indiana University:
Splunking Distributed Logs for IT Policy Alignment
Allen Tucker
Manager, HELPnet Central Systems Team
Kelly Zimmerman
Systems Administrator, HELPnet Central Systems Team
Daniel Daily
Systems Administrator, HELPnet Central Systems Team
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.
• Background and Culture
• Infrastructure
• Scalable Architecture
• Multi-Tenant onboarding
• Phases
• Expansion of service
• Q&A
Background and Culture
Indiana University, est. 1820
• $3.3B enterprise
• Partnered with $6B IU Health system
• 115,000 Students
• 1.3M Credit Hours per semester
• >20,000 Degrees per year
• $1.1B in Financial Aid
• $450M in research grants
• 8,000 Acres
• 882 buildings, 36M square feet
• >600,000 living Alumni
• 10,500 Faculty and Staff
CENTRALIZED enterprise I.T.
with
DECENTRALIZED departmental I.T.
109 Departmental IT Groups
5213 Total Servers within IU
Safeguards
IU I.T. Policy
– IT-12 list of ‘best practices’ for system management
IU Internal Audits
– In depth departmental checks for IT operations
– Alignment with IT policies
Log management in IT-12
– Success/Failed User Logons, Success/Failed File Accesses
Implications
Costs associated with log review
– It's overwhelming
  • Different log sources
  • Many servers
  • Tons of logs
– Costly if departments DIY
– Staff time is at a premium
  • Admins can make much better use of their time by being impactful to their departments
Service Timeline
• Internal HELPnet Deployment: 120 servers
• Initial Departmental Offering
• Departmental Growth & UITS Interest: 20 departments, many regionals, ~375 servers
• Issues with Scalability
• New Product Testing & PoC
• Proposal to Cabinet: approval in August 2014
• Deployment: training, certification, build of architecture, app development
• Customer Onboarding (since June): 42 departments, 2000 active servers
Infrastructure
100% Virtual
Indiana University
Storage and Virtualization Team
2014 VMware Innovation Award Winners
Physical Hardware
VMware ESX Hosts
• Dell PowerEdge M620
  – Intel Xeon E5-2690 Processors
  – 20 CPU cores @ 3GHz
• 512GB DDR3 RAM
Storage
• Hitachi VSP G1000 SAN
(Architecture diagram: multi-campus deployment across Bloomington and Indianapolis, with deployer, deployment server, license master, forwarders for Departments A, B and C, the indexing tier and the search cluster.)
Performance Statistics
• IOPS > 1062 via Bonnie++
• ~270,000 events per second dense search in smart mode
• ~5400 events per second sparse search in smart mode
Scalable Architecture
Search Head Cluster
• Use of a deployer
• Knowledge object replication
• Ease of additional search head expansion
Deployment Server
• Houses all important Splunk configurations
  – Indexer configurations
  – Configuration push to 2000+ servers (for a team that never touches the GUI)
Departmental on-boarding
Data Silos by Tenant
Each Department Has a Unique Index
Department A
Department B
Department C
Making Deployment Easier
Simplify Onboarding
Using an Onboard Script to clone our apps
• Checks user logon
• Asks for location, OS type (user input phase)
• Adds server classes and indexes
• Copies source application template
• Replaces department variables
• Assigns roles (authorize.conf, authentication.conf)
• Assigns a default_namespace
Overcoming Distributed IT Administration
NO ADMIN RIGHTS
– Solution: Each department gets a shared Box folder
  • Splunk Universal Forwarder
  • Installation scripts
  • How-to docs
MS ConfigMan (Windows) or Ansible (Linux) helps a great deal
The magic of deploymentclient.conf
Script Details
Windows (.msi):
• Executes the .msi silently / stops the splunk service
• Defines location, OS, Department & Host, injects them into the deploymentclient.conf file, and assigns the deployment server
• Starts the service so it can phone home
Linux:
• Verifies if Splunk is installed
• Also configures deploymentclient.conf
• Modifies auditd.conf for splunk access
• Sets ownership and permissions
• Configures splunk to start on boot
Differences
• Dropping all unnecessary event IDs
• Ingesting full auditd
Script to deploy to many
One script to install them all
Mass deployment of forwarder to 600+ servers remotely.
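The two halves of the onboarding flow on the "Simplify Onboarding" and "Script Details" slides, as an added example that is not the presenters' script: the server-side conf fragments a new department tenant needs (dedicated index, server class, a role confined to that index, AD group mapping, default app) and the forwarder-side deploymentclient.conf the install script injects, plus two checks a tenant admin would want: that a forwarder lands in its own department's server class, and that no role can search outside its silo. Department, group, host and deployment-server names are constructed; stanza and key names follow Splunk's .conf specs, and the whitelist matching is an fnmatch approximation.

```python
import configparser
import fnmatch
import io


def _new_conf():
    # Splunk .conf files are ini-style, but keys are case-sensitive and values
    # may contain '$', so disable configparser's lower-casing and interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    return cp


def _dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def _load(text):
    cp = _new_conf()
    cp.read_string(text)
    return cp


def render_tenant_configs(dept, ad_group_dn, ldap_strategy="IU-AD"):
    """Server-side half: the conf fragments one department tenant needs."""
    idx = f"{dept.lower()}_it12"     # one index per department = the data silo
    role = dept.lower()              # role name; its authorize.conf stanza is role_<name>
    app = f"{dept}_it12"             # name of the cloned application template
    files = {}
    cp = _new_conf()                 # indexes.conf: bucket paths for the tenant index
    cp[idx] = {"homePath": f"$SPLUNK_DB/{idx}/db",
               "coldPath": f"$SPLUNK_DB/{idx}/colddb",
               "thawedPath": f"$SPLUNK_DB/{idx}/thaweddb"}
    files["indexes.conf"] = _dump(cp)
    cp = _new_conf()                 # serverclass.conf: claim forwarders by clientName
    sc = f"serverClass:{dept}_servers"
    cp[sc] = {"whitelist.0": f"{dept}_*"}
    cp[f"{sc}:app:{app}"] = {"restartSplunkd": "true"}
    files["serverclass.conf"] = _dump(cp)
    cp = _new_conf()                 # authorize.conf: the role may search only its own index.
    # importRoles is deliberately absent: a role inherits index access from every
    # role it imports, so importing a broad built-in role would widen the silo.
    cp[f"role_{role}"] = {"search": "enabled",
                          "srchIndexesAllowed": idx,
                          "srchIndexesDefault": idx}
    files["authorize.conf"] = _dump(cp)
    cp = _new_conf()                 # authentication.conf: AD group -> Splunk role
    cp[f"roleMap_{ldap_strategy}"] = {role: ad_group_dn}
    files["authentication.conf"] = _dump(cp)
    cp = _new_conf()                 # user-prefs.conf: land users in the department app
    cp["general_default"] = {"default_namespace": app}
    files["user-prefs.conf"] = _dump(cp)
    return files


def render_deploymentclient_conf(location, os_type, dept, host, ds_uri):
    """Forwarder-side half: what the install script injects so the host phones home."""
    cp = _new_conf()
    cp["deployment-client"] = {"clientName": f"{dept}_{location}_{os_type}_{host}"}
    cp["target-broker:deploymentServer"] = {"targetUri": ds_uri}
    return _dump(cp)


def serverclasses_for_client(serverclass_text, deploymentclient_text):
    """Names of server classes whose whitelist matches the forwarder's clientName
    (fnmatch approximates Splunk's wildcard matching; blacklists are not modelled)."""
    sc = _load(serverclass_text)
    client = _load(deploymentclient_text)["deployment-client"]["clientName"]
    hits = []
    for section in sc.sections():
        if not section.startswith("serverClass:") or ":app:" in section:
            continue
        patterns = [v for k, v in sc[section].items() if k.startswith("whitelist.")]
        if any(fnmatch.fnmatchcase(client, p) for p in patterns):
            hits.append(section.split(":", 1)[1])
    return hits


def role_scope_findings(authorize_text):
    """Roles not confined to exactly one concrete index: a wildcard, several
    indexes, or inherited access via importRoles all break the per-tenant silo."""
    cp = _load(authorize_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        allowed = [a for a in cp[section].get("srchIndexesAllowed", "").split(";") if a]
        if len(allowed) != 1 or "*" in allowed[0] or cp[section].get("importRoles", ""):
            findings.append(section)
    return findings
```

Running `role_scope_findings` over the merged authorize.conf of the deployer bundle is a cheap nightly check that an edit in one department's app has not widened another department's view.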
App Dev Phases
VERSION 1
Lessons Learned
• Training
• I2 Training credits*
• Optimizing Searches
• Data Inputs
• Reporting
VERSION 2
Expansion of Services
Down the Road
Further development of the IT-12 application for departments
– Devices not checking in
– Alerting for failed user attempts
– Filter for network access vs file access
– More Linux distros
Expand UITS I.T. Ops.
– Kuali
– VMware
– Active Directory
– IIS / Apache for IU Central Web Services
– Multiple Security Apps
CAS & Shibboleth
Questions?

.conf 2015 - Splunking Distributed Logs for IT Policy Alignment


Editor's Notes

  1. How many in attendance are in Higher Education?
  2. Large organization: $3.3B enterprise 115,000 students 10,500 faculty and staff. 8 campuses 882 separate buildings over 8000 acres Given the scale, what does the I.T. landscape look like?
  3. Central enterprise I.T. organization called UITS that handles management of core services Active Directory, Exchange, Networks, Wireless, Web Hosting, etc. Departmental I.T. providing hands on support directly to individual departments. 109 Separate IT groups Total servers = 5213 servers (UITS and Departmental) Obviously this means that IU has a large cyber security attack surface. Because of this, IU has implemented some safeguards to combat these issues.
  4. IT12 – Best Practices Admin rights, network security, firewalling, as well as log management There are also Internal Audits that take place. Very public results (deans, directors, CIO, President, Board of Trustees) Unfortunately, a consistent finding is log management.
  5. Manual log review is very costly Time consuming Costly to build a utility to automate it Staff time is at a premium where they could be more helpful by direct support and innovation in their direct department. Departments - “If we have to review our logs because of IT policy, UITS should provide enterprise utility to make it easier” - We set out to provide a clear cut time saving utility that directly aligns with IT policy in order to wipe the slate clean on log review being an issue.
  6. 3 years ago, HELPnet brought hardware log management online for internal use to meet IT12 requirements Started offering it at a small scale to other departments. Proposal approved in August by CIO Brad Wheeler to hopefully reduce these findings from Internal Audit.
  7. Indiana University has a world class Storage and Virtualization team - VMware innovation award. - pushing the boundaries of what virtualization can do
  8. Indiana University has a world class Storage and Virtualization team that has earned VMware innovation awards. Multi-tier storage (low tier)
  9. This is our initial infrastructure based on the initial service offering and based off of our current deployment needs Discuss search heads / Indexers Discuss locations
  10. Explain what IOPS are and what Bonnie++ is
  11. With dozens and dozens of configuration files and the ability to expand with virtualized hardware, what does Splunk offer to help manage these servers?
  12. So I am going to talk about the things we did to make our admin of splunk easier How we: Save Countless hours of staff time (primary example being an onboarding script) Reduce the administration of end points (no need to touch every server or forwarder in the environment) Quickly recover servers and stand up new servers --be it an additional SH or IDXR Take advantage of this extra time? --More hands on time with departments and development of apps ( spend time getting data into Splunk) esp non it12 data --Training our users to be power users So what features did we decided to introduce? first up our search head cluster- next slide
  13. The star of your cluster is the deployer Single point of administration It’s the best place to back up all your configurations To deploy all your apps & configurations to the cluster It’s the job scheduler ….Brains! KO replication Joe power user…. (Scenario) (Gotcha: Local configurations) Magic of this…? File precedence … GUI configurations... plan the role of your deployer carefully Scripting a new search head member gets a lot easier when all you have to do is spin up a new VM and assign it to the cluster (and the LB) and let the deployer push baseline configurations. Stuff replicates; it’s a thing of beauty. Don’t confuse this cluster technology with MS clusters… Next up Deployment server….next slide
  14. Deployment server is optimal BUT it's a must It is a centralized administration point like that of the cluster deployer, however it pushes configs to indexers, and universal forwarders. Without it you would have to administer the configurations of your splunk components one system at a time. No one has time for that! -Adding indexers- The real beauty is the management of forwarders. Say you have a forwarder already on a system….you can increase/decrease the amount of data coming to the indexers by just editing the settings on the deployment server; once the forwarder checks in it picks up the changes.
  15. So what happens when an IU department comes to us to start using Splunk? Most are seeking basic alignment services for IT12 policy alignment Some are seeking additional splunk apps and data collection…next slide
  16. I want to revisit this architecture slide to discuss departments at IU. We have over 50 and any of them could be potentially sending different types of data not just server security logs for it12) and they don’t want to see each others data. To facilitate this we siloed data into indexes. WHY? Next slide
  17. SECURITY SECURITY SECURITY Role Based Administration- AD groups. User A from dept A logs in….(scenario) Since we are pushing this configuration from the deployment server Indexer replication (and the lack thereof) Reporting tool not a repository tool
  18. So how do we make deployment easier?
  19. For IT12 -- It starts on the back end getting our app copied and configs in place for the forwarder to phone home for the first time and sync So Daniel built a script to do the heavy lifting for us. Confirms you're logged on as Splunk Asks for location (user input) Asks for OS type (user input) Adds the needed server classes (assign deployment apps in serverclass.conf) Adds the needed indexes (assign indexes in indexes.conf- homepath, coldpath, thawedpath etc.) Copies our application template Replaces department variables Assigns roles (authorize.conf) Assigns an AD group reference (authentication.conf) Assigns a default_namespace Gets fancy with the cron job wiz (looks to Daniel) Each night we push the splunk shcluster-bundle cmd to prevent restarts during the day Okay so how do we get the forwarder to the departments??
  20. Then we have to get the forwarder to the servers….and one does not simply walk into Mordor and just receive admin rights. Linux packaged tar.gz PowerShell Launches Splunk Forwarder msi
  21. No tool to deploy … no problem Script the script deployment!
  22. Reports saved every 2 hours Provide a high level overview for all four policy alignment pieces Limited access
  23. Typical drilldown functionality takes you to a search bar Note multi-select File Path box
  24. Training – Get some! Optimizing Searches – Refine everything at the beginning, avoid heavy utilization items like transactions, appends, and additional searches to searched data Data Inputs – Make sure to use search time data manipulation vs index/forwarder time data manipulation Reporting – Initially we tried to set up saved searches to show data, and update it every 2 hours. Use report acceleration without a schedule.
  25. Removed the activity dropdown from the splunk bar Added a new drop down menu with all four drilldown dashboards Added tables Removed all scheduled searches, and set the searches to on demand with report acceleration Emailed reports
  26. Added in additional exclude multi select boxes Added behind the scenes options like optimized searches, auto populated drill down functionality, on demand searches
  27. Main two areas for items down the road. Usability expansions of IT12 App Devices not checking in, Alerting, Filtering of network / console traffic Expand IT OPS Kuali, VMware, AD, Web Services, Security App, First development outside of IT12 is for CAS and Shibboleth.