Many Splunk customers wish to compartmentalize their IT data. Among the reasons for this requirement are the desire to limit access of one business unit's data to only employees of that unit.
Along with this requirement for data segregation, there is often a companion requirement for the central business unit to have the ability to search the IT data in each sub-unit.
Most customers also wish to deploy the minimum amount of hardware that is feasible given the volume of IT data they are indexing and searching per day.
It is possible to create a unique index for each business unit on a single Splunk instance and limit each business unit to search only their specific business unit's index.
However, Splunk is not currently capable of role-based typeahead or _internal and _audit index configuration, causing potential information leaks.
Additionally, it is not currently possible for Splunk to simultaneously search across multiple indexes; as such, meeting the requirement for corporate to search across all IT data is not easily facilitated
The preferred solution is to create a unique instance of Splunk per business unit.
Creating a unique instance of Splunk per business unit facilitates thorough IT data compartmentalization, including the siloing of typeahead and internal indexes.
Since each instance is completely independent of the others, there is no risk of information leaks via typeahead, internal indexes, or other user information gathering techniques.
This deployment approach also meets the requirement for the central business unit to perform a search across all corporate IT data.
This capability is made possible by leveraging Splunk's distributed search feature. A corporate instance of Splunk is set up that distributes search requests to each business unit's Splunk instance.
Since distributed search is configured on a per-instance basis, it is not transitively possible for the sub-units to distribute search requests to the corporate or other sub-unit instances.
Finally, in many cases each business unit's instance will only be indexing a few GB per day.
Assuming that network bandwidth is not severely limited, there is no reason not to install several Splunk instances on the same hardware to keep costs down while maximizing hardware utilization.
The following hardware was used in this deployment:
As a soft limit, it is not recommended that more than ten instances of Splunk are installed on a given physical machine. However, given the disparity between low and high-end commodity hardware, it is recommended that each deployment be staged and tested to determine limits to scalability. Data sources, input methods, and indexing volumes
The data sources and their respective input methods for this deployment were as follows:
To get these estimates, we analyzed the available archive data and calculated daily averages. In some cases, there was approximately one week of archive data available, while in other cases more thorough archive data was available.
Using the estimates above, each instance is projected to index approximately 2.6 GB per day.
Since smaller sites are likely to index slightly less than this while larger sites might index slightly more, a fair estimate of total indexing volume is 18.2 GB per day. This would dictate a 20 GB license divided into six 3 GB licenses and one 2 GB licenses.
The licensing and input assumptions should be validated during the first 30 days in production. It is a low risk endeavor, as Splunk's licensing model will never terminate forwarding or indexing, and furthermore will only disable search if the license is violated 7 times within a 30 day rolling window.
Server installation was performed using the standard linux tarball downloaded from http://www.splunk.com/download. The Splunk binaries and logs will go under /opt, while the data store will go on the SAN storage which is mounted at /mnt/i01. The exported IFS volume from each mainframe is mounted under /mnt/ifs/site_name. Many of the steps below can be automated using simple shell, python, or perl scripts.
Note: In many cases, it is not advisable to index directly to a SAN; however, in this case performance was benchmarked and tested under load before implementing in production.
The bash script below achieves the same end:
#!/bin/bash
LIC=( "empty0" "<license1>" "<license2>" "<license3>" "<license4>" "<license5>" "<license6>" "<license7>"
for (( i=1;i<=7;i+=1 )) ;
do
cd /opt;
mkdir /mnt/i01/splunk_$i;
cp -R ./splunk ./splunk_$i;
echo -e "\$SPLUNK_HOME=/opt/splunk_$i\n\$SPLUNK_DB=/mnt/i01/splunk_$i\n" > ./splunk_$i/etc/splunk-launch.conf;
echo -e "${LIC[i]}" > ./splunk_$i/etc/splunk.license;
rm -rf ./splunk;
done
To ensure that each business unit's Splunk users can only log in to their intended Splunk instance, we configured Splunk to authenticate to Active Directory(AD) and mapped security groups from AD to roles within Splunk.
The configuration below was taken from the CHI Splunk instance's /opt/splunk/system/local/authentication.conf:
[CHI] Admin = CORP_splunk_admin; Power = CHI_splunk_power, CORP_splunk_power; User = CHI_splunk_user, COPR_splunk_user; SSLEnabled = 0 bindDN = cn=svc_splunk,ou=service_accounts,ou=users,dc=corp,dc=local bindDNpassword = failsafeLogin = admin failsafePassword = groupBaseDN = ou=splunk,ou=security_groups,dc=corp,dc=local; groupBaseFilter = (objectclass=*) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = corpdc01 pageSize = 800 port = 389 realNameAttribute = name userBaseDN = ou=users,dc=corp,dc=local userBaseFilter = (objectclass=*) userNameAttribute = sAMAccountName _actions = new,edit,delete [auth] authSettings = CHI authType = LDAP
Each instance must have at least three unique TCP ports and one unique UDP port to bind to. In this deployment, the following ports were decided upon:
| Instance name | SplunkWeb port | Splunkd port | Splunk data port | Syslog Port |
| splunk_1 | 8001 | 8091 | 9991 | 511 |
| splunk_2 | 8002 | 8092 | 9992 | 512 |
| splunk_3 | 8003 | 8093 | 9993 | 513 |
| splunk_4 | 8004 | 8094 | 9994 | 514 |
| splunk_5 | 8005 | 8095 | 9995 | 515 |
| splunk_6 | 8006 | 8096 | 9996 | 516 |
| splunk_7 | 8007 | 8097 | 9997 | 517 |
To force each instance of Splunk to listen on the selected ports on startup, /opt/splunk_n/system/local/web.conf and /opt/splunk_n/system/local/inputs.conf were created before the initial startup. While we are editing inputs.conf, we added the tailed IFS directory as well.
For example, /opt/splunk_1/system/local/web.conf contained the following:
[settings] mgmtHostPort = localhost:8091 httpport = 8001
/opt/splunk_1/system/local/inputs.conf contained the following:
[splunktcp://9991] disabled = false queue = parsingQueue sourcetype = tcp-9991 [udp://511] disabled = false sourcetype = syslog [tail:///mnt/ifs/chi/] disabled=false followTail=1
After configuring each instance of Splunk as such, start the instance and accept the license agreement:
/opt/splunk_1/bin/splunk start --accept-license
After changing the network devices of each business unit to direct its syslog output to the correct UDP port, we installed Splunk in a lightweight forwarder configuration on the Windows servers as follows (the examples below assume the target instance is splunk_1 on server Splunk1):
c:\program files\splunk\bin> splunk.exe disable webserver c:\program files\splunk\bin> splunk.exe set server-type forwarder
queue=indexQueue
[tcpout:splunk_1] server=Splunk1:9991
c:\program files\splunk\bin> splunk.exe restart
c:\program files\splunk\bin> splunk.exe edit user admin -password fflanda
After configuring all Windows forwarders as detailed above, we verified that each Splunk index server received new events from the domain controller event logs, network devices, and (the next day) the mainframe reports from the IFS share.
Aside from meeting all the project requirements, there are substantial maintenance benefits to this deployment model:
In a multi-tenant environment such as a managed service provider (MSP), there are the following additional benefits: