Splunk Insights Into Windows Environments

Welcome!

Your presenters…

Nick BlackRob Silver &

12 midday Introduction12:10 Grab lunch12:15 Tech Talk & demo’s

* Splunk App for Microsoft Infrastructure* Splunk App for Microsoft Exchange* Splunk & Web Analytics* Gemini SBOX

13:30 The bundles13:45 Questions14:00 Close

Agenda

Rivium is a leader in getting Splunk deployments right. With experience delivering over a hundred Splunk engagements Australia wide we know what a brilliant Splunk environment looks like.

Our Rapid Deployment Splunk Bundle for Microsoft environments is a tailored solution to quickly enable you to monitor, audit, secure and analyse your Windows Infrastructure and workloads in one place, in real time.

Rapid Insights into Windows Environments

Rapid DeploymentSplunk Bundles for Microsoft

Splunk offers the leading platform for operational intelligence making machine data accessible, usable and valuable to everyone.

Software, Hardware and ServicesRapid Deployment Bundles for Microsoft Environments

TECHNOLOGY

Gemini SBOX is a purpose-built appliance that can dramatically reduce the cost to deploy Splunk compared to commodity hardware.

INFRASTRUCTURE

Rivium is a Splunk Professional Services partner with extensive experience in deploying Splunk solutions.

EXPERTISE

Analyse information on all the critical Windows events: CPU, memory,

physical disk, LogicalDisk, network interface, application crashes,

application installs and Windows updates.

Understand and analyse uncharacteristic usage patterns and

failed attempts by users to log onto a specific domain.

Visualise information on the health, configuration and performance of domains, sites, domain controllers, DNS servers and DNS zones that

belong to the Active Directory.

Events, Performance & System Monitoring

Anomalous Logons & User Logon Failures

Domain & DNS Services Monitoring

Splunk App for Windows

Infrastructure

Monitor, audit, secure and analyseyour Windows IT infrastructure and workloads in one place, in real time. Avoid service degradations with granular insights into server event data, performance metrics, configurations, alerts and registry changes in Active Directory including users, groups, machines and group policy objects. Gain real-time visibility into your email service health and performance across the entire messaging infrastructure, including diverse message delivery components and the supporting infrastructure.

Reduce downtime through real-time service health and performance

monitoring across the entire messaging infrastructure.

With granular composite health scores across the entire service path

you can analyse critical metrics across Exchange service components, giving you instant visibility into which service components are affecting the

health of your email service.

Provides you with deep visibility into the health and performance of your Microsoft Exchange environment;

from Edge and Hub Transport servers to the Client Access servers and the

Mailbox Store itself.

Service-Centric Monitoring Service Analyzer Deep Visibility

Splunk App for Microsoft Exchange

Gain insights into your messaging infrastructure and non-Exchange devices and services with a unified view of the entire service infrastructure. The Splunk App for Microsoft Exchange consumes logs from your Microsoft Exchange systems to give you deep visibility into the health and performance of your Microsoft Exchange environment—from Edge and Hub Transport servers to the Client Access servers and the Mailbox Store itself.

Create actionable insights that are critical in solving customer,

website/mobile and multi-channel analytics challenges and enrich digital

data with CRM or offline data.

Derive unique insights by combining client and server side data in real time

to analyse and improve customer experience.

Get meaningful insights and visualisations with unlimited

segmentation and full data drill down on real-time and historical data.

Actionable Insights Analyse Customer Experience Digital Data Visualisations

Splunk App for

Web AnalyticsOrganisations need a deep understanding of customer interactions and product/feature usage to create the best website or mobile user experience.

The Splunk App for Web Analytics provides an end-to-end view of your Microsoft IIS environment providing visibility of customer interactions across various digital channels.

Centralised management of Gemini sbox appliances and platforms makes

it easy to tweak network configurations, orchestrate tasks,

schedule activities and even visualise your topology. All in one intuitive,

easy-to-use interface.

An intuitive setup wizard allow easy customisation and optimisation for

your needs, minimizing the burden on IT operations. Includes direct attached high performance disks, optimizing IO operations and eliminating the need

for expensive SAN storage.

Designed from the ground up to minimize attack surfaces and

vulnerability. Contains proprietary, purpose-built OS extensions optimised for security and a

streamlined operating environment that eliminates unnecessary services.

Ease of Management Rapid Provisioning Security Hardened

Gemini SBOX Splunk

Appliance

Gemini SBOX makes it easy to scale and manage your big data deployment. Gemini allows you to manage a Splunk appliance from a single interface and seamlessly delivers turn key solutions from leading organisations via the Gemini Integration Center.

SBOX integrates high-performance storage, an optimised and security hardened operating system, and an easy to use GUI that simplifies the deployment and day to day operations of big data software.

Tech Talks

Splunking Windows

Common Windows Pain Points

Silo’d systems

Exchange -- Messages not being received- Capacity planning- Message tracking- Behaviour anomolies- Mailbox DB size issues- Exchange sync issues

Performance monitoring

Security Overview

Systems overview

Active Directory monitoring

Many helpdesk jobs

Locked out accounts

DB connection issues

Windows Update failures

App crashes

Network errors

Print operations

Event errors

Computer audits

Group policy changes

Sample Deployment DiagramSplunking Windows

Search HeadIndexersDeployment Clients

Windows Hosts (…)

AD Domain Controller

Windows DNS

Data flow

Splunk App for Microsoft Exchange

Splunk Add-ons for Microsoft Exchange

Splunk Add-ons for Active Directory/DNS

Splunk Supporting Add-on for Active Directory

Splunk Add-on for Windows

“Send to Indexer”

Exchange Server

Databases

Cloud services

The NeedSplunking Windows

SLA’s

ChangeManagement

Compliance

Oneplatformthatsupportseveryone

ServerManagement

Exchange

o Splunk App for Microsoft Windows Infrastructure

o Splunk App for Microsoft Exchange *o DB Connect 3o Splunk Enterprise Security *o uberAgent *o Splunk App for Web Analytics

Common Splunk Apps & Add-onsSplunking WIndows15

o Splunk Add-on for Microsoft Cloud Services

o Splunk Add-ons for Microsoft Exchange

o Splunk Add On for Active Directoryo Splunk Add-on for DNSo Splunk Add-on for Windows

Apps Add-ons

Splunk App for Microsoft Windows Infrastructure

o Identify infrastructure problems, such as non-running services and load issues

o Monitor the performance of all servers throughout your Windows environment

o Monitor security events, such as virus outbreaks and anomalous logonso Track administrative changes to the environmento Plan for capacity expansion

Why?Splunk App for Windows Infrastructure

What data?Splunk App for Windows Infrastructure

Performance Monitor Logs

Active Directory Logs(via Splunk Add-on for Windows and/or

Splunk Add-on for Active Directory suite)

Windows Information(Network, Host, Print Monitoring)

(via the Splunk Add-on for windows)

Windows Event Logs(Security & Application)

(via the Splunk Add-on for windows)

perfmon, windows, msad,

wineventlogindexes

Windowso Windows Eventso Performance Monitoringo Applications & Updateso Host/Print/Network Monitoringo Active Directory

Monitoring AreasSplunk App for Windows Infrastructure

Active Directoryo Domainso DC’so DNSo Userso Computerso Groupso Group Policyo OU

DEMOSplunk App for Windows Infrastructure

Splunk App for Microsoft ExchangePremium Splunk App

o Identify infrastructure problems, such as non-running services and load issues o Monitor the performance of all servers throughout your Exchange environment o Track messages throughout your messaging environment o Monitor client usage, including mobility usage via ActiveSync or Outlook

Anywhere o Monitor security events, such as virus outbreaks and anomalous logons o Track administrative changes to the environment o Analyze long-term mail operations trends Plan for capacity expansion o Monitor your organization's outbound email sender reputation

Why?Splunk App for Microsoft Exchange

What data?Splunk App for Microsoft Exchange

IIS Logs

Active Directory Logs(via Splunk Add-on for Windows and/or

Splunk Add-on for Active Directory suite)

Windows Information(Network, Host, Print Monitoring)

(via the Splunk Add-on for windows)

Windows Event Logs(Security & Application)

(via the Splunk Add-on for windows)

msexchange, perfmon indexes

Performance monitoring data

Service Analyzero At a glace states of all Exchange services within your Exchange deployment

Exchangeo Performance & Throttlingo Hosts & Mailbox Databaseso Message Activityo User Behaviouro Usage and Capacity Planningo Administrative Reports

Monitoring AreasSplunk App for Microsoft Exchange

DEMOSplunk App for Microsoft Exchange

Splunk & Website Analytics

Web analytics is the measurement, collection, analysis and reporting of web data for purposes of understanding and

optimizing web usage

What can we do in Splunk to help with this?

o Real-time visibility—search, correlate and monitor live events in real time as they occur across your online ecosystem.

o High-performance search and navigation—find what you’re looking for anywhere in your environment quickly and easily. Search across billions of events in seconds on a single commodity server. Splunk scales to the largest of data volumes.

o Powerful historical analytics—analyze important trends, statistics and metrics about nearly any aspect of behavior. Custom dashboards help you to analyze the behavior of your customers, users, transactions, applications, web servers, app servers and networks.

What can Splunk offer?Splunk & Web Analytics

o Optimizing User Experienceo Comprehensive Web Analyticso Trending Analysiso End-to-end Visibility

Use Cases?Splunk & Web Analytics

DEMOSplunk & Web Analytics

Other Notable Apps

uberAgentOther Windows Apps

o Tells you exactly about everything relevant to user experienceo Helps you identify trends that otherwise would have gone unnoticedo Simplifies troubleshooting by showing you what you need to know in one placeo Shows you which applications are used wheno Makes help desk and IT operations more effectiveo Supports IT pros with information they need for deep troubleshootingo Makes physical and virtual environments (VDI) comparableo Provides rich information vital for information security

Splunk DB Connect 3Other Windows Apps

o Allows you to import tables, rows, and columns from a database directly into Splunko Enables you to output data from Splunk Enterprise back to your relational databaseo Performs database lookupso allows you to directly use SQL in your Splunk searches and dashboards

Splunk and SBOX

o SBOX delivers an optimized, secured SplunkAppliance that is simple to manage easy toconfigure and fast to deploy.

PurposeSBOX

Current Splunk Infrastructure ChallengesSBOX

Inconsistent Hardware Environments

Varying OS patch and security requirements

Time Consuming and resource intensive build.

Standardized environments make deployment, support and Development Infinitely easier

Can’t Standardize

Increased Time to Value

Inefficient & Unsecure

Even More ChallengesSBOX

I need to use 3rd party Versioning tools

Patching and updates are manual

Every Customer has a different environment

Time Spent Managing and Learning Diverse Environments is Time That Could Have been Spent Implementing and Using Splunk

More Bench Time Learning New Products

Support and Maintenance Is Time Consuming and Costly

Time Wasted Managing And Tracking 3rd Party Updates

Commodity HardwareSBOX

1) Purchase servers

3) Configure and secure servers

2) Purchase OS licenses

7) ….and (finally) install Splunk.

4) Patch and update their OS

5) Attach servers to ‘not quite as fast as I thought’ SAN

6) Get Security to approve their configuration

> > > Enter Gemini SBOX

Rapid DeploymentDeploy big data

platforms in minutes, not weeks. Optimized for

on prem or cloud deployments.

Simplified Management

Focus on Security and Operational Intelligence instead of infrastructure

management. Easily manage complex clusters of nodes

and configurations.

Faster Time To Value

Purpose-built big data appliance reduces total cost of ownership and

integrated solutions make your team more efficient.

Deploy on prem or in the cloud.

Big Data ApplianceEngineered to simplify the deployment and daily operations of big data platforms such as Splunk and Hadoop.

Designed from the ground up to provide a secure, robust operating environment based on industry best-practices and years of practical experience.

o Secure, hardened OSo Easy Intuitive web based administration for all appliance

functions (storage, network, NTP, updates)o Fast Time to Value: simple to install and configureo Lower Total Cost of Ownership: compared to commodity

hardwareo High Performance: Appliances are tuned to deliver the

optimal Splunk (and Hadoop) performance

SBOX appliancesSBOX

o Get Splunk Implemented faster without having to source appropriate hardware

o Remove IT ops from the equation. No need to configure an OS or Storage.

o SBOX are easy to work with and can have direct conversations with you and/or your customers.

o Peace of Mind! SBOX design their hardware specifically with Splunk in mind and can provide 4 hour onsite fix or replace support for SBOX hardware.

Why do we recommend SBOX?SBOX

DEMOSBOX

The Bundles

$5,356per month

including GST

10GB per day(2GB Exchange Data)

12 month data retention

1 Power User Training

3 Year Contract

20GB per day(5GB Exchange Data)

12 month data retention

2 Power User Training

50GB per day(10GB Exchange Data)

12 month data retention

2 Power User Training

Splunk Enterprise SubscriptionSplunk App for Exchange SubscriptionSplunk App for Windows InfrastructureSplunk App for Web AnalyticsSplunk App for Microsoft SQLSplunk Add-on for Windows DHCPSplunk Add-on for Windows DNSSplunk Add-on for Active DirectoryTwo additional source types and Apps

What your environment includes:

Small environment includes the A240 Appliance and the M1000 Management Appliance.

Medium environment includes the A240 Appliance, S1000 Search Head, and M1000 Management Appliance.

Large environment includes A540 Appliance, S1000 Search Head, M1000 Management Appliance.

SBOX Appliance

$8,572per month

including GST

3 Year Contract

$14,146per month

including GST

3 Year Contract

Splunk SBOX Rapid Deployment OptionsOptions for On-Premise

SMALL MEDIUM LARGE

Includes Implementation Includes Implementation Includes Implementation

Pricing does not include the ongoing management of your Splunk environment and may be subject to change based on currency fluctuations.

$5,709 per month

including GST

10GB per day(2GB Exchange Data)

90 day data retention

1 Power User Training

3 Year Contract

20GB per day(5GB Exchange Data)

90 day data retention

2 Power User Training

50GB per day(10GB Exchange Data)

90 day data retention

2 Power User Training

$8,259 per month

including GST

3 Year Contract

$13,945 per month

including GST

3 Year Contract

Splunk Cloud Rapid Deployment OptionsOptions for Cloud

SMALL MEDIUM LARGE

Includes Implementation Includes Implementation Includes Implementation

Splunk Enterprise SubscriptionSplunk App for Exchange SubscriptionSplunk App for Windows InfrastructureSplunk App for Web AnalyticsSplunk App for Microsoft SQLSplunk Add-on for Windows DHCPSplunk Add-on for Windows DNSSplunk Add-on for Active DirectoryTwo additional source types and Apps

What your environment includes:

All environments includes the F1000 Forwarder Appliance and the M1000 Management Appliance.

SBOX Appliance

Pricing does not include the ongoing management of your Splunk environment and may be subject to change based on currency fluctuations.

Every customer is different, and there are many factors that can influence the amount of data your environment will generate per day.With Rivium’s experience with the deployment of many Splunk environments, we have found that the following metrics can be usefulas a guide.

What size is right for me?Splunk is licensed by data volume ingested per day

10GB 20GB 50GB

Number of staff 50 200 500

Windows Servers 30 60 200

IIS Servers 100 500 1000

Database Servers 2 4 6

Exchange Hosts 2 4 6

Active Directory Hosts 2 4 6

For more accurate guidance on the right size for your organisation, Rivium will undertake a data source assessment to providerecommentations on the most appropraie rapid deployment bundle for your environment.

A: Level 14, 380 St Kilda Road, Melbourne VIC 3004T: 1300 360 886

W: www.rivium.comE: info@rivium.com.au

xxx

Q&A

Thanks for your time!