Thomas

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

Mint Security has a set of predefined delivery models to choose from. These are based on best practices and experience. Of course, there’s always the option to customize and pick and choose from each of them. Every delivery starts by scoping and defining the needs of the customer based on the pro’s and con’s of each model. This makes the designing and deciding the architecture much smoother.

Splunk delivery models

On-prem or "in-IaaS"

On-prem or ”in-IaaS” is very similar.  Although an IaaS environment essentially is a cloud delivery model, you will be hosting the servers yourself. For that reason, we deliver both our on-prem and our in-Iaas solutions in a very similar manner.  It is important to understand the difference between Splunk Cloud (which is a SaaS service without any server maintenance responsibilities) and Splunk installed in an IaaS environment.

Our deliveries are based around Linux servers that are manageable and enterprisey. In practice, our predefined on-prem  and in-IaaS delivery models are based on CentOS or Red Hat Enterprise Linux.

Standard

  • Components: Splunk binaries and additional apps and TA’s
  • Suggested sizing: 1-3 servers and less than 10G indexed data / day

Basic installation and configuration. Search Head, Indexer and a Heavy forwarder can be distributed across separate hardware. Any downtime will result in at least delay of data input, potentially also data loss. Installation may be automated using Ansible.

Splunk Standard
Splunk Standard

Resilient

  • Components: Splunk binaries and additional apps and TA’s
  • Suggested sizing: 8-15 servers and more than 10G indexed data / day

Search Head clustering requires at least 3 servers. Indexer clustering requires at least 3 servers. Clustering in itself requires additional utility servers – deployer and master. Installation is resilient to loss of servers and adds confidence that no log data is lost. Simplifies upgrades and configuration and server management. Enables easy scalability based on future indexing needs.

Splunk Resilient
Splunk Resilient

Managed

  • Components: Ansible for configurations and Deployment Server for forwarder management.
  • Suggested sizing: Standard or Resilient + 1-3 servers

Adds tools to manage all configuration files centrally as well as installations and updates of all components. Offers possibility to run remote commands on managed servers. Deployment server is used for centrally managing forwarder applications – the deployment server itself is managed by Ansible.

Splunk Managed
Splunk Managed

Hardened

  • Components: pfSense & HAProxy (or existing load-balancing components like F5), Keycloak Authentication (or existing SAML2 IDP)
  • Suggested sizing: Standard or Resilient + 3-6 servers

Adds centralized user authentication and permission management connected to external directories for Splunk users (Keycloak). Highly available, secured and hardened Search Head access with HAProxy (or similar).

Splunk Hardened
Splunk Hardened

Splunk Cloud based models (SaaS)

Splunk Cloud

If a SaaS cloud based delivery is possible, and the SaaS limitations are acceptable, then this is the way to go. The key limitation is that all configurations MUST be done through the management web-interface. No customization of configuration files is practically possible. This is a quick and simple setup, where the biggest challenges are around data communications to get log data into the system – log data has to travel outside your network perimeter to the cloud service.

Splunk Plain SaaS Delivery
The architecture of a plain SaaS Splunk delivery model.

Mint über hybrid

The Mint über hybrid builds upon the SaaS cloud service. For more configuration options and better management of UDP-based syslogs and resiliency to data communications loss between your log sources and the SaaS service, this is the model that must be chosen. Depending on the exact needs, custom components will be added to the setup. In the simplest hybrid model, only one Heavy Forwarder (HF) is added. In more complex setups, the HF is resilient. With more custom components, even the on-prem managed model can offer some solutions.

Splunk Mint Hybrid Delivery
The architecture of a Mint hybrid Splunk delivery model.

Sizing

We have a custom über-excel that allows os to simulate sizing needs both for performance and over time. Sizing includes servers, CPU, storage and data communications.

All of this directly correlates with the cost of running your Splunk deployment.

On-prem & in-IaaS comparison table

Splunk Delivery Models
Splunk header

Minted by Splunk

Mint Security provides a vast range of überconsulting for Splunk. From a single server to clustered multisite setups with integrated SSO and 2FA.

Lue lisää »

SIEM, Splunk ja lokienhallinta

SIEM ja lokitapahtumienhallinta lyhyesti Tilannekuva on yksi suurimmista ”hypesanoista” tällä hetkellä. Yksinkertaisimmin tilannekuva tarkoittaa parista lokilähteestä generoitua graafista esitystä. Parhaiten toteutettuna tilannekuva pitää sisällään sovelluslokeja,

Lue lisää »
Thomas

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

ota yhteyttä

Pyydä rohkeasti lisätietoa. Vastaamme todennäköisesti nopeammin kuin osasit kuvitella.