Types of SPLUNK Deployments and Configuration


OVERVIEW

In general, deployment and configuration play a vital role in every organization: they map a logical architecture onto a physical environment. Splunk deployment and configuration likewise require some additional skills, so they involve upfront planning, mapping and illustrating the entire infrastructure, prioritizing assets, and much more.

Splunk deployments are generally classified into four major types:

  • Stand-alone deployment
  • Distributed deployment
  • Clustered deployment
  • Cloud deployment

This post discusses the major differences between stand-alone, distributed, and clustered deployments.

Prioritizing/classifying the deployment types

Splunk deployments also differ by their scale and size:

  • Departmental 
  • Small enterprise
  • Medium enterprise
  • Large enterprise


Types of Deployments

Stand-alone / Single Deployment

A stand-alone deployment is a single instance that combines indexing and searching. It includes basic features such as:

  1. Searching
  2. Indexing
  3. Parsing
  4. Reporting
  5. Alerting
  6. Dashboards, and more

Single instance deployment is typically used when there are a limited number of users and a very limited amount of data flowing into Splunk.

Stand-alone / Single Deployment

  Indexing Volume   Users   No. of forwarders    Indexer count
  0-20 GB           < 10    MIN 10 / MAX 100     1

Generally, single/stand-alone instances are used for a lab or test environment, or for a small system with one or two users running concurrent searches.


Distributed Deployment

A distributed deployment spreads instances across multiple machines to achieve high availability and ensure disaster recovery through data replication and multisite deployment.

Distributed Deployment

  Indexing Volume   Users    No. of forwarders     Search heads   Indexer count
  20-100 GB         < 100    MIN 100 / MAX 200     1              2 to 3

Generally, distributed deployments are used by medium-scale organizations to monitor all internal activity.


Clustered Deployment

A clustered deployment allows users to share the resources across the set of search heads, helping to boost both indexing and searching capacity. It’s usually deployed with medium and large-scale organizations.

Clustered Deployment

  Indexing Volume           Users    No. of forwarders     Search heads   Indexer count
  300 GB to TBs [per day]   > 100    MIN 10 / MAX 1000     3+             10+

Generally, clustered deployments are used by large-scale organizations.
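As an added example that is not part of the original post, this is what the clustered layout above looks like in Splunk's server.conf on each role (one cluster manager, one indexer peer, one search head), with the two-site replication policy the distributed/clustered sections refer to. The hostname, port, cluster label, site names and the shared secret are placeholders to be replaced for a real deployment.

```ini
# --- Cluster manager node: server.conf ---
# multisite spreads bucket copies across sites so that losing one site
# still leaves a searchable copy; the *_factor values control how many.
[clustering]
mode = manager
multisite = true
available_sites = site1,site2
# 2 copies at the originating site, 3 in total (so at least 1 on the other site)
site_replication_factor = origin:2,total:3
# 1 searchable copy locally, 2 searchable copies in total
site_search_factor = origin:1,total:2
# placeholder label; must be identical on every node in this cluster
cluster_label = example_idx_cluster
# placeholder: all cluster members authenticate to each other with this key,
# so use a long random value and distribute it out of band
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

[general]
site = site1

# --- Indexer peer: server.conf ---
# port on which this peer receives replicated buckets from other peers
[replication_port://9887]

[clustering]
mode = peer
# placeholder manager hostname; 8089 is splunkd's default management port
manager_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

[general]
site = site1

# --- Search head: server.conf ---
# the search head asks the manager which peers to fan searches out to
[clustering]
mode = searchhead
manager_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

[general]
site = site1
```

Restart splunkd on each node after editing; the manager's cluster status page then shows whether the replication and search factors are met.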

Cloud deployment

Cloud deployment is the process of migrating an on-premise deployment to the Splunk Cloud platform. It follows a deployment process similar to an on-premise setup, and its functionality includes:

  • Collecting
  • Searching
  • Monitoring
  • Reporting
  • Analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its many cloud customers
  • Active Directory / single sign-on integration
  • Allow-listing and deny-listing IP addresses
  • Sending data securely using the Splunk Universal Forwarder, and more
Cloud deployment

  Indexing Volume    Users              No. of forwarders   Search heads       Indexer count
  As per contract    As per contract    As per contract     As per contract    As per contract

Generally, cloud deployments are used for managing machine data through a cloud service that is centrally and uniformly delivered by Splunk to its many cloud customers.

Conclusion

This post explained the various deployment types in Splunk and the basic differences between them. The next post will discuss the challenges in Splunk deployment and configuration.

Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |
