Splunk puts power in your hands if you know how to use it right to get the most out of it. A few simple practices can make a huge difference when it comes time to audit, analyze, or debug. Here are your best practices for those of you who are either considering implementing Splunk or who have already implemented Splunk and are having issues getting it to do what you need it to.

- Indexes and sourcetypes assist in data management. These two things will be difficult to change later. Use sourcetypes to group data by their similarity: if the events are generated by the same device and are in the same format, they should most likely be one sourcetype. See this great blog post on sourcetype naming.
- Try to collect events as close (in terms of geography and network location) to their source as possible. These events can be collected with an intermediate heavy forwarder and then sent to the indexers, which may be in a central location.
- Try to keep search heads as close to indexers as possible. This will improve the search head's speed in accessing the events.
- Use separate IP addresses whenever possible, such as for management, log collection, and the web UI/search head, and use separate IPs for different major sourcetypes. All of this makes your Splunk deployment more extensible, provides better access control options, and allows for fine-grained troubleshooting and analysis.
- Use a consistent naming scheme on the Splunk search heads and indexers to ensure accuracy and reduce troubleshooting time.
- Carefully plan the deployment of Windows event collection (event logs and performance data) to ensure success. Many Windows event collection tools have various limitations, such as the truncation of events at 512 or 1024 bytes. The Splunk Universal Forwarder doesn't have these limitations and can be used to reliably and efficiently collect Windows events from a large distributed enterprise.
- A single team should be responsible for Splunk instead of having this split across multiple departments, divisions, or entities. Additionally, much of the deployment of Splunk requires an intimate understanding of its intended use, and therefore it is recommended that the team who will be the major user of Splunk should also manage its deployment. This generally equates to a more successful implementation.
- Pre-4.2: use a different Splunk license on each indexer. Re-using a Splunk license violates the AUP and breaks distributed search as well as other Splunk-to-Splunk activities.
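As an added example that is not part of the original post, the following Splunk configuration fragments show how the sourcetype and index grouping, the Universal Forwarder collection of Windows event logs and performance data, and the intermediate heavy forwarder topology described above are expressed in `inputs.conf` and `outputs.conf`. The hostnames, index names, and port numbers are assumptions chosen for illustration; the stanza and setting names are standard Splunk ones.

```ini
# --- inputs.conf on a Windows Universal Forwarder -------------------------
# (added example; hostnames and index names are assumed, not from the post)

# Windows event logs: the Universal Forwarder reads the complete event, so the
# 512/1024-byte truncation seen in some other collectors does not apply.
# Splunk sets the sourcetype from the channel automatically
# (XmlWinEventLog:Security when renderXml is on).
[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = true

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# Performance data is a different format from event logs, so it gets its own
# sourcetype (Splunk assigns Perfmon:CPU for this stanza) and its own index.
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = *
interval = 10
index = perfmon

# --- inputs.conf on a Linux Universal Forwarder ---------------------------
# Same device and same format -> one sourcetype; a different format
# (authentication log vs. general syslog) -> a separate sourcetype.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os

[monitor:///var/log/messages]
sourcetype = syslog
index = os

# --- outputs.conf on every Universal Forwarder ----------------------------
# Send to an intermediate heavy forwarder in the same site rather than
# straight across the WAN to the central indexers.
[tcpout]
defaultGroup = site1_hf

[tcpout:site1_hf]
server = hf-site1-01.example.com:9997

# --- outputs.conf on the intermediate heavy forwarder ---------------------
# Relay to the central indexers. Host names follow one scheme
# (role-site-number) so an odd host stands out at troubleshooting time.
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
server = idx-dc1-01.example.com:9997, idx-dc1-02.example.com:9997
```

Keeping event logs, performance data, and OS logs in separate indexes is what makes the "better access control options" concrete: a Splunk role is granted access per index, so an operations team can be given `os` and `perfmon` without seeing `wineventlog`. The forwarder-to-indexer connection on port 9997 is plain TCP unless SSL is configured on both the `tcpout` group and the receiving `splunktcp` input, so a deployment that relays security events through an intermediate forwarder should enable that before the data leaves the site.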