Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

Mint Security has a set of predefined delivery models to choose from. These are based on best practices and experience. Of course, there is always the option to customize and to pick and choose from each of them. Every delivery starts by scoping and defining the needs of the customer based on the pros and cons of each model. This makes designing and deciding on the architecture much smoother.

Splunk delivery models

On-prem or "in-IaaS"

On-prem and “in-IaaS” deliveries are very similar. Although an IaaS environment essentially is a cloud delivery model, you will be hosting the servers yourself. For that reason, we deliver both our on-prem and our in-IaaS solutions in a very similar manner. It is important to understand the difference between Splunk Cloud (which is a SaaS service without any server maintenance responsibilities) and Splunk installed in an IaaS environment.

Our deliveries are based around Linux servers that are manageable and enterprisey. In practice, our predefined on-prem and in-IaaS delivery models are based on CentOS or Red Hat Enterprise Linux.

Standard

  • Components: Splunk binaries and additional apps and TA’s
  • Suggested sizing: 1-3 servers and less than 10G indexed data / day

Basic installation and configuration. Search Head, Indexer and a Heavy Forwarder can be distributed across separate hardware. Any downtime will result in at least a delay of data input, and potentially also data loss.

Splunk Standard Delivery
The architecture of a standard Splunk delivery model.

Resilient

  • Components: Splunk binaries and additional apps and TA’s
  • Suggested sizing: 8-15 servers and more than 10G indexed data / day

Search Head clustering requires at least 3 servers. Indexer clustering requires at least 3 servers. Clustering in itself requires additional utility servers – a deployer and a master. The installation is resilient to loss of servers and adds confidence that no log data is lost. It simplifies upgrades, configuration and server management, and enables easy scalability based on future indexing needs.

Splunk Resilient Delivery
The architecture of a resilient Splunk delivery model.
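As an added illustration (not configuration from the original post or from Mint Security), the core Splunk settings behind the clustering described above, and the forwarder-side acknowledgement that addresses the data-loss caveat of the Standard model. Hostnames and the shared key are placeholders; the manager/peer terminology assumes Splunk 8.1 or later (older releases use master/slave).

```ini
# --- server.conf on the cluster manager (the "master" utility server) ---
# Constructed example: hostnames and keys are placeholders.
[clustering]
mode = manager
# Each bucket is copied to 3 peers, so the cluster survives the loss of 2 peers.
replication_factor = 3
# 2 of those copies stay searchable, so searches continue after losing 1 peer.
search_factor = 2
pass4SymmKey = REPLACE_WITH_SHARED_SECRET
cluster_label = mint_idx_cluster

# --- server.conf on every indexer peer (at least 3 for the factors above) ---
[clustering]
mode = peer
manager_uri = https://cluster-manager.example.internal:8089
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

# Port on which peers replicate bucket copies to each other.
[replication_port://9887]

# --- outputs.conf on the heavy forwarder / universal forwarders ---
# useACK keeps events in the forwarder's queue until an indexer confirms
# they were written, so an indexer going down mid-stream does not lose data.
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.internal:9997, idx2.example.internal:9997, idx3.example.internal:9997
useACK = true
autoLBFrequency = 30
```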

Managed

  • Components: Spacewalk (CentOS) or Satellite Server (RedHat) for configuration management, Deployment Server for forwarder management.
  • Suggested sizing: Standard or Resilient + 1-3 servers

Adds tools to manage all configuration files centrally, as well as installations and updates of all components. Offers the possibility to run remote commands on managed servers. The Deployment Server is used for centrally managing forwarder applications – the Deployment Server itself is managed by Spacewalk or Satellite Server.

Splunk Managed Delivery
The architecture of a managed Splunk delivery model.

Hardened

  • Components: pfSense & HAProxy (or existing load-balancing components like F5), Keycloak Authentication (or existing SAML2 IDP) and FreeIPA (CentOS) or IPA (RedHat)
  • Suggested sizing: Standard or Resilient + 3-6 servers

Adds centralized user authentication and permission management connected to external directories for both Splunk users (Keycloak) and server operators (FreeIPA or IPA). Highly available, secured and hardened Search Head access with HAProxy (or similar).

Splunk Hardened Delivery
The architecture of a hardened Splunk delivery model.
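As an added example that is not part of the original post, the search-head side of the Keycloak integration described above: an authentication.conf stanza pointing Splunk at a Keycloak realm acting as SAML2 IdP, with group-to-role mapping. Realm name, URLs, certificate path and group names are placeholders.

```ini
# authentication.conf on the search head(s); constructed example.
[authentication]
authType = SAML
authSettings = keycloak

[keycloak]
# Keycloak SAML endpoints of the realm (placeholder host and realm name).
idpSSOUrl = https://sso.example.internal/realms/splunk/protocol/saml
idpSLOUrl = https://sso.example.internal/realms/splunk/protocol/saml
# Must match the SAML client registered in Keycloak and the realm's issuer.
entityId = splunk-search
issuerId = https://sso.example.internal/realms/splunk
# Realm signing certificate; Splunk uses it to verify assertion signatures.
idpCertPath = /opt/splunk/etc/auth/idpCerts/keycloak-realm.pem
# Refuse unsigned assertions and sign outgoing authentication requests.
signedAssertion = true
signAuthnRequest = true
# The public name users reach through HAProxy, not an individual search head,
# so the IdP redirects back to the load-balanced address.
fqdn = https://splunk.example.internal
redirectPort = 443
# Splunk reads the assertion attributes "role", "realName" and "mail";
# configure the Keycloak client mappers to emit those names.

# Splunk role = semicolon-separated Keycloak groups carried in "role".
[roleMap_keycloak]
admin = splunk-admins
power = splunk-analysts
user = splunk-users
```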

Splunk Cloud based models (SaaS)

Splunk Cloud

If a SaaS cloud based delivery is possible, and the SaaS limitations are acceptable, then this is the way to go. The key limitation is that all configurations MUST be done through the management web-interface. No customization of configuration files is practically possible. This is a quick and simple setup, where the biggest challenges are around data communications to get log data into the system – log data has to travel outside your network perimeter to the cloud service.

Splunk Plain SaaS Delivery
The architecture of a plain SaaS Splunk delivery model.

Mint über hybrid

The Mint über hybrid builds upon the SaaS cloud service. For more configuration options and better management of UDP-based syslogs and resiliency to data communications loss between your log sources and the SaaS service, this is the model that must be chosen. Depending on the exact needs, custom components will be added to the setup. In the simplest hybrid model, only one Heavy Forwarder (HF) is added. In more complex setups, the HF is resilient. With more custom components, even the on-prem managed model can offer some solutions.

Splunk Mint Hybrid Delivery
The architecture of a Mint hybrid Splunk delivery model.

Sizing

We have a custom über-excel that allows us to simulate sizing needs both for performance and over time. Sizing includes servers, CPU, storage and data communications.

All of this directly correlates with the cost of running your Splunk deployment.

On-prem & in-IaaS comparison table

Splunk delivery model comparison table