Mint Security has a set of predefined delivery models to choose from. These are based on best practices and experience. Of course, there is always the option to customize, and to pick and choose from each of them. Every delivery starts by scoping and defining the customer's needs based on the pros and cons of each model. This makes designing and deciding on the architecture much smoother.
Splunk delivery models
On-prem or "in-IaaS"
On-prem and "in-IaaS" deliveries are very similar. Although an IaaS environment is essentially a cloud delivery model, you will still be hosting the servers yourself. For that reason, we deliver both our on-prem and our in-IaaS solutions in much the same manner. It is important to understand the difference between Splunk Cloud (a SaaS service with no server maintenance responsibilities) and Splunk installed in an IaaS environment.
Our deliveries are based around Linux servers that are manageable and enterprisey. In practice, our predefined on-prem and in-IaaS delivery models are based on CentOS or Red Hat Enterprise Linux.
Standard
- Components: Splunk binaries and additional apps and TAs
- Suggested sizing: 1-3 servers and less than 10 GB of indexed data per day
Basic installation and configuration. Search Head, Indexer and a Heavy Forwarder can be distributed across separate hardware. Any downtime will at least delay data input and may also cause data loss. Installation may be automated using Ansible.
Resilient
- Components: Splunk binaries and additional apps and TAs
- Suggested sizing: 8-15 servers and more than 10 GB of indexed data per day
Search Head clustering requires at least 3 servers. Indexer clustering requires at least 3 servers. Clustering in itself requires additional utility servers: a deployer and a master. The installation is resilient to the loss of servers and gives confidence that no log data is lost. It simplifies upgrades, configuration and server management, and enables easy scaling as indexing needs grow.
Managed
- Components: Ansible for configurations and Deployment Server for forwarder management.
- Suggested sizing: Standard or Resilient + 1-3 servers
Adds tools to manage all configuration files centrally, as well as installations and updates of all components. Offers the possibility to run remote commands on managed servers. The Deployment Server is used to centrally manage forwarder apps; the Deployment Server itself is managed by Ansible.
Hardened
- Components: pfSense & HAProxy (or existing load-balancing components like F5), Keycloak Authentication (or existing SAML2 IDP)
- Suggested sizing: Standard or Resilient + 3-6 servers
Adds centralized user authentication and permission management for Splunk users, connected to external directories (Keycloak). Provides highly available, secured and hardened Search Head access with HAProxy (or similar).
Splunk Cloud based models (SaaS)
Splunk Cloud
If a SaaS cloud-based delivery is possible, and the SaaS limitations are acceptable, then this is the way to go. The key limitation is that all configuration MUST be done through the management web interface; customizing configuration files directly is practically impossible. This is a quick and simple setup, where the biggest challenges are around data communications to get log data into the system: log data has to travel outside your network perimeter to the cloud service.
Mint über hybrid
The Mint über hybrid builds upon the SaaS cloud service. If you need more configuration options, better handling of UDP-based syslog, and resilience to loss of data communications between your log sources and the SaaS service, this is the model that must be chosen. Depending on the exact needs, custom components are added to the setup. In the simplest hybrid model, only one Heavy Forwarder (HF) is added. In more complex setups, the HF is made resilient. With more custom components, even the on-prem Managed model can offer some solutions.
Sizing
We have a custom über-excel that allows us to simulate sizing needs, both for performance and over time. Sizing covers servers, CPU, storage and data communications.
All of this correlates directly with the cost of running your Splunk deployment.
On-prem & in-IaaS comparison table
Mint Splunk Consulting Services
Mint Security offers Splunk users a range of value-adding Splunk consulting services that get the most out of your own environment, securely.
Minted by Splunk
Mint Security provides a vast range of überconsulting for Splunk. From a single server to clustered multisite setups with integrated SSO and 2FA.
SIEM, Splunk and log management
SIEM and log event management in brief. Situational awareness is one of the biggest "hype words" at the moment. At its simplest, situational awareness means a graphical presentation generated from a couple of log sources. At its best, situational awareness includes application logs,