Post on 21-May-2020
transcript
Splunk Insights Into Windows Environments
Welcome!
Your presenters: Nick Black & Rob Silver
Agenda
12:00 Introduction
12:10 Grab lunch
12:15 Tech Talks & demos
* Splunk App for Microsoft Infrastructure
* Splunk App for Microsoft Exchange
* Splunk & Web Analytics
* Gemini SBOX
13:30 The bundles
13:45 Questions
14:00 Close
Rivium is a leader in getting Splunk deployments right. With experience delivering over a hundred Splunk engagements Australia wide we know what a brilliant Splunk environment looks like.
Our Rapid Deployment Splunk Bundle for Microsoft environments is a tailored solution to quickly enable you to monitor, audit, secure and analyse your Windows Infrastructure and workloads in one place, in real time.
Rapid Insights into Windows Environments
Rapid Deployment Splunk Bundles for Microsoft
Software, Hardware and Services: Rapid Deployment Bundles for Microsoft Environments
TECHNOLOGY: Splunk offers the leading platform for operational intelligence, making machine data accessible, usable and valuable to everyone.
INFRASTRUCTURE: Gemini SBOX is a purpose-built appliance that can dramatically reduce the cost to deploy Splunk compared to commodity hardware.
EXPERTISE: Rivium is a Splunk Professional Services partner with extensive experience in deploying Splunk solutions.
Splunk App for Windows Infrastructure
Events, Performance & System Monitoring: Analyse information on all the critical Windows events: CPU, memory, physical disk, LogicalDisk, network interface, application crashes, application installs and Windows updates.
Anomalous Logons & User Logon Failures: Understand and analyse uncharacteristic usage patterns and failed attempts by users to log onto a specific domain.
Domain & DNS Services Monitoring: Visualise information on the health, configuration and performance of domains, sites, domain controllers, DNS servers and DNS zones that belong to the Active Directory.
Monitor, audit, secure and analyse your Windows IT infrastructure and workloads in one place, in real time. Avoid service degradations with granular insights into server event data, performance metrics, configurations, alerts and registry changes in Active Directory including users, groups, machines and group policy objects. Gain real-time visibility into your email service health and performance across the entire messaging infrastructure, including diverse message delivery components and the supporting infrastructure.
Splunk App for Microsoft Exchange
Service-Centric Monitoring: Reduce downtime through real-time service health and performance monitoring across the entire messaging infrastructure.
Service Analyzer: With granular composite health scores across the entire service path you can analyse critical metrics across Exchange service components, giving you instant visibility into which service components are affecting the health of your email service.
Deep Visibility: Provides you with deep visibility into the health and performance of your Microsoft Exchange environment, from Edge and Hub Transport servers to the Client Access servers and the Mailbox Store itself.
Gain insights into your messaging infrastructure and non-Exchange devices and services with a unified view of the entire service infrastructure. The Splunk App for Microsoft Exchange consumes logs from your Microsoft Exchange systems to give you deep visibility into the health and performance of your Microsoft Exchange environment—from Edge and Hub Transport servers to the Client Access servers and the Mailbox Store itself.
Splunk App for Web Analytics
Actionable Insights: Create actionable insights that are critical in solving customer, website/mobile and multi-channel analytics challenges and enrich digital data with CRM or offline data.
Analyse Customer Experience: Derive unique insights by combining client and server side data in real time to analyse and improve customer experience.
Digital Data Visualisations: Get meaningful insights and visualisations with unlimited segmentation and full data drill down on real-time and historical data.
Organisations need a deep understanding of customer interactions and product/feature usage to create the best website or mobile user experience.
The Splunk App for Web Analytics provides an end-to-end view of your Microsoft IIS environment, providing visibility of customer interactions across various digital channels.
Gemini SBOX Splunk Appliance
Ease of Management: Centralised management of Gemini SBOX appliances and platforms makes it easy to tweak network configurations, orchestrate tasks, schedule activities and even visualise your topology. All in one intuitive, easy-to-use interface.
Rapid Provisioning: An intuitive setup wizard allows easy customisation and optimisation for your needs, minimizing the burden on IT operations. Includes direct attached high performance disks, optimizing IO operations and eliminating the need for expensive SAN storage.
Security Hardened: Designed from the ground up to minimize attack surfaces and vulnerability. Contains proprietary, purpose-built OS extensions optimised for security and a streamlined operating environment that eliminates unnecessary services.
Gemini SBOX makes it easy to scale and manage your big data deployment. Gemini allows you to manage a Splunk appliance from a single interface and seamlessly delivers turn key solutions from leading organisations via the Gemini Integration Center.
SBOX integrates high-performance storage, an optimised and security hardened operating system, and an easy to use GUI that simplifies the deployment and day to day operations of big data software.
Tech Talks
Splunking Windows
Common Windows Pain Points
Silo’d systems
Exchange:
- Messages not being received
- Capacity planning
- Message tracking
- Behaviour anomalies
- Mailbox DB size issues
- Exchange sync issues
Performance monitoring
Security Overview
Systems overview
Active Directory monitoring
Many helpdesk jobs
Locked out accounts
DB connection issues
Windows Update failures
App crashes
Network errors
Print operations
Event errors
Computer audits
Group policy changes
Sample Deployment Diagram (Splunking Windows)
[Diagram: components shown are Search Head, Indexers, Deployment Clients, Windows Hosts (…), AD Domain Controller, Windows DNS, Exchange Server, Databases and Cloud services, with the data flow labelled "Send to Indexer". Apps and add-ons in the data flow: Splunk App for Microsoft Exchange, Splunk Add-ons for Microsoft Exchange, Splunk Add-ons for Active Directory/DNS, Splunk Supporting Add-on for Active Directory, Splunk Add-on for Windows.]
The Need (Splunking Windows)
One platform that supports everyone: SLAs, Change Management, Compliance, Server Management, Exchange.
Common Splunk Apps & Add-ons (Splunking Windows)
Apps:
o Splunk App for Microsoft Windows Infrastructure
o Splunk App for Microsoft Exchange *
o DB Connect 3
o Splunk Enterprise Security *
o uberAgent *
o Splunk App for Web Analytics
Add-ons:
o Splunk Add-on for Microsoft Cloud Services
o Splunk Add-ons for Microsoft Exchange
o Splunk Add-on for Active Directory
o Splunk Add-on for DNS
o Splunk Add-on for Windows
Splunk App for Microsoft Windows Infrastructure
Why? (Splunk App for Windows Infrastructure)
o Identify infrastructure problems, such as non-running services and load issues
o Monitor the performance of all servers throughout your Windows environment
o Monitor security events, such as virus outbreaks and anomalous logons
o Track administrative changes to the environment
o Plan for capacity expansion
What data? (Splunk App for Windows Infrastructure)
o Performance Monitor Logs
o Active Directory Logs (via Splunk Add-on for Windows and/or Splunk Add-on for Active Directory suite)
o Windows Information (Network, Host, Print Monitoring) (via the Splunk Add-on for Windows)
o Windows Event Logs (Security & Application) (via the Splunk Add-on for Windows)
Indexes: perfmon, windows, msad, wineventlog
Monitoring Areas (Splunk App for Windows Infrastructure)
Windows:
o Windows Events
o Performance Monitoring
o Applications & Updates
o Host/Print/Network Monitoring
o Active Directory
Active Directory:
o Domains
o DCs
o DNS
o Users
o Computers
o Groups
o Group Policy
o OU
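As an added example (not from the presentation or from Rivium) of surfacing the failed-domain-logon pattern mentioned above from the wineventlog index: it assumes the Splunk Add-on for Windows is collecting the Security log as the classic WinEventLog:Security sourcetype with its extracted fields (EventCode, Account_Name, Logon_Type, Source_Network_Address, Sub_Status); the 15-minute window and the thresholds are assumptions to tune for your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| eval target_user = mvindex(Account_Name, -1)
| bin _time span=15m
| stats count AS failures,
        dc(target_user) AS distinct_users,
        values(Logon_Type) AS logon_types,
        values(Sub_Status) AS sub_status
  BY _time, Source_Network_Address
| where failures >= 20 OR distinct_users >= 5
| sort - failures
```

Event 4625 carries two Account_Name values (the subject and the account the logon failed for), so mvindex(…, -1) keeps the target; Sub_Status separates a wrong password (0xC000006A) from a non-existent account (0xC0000064), which helps tell user typos from guessing across many accounts.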
DEMO: Splunk App for Windows Infrastructure
Splunk App for Microsoft Exchange (Premium Splunk App)
Why? (Splunk App for Microsoft Exchange)
o Identify infrastructure problems, such as non-running services and load issues
o Monitor the performance of all servers throughout your Exchange environment
o Track messages throughout your messaging environment
o Monitor client usage, including mobility usage via ActiveSync or Outlook Anywhere
o Monitor security events, such as virus outbreaks and anomalous logons
o Track administrative changes to the environment
o Analyze long-term mail operations trends
o Plan for capacity expansion
o Monitor your organization's outbound email sender reputation
What data? (Splunk App for Microsoft Exchange)
o IIS Logs
o Active Directory Logs (via Splunk Add-on for Windows and/or Splunk Add-on for Active Directory suite)
o Windows Information (Network, Host, Print Monitoring) (via the Splunk Add-on for Windows)
o Windows Event Logs (Security & Application) (via the Splunk Add-on for Windows)
o Performance monitoring data
Indexes: msexchange, perfmon
Monitoring Areas (Splunk App for Microsoft Exchange)
Service Analyzer:
o At a glance states of all Exchange services within your Exchange deployment
Exchange:
o Performance & Throttling
o Hosts & Mailbox Databases
o Message Activity
o User Behaviour
o Usage and Capacity Planning
o Administrative Reports
DEMO: Splunk App for Microsoft Exchange
Splunk & Website Analytics
Web analytics is the measurement, collection, analysis and reporting of web data for purposes of understanding and optimizing web usage.
What can Splunk offer? (Splunk & Web Analytics)
What can we do in Splunk to help with this?
o Real-time visibility—search, correlate and monitor live events in real time as they occur across your online ecosystem.
o High-performance search and navigation—find what you’re looking for anywhere in your environment quickly and easily. Search across billions of events in seconds on a single commodity server. Splunk scales to the largest of data volumes.
o Powerful historical analytics—analyze important trends, statistics and metrics about nearly any aspect of behavior. Custom dashboards help you to analyze the behavior of your customers, users, transactions, applications, web servers, app servers and networks.
Use Cases? (Splunk & Web Analytics)
o Optimizing User Experience
o Comprehensive Web Analytics
o Trending Analysis
o End-to-end Visibility
DEMO: Splunk & Web Analytics
Other Notable Apps
uberAgent (Other Windows Apps)
o Tells you exactly about everything relevant to user experience
o Helps you identify trends that otherwise would have gone unnoticed
o Simplifies troubleshooting by showing you what you need to know in one place
o Shows you which applications are used when
o Makes help desk and IT operations more effective
o Supports IT pros with information they need for deep troubleshooting
o Makes physical and virtual environments (VDI) comparable
o Provides rich information vital for information security
Splunk DB Connect 3 (Other Windows Apps)
o Allows you to import tables, rows, and columns from a database directly into Splunk
o Enables you to output data from Splunk Enterprise back to your relational database
o Performs database lookups
o Allows you to directly use SQL in your Splunk searches and dashboards
Splunk and SBOX
Purpose (SBOX)
o SBOX delivers an optimized, secured Splunk Appliance that is simple to manage, easy to configure and fast to deploy.
Current Splunk Infrastructure Challenges (SBOX)
o Inconsistent Hardware Environments
o Varying OS patch and security requirements
o Time Consuming and resource intensive build
Can’t Standardize / Increased Time to Value / Inefficient & Unsecure
Standardized environments make deployment, support and development infinitely easier.
Even More Challenges (SBOX)
o I need to use 3rd party versioning tools
o Patching and updates are manual
o Every customer has a different environment
o More bench time learning new products
o Support and maintenance is time consuming and costly
o Time wasted managing and tracking 3rd party updates
Time spent managing and learning diverse environments is time that could have been spent implementing and using Splunk.
Commodity Hardware (SBOX)
1) Purchase servers
2) Purchase OS licenses
3) Configure and secure servers
4) Patch and update their OS
5) Attach servers to ‘not quite as fast as I thought’ SAN
6) Get Security to approve their configuration
7) ….and (finally) install Splunk.
> > > Enter Gemini SBOX
Big Data Appliance: Engineered to simplify the deployment and daily operations of big data platforms such as Splunk and Hadoop. Designed from the ground up to provide a secure, robust operating environment based on industry best-practices and years of practical experience.
Rapid Deployment: Deploy big data platforms in minutes, not weeks. Optimized for on prem or cloud deployments.
Simplified Management: Focus on Security and Operational Intelligence instead of infrastructure management. Easily manage complex clusters of nodes and configurations.
Faster Time To Value: Purpose-built big data appliance reduces total cost of ownership and integrated solutions make your team more efficient. Deploy on prem or in the cloud.
SBOX appliances (SBOX)
o Secure, hardened OS
o Easy, intuitive web based administration for all appliance functions (storage, network, NTP, updates)
o Fast Time to Value: simple to install and configure
o Lower Total Cost of Ownership: compared to commodity hardware
o High Performance: appliances are tuned to deliver the optimal Splunk (and Hadoop) performance
Why do we recommend SBOX? (SBOX)
o Get Splunk implemented faster without having to source appropriate hardware
o Remove IT ops from the equation. No need to configure an OS or Storage.
o SBOX are easy to work with and can have direct conversations with you and/or your customers.
o Peace of Mind! SBOX design their hardware specifically with Splunk in mind and can provide 4 hour onsite fix or replace support for SBOX hardware.
DEMO: SBOX
The Bundles
Splunk SBOX Rapid Deployment Options (Options for On-Premise)

                       SMALL                   MEDIUM                  LARGE
Price (including GST)  $5,356 per month        $8,572 per month        $14,146 per month
Daily volume           10GB per day            20GB per day            50GB per day
  of which Exchange    2GB                     5GB                     10GB
Data retention         12 months               12 months               12 months
Training               1 Power User Training   2 Power User Training   2 Power User Training
Contract               3 Year Contract         3 Year Contract         3 Year Contract
Implementation         Included                Included                Included

Bundle includes: Splunk Enterprise Subscription, Splunk App for Exchange Subscription, Splunk App for Windows Infrastructure, Splunk App for Web Analytics, Splunk App for Microsoft SQL, Splunk Add-on for Windows DHCP, Splunk Add-on for Windows DNS, Splunk Add-on for Active Directory, two additional source types and Apps.

What your environment includes (SBOX Appliance):
Small environment includes the A240 Appliance and the M1000 Management Appliance.
Medium environment includes the A240 Appliance, S1000 Search Head, and M1000 Management Appliance.
Large environment includes A540 Appliance, S1000 Search Head, M1000 Management Appliance.

Pricing does not include the ongoing management of your Splunk environment and may be subject to change based on currency fluctuations.
Splunk Cloud Rapid Deployment Options (Options for Cloud)

                       SMALL                   MEDIUM                  LARGE
Price (including GST)  $5,709 per month        $8,259 per month        $13,945 per month
Daily volume           10GB per day            20GB per day            50GB per day
  of which Exchange    2GB                     5GB                     10GB
Data retention         90 days                 90 days                 90 days
Training               1 Power User Training   2 Power User Training   2 Power User Training
Contract               3 Year Contract         3 Year Contract         3 Year Contract
Implementation         Included                Included                Included

Bundle includes: Splunk Enterprise Subscription, Splunk App for Exchange Subscription, Splunk App for Windows Infrastructure, Splunk App for Web Analytics, Splunk App for Microsoft SQL, Splunk Add-on for Windows DHCP, Splunk Add-on for Windows DNS, Splunk Add-on for Active Directory, two additional source types and Apps.

What your environment includes (SBOX Appliance):
All environments include the F1000 Forwarder Appliance and the M1000 Management Appliance.

Pricing does not include the ongoing management of your Splunk environment and may be subject to change based on currency fluctuations.
What size is right for me? Splunk is licensed by data volume ingested per day.
Every customer is different, and there are many factors that can influence the amount of data your environment will generate per day. With Rivium’s experience with the deployment of many Splunk environments, we have found that the following metrics can be useful as a guide.

Daily volume             10GB   20GB   50GB
Number of staff          50     200    500
Windows Servers          30     60     200
IIS Servers              100    500    1000
Database Servers         2      4      6
Exchange Hosts           2      4      6
Active Directory Hosts   2      4      6

For more accurate guidance on the right size for your organisation, Rivium will undertake a data source assessment to provide recommendations on the most appropriate rapid deployment bundle for your environment.
A: Level 14, 380 St Kilda Road, Melbourne VIC 3004
T: 1300 360 886
W: www.rivium.com
E: info@rivium.com.au
Q&A
Thanks for your time!