Case Study: Splunk Implementation & Splunk Dashboard Studio
The customer is a wellness company with dual headquarters in Amman, Jordan, and Dubai, UAE. It mainly specializes in the production of wellness and hygiene products, including sterilized facial tissues, kitchen towels, toilet paper, baby and adult diapers, and natural, healthy beverages, and has recently added personal protective equipment (PPE), germ protection solutions and nutrition supplements.
Headquarters location: Amman and Dubai
To implement and configure a Splunk log monitoring solution and build security use cases and dashboards to monitor the client's environment.
The customer aims to use Splunk to proactively monitor, analyze and investigate any potentially malicious activity taking place in the organization, thereby helping to ensure the confidentiality, integrity and availability of its IT environment.
A standalone Splunk architecture is implemented. The single instance currently acts as search head, indexer, syslog server, license master and deployment server.
Endpoint devices such as firewalls and other network devices send syslog to the Splunk server. Splunk's internal file monitor input is used to read the stored syslog files. Splunk then parses the data and stores it in indexes for use in searches.
Linux and Windows servers send system and audit logs to Splunk using the universal forwarder.
Splunk Build Details
As mentioned in the previous section, this is a single-instance deployment in which one Splunk instance acts as search head, indexer, syslog server, license master and deployment server.
Linux machines send audit and system logs to Splunk through the universal forwarder. The universal forwarder is a Splunk agent installed on the remote server where the logs are generated. A Splunk-supported add-on for Unix/Linux servers is configured for input and parsing. It is always best practice to use only Splunk-supported add-ons and apps from Splunkbase.
On Windows, too, audit and Windows event logs are collected to the Splunk server using the Windows-compatible universal forwarder.
Palo Alto, FortiGate and Intermapper devices send their logs via syslog to the Splunk server. Syslog-ng can be used to capture these logs to files. Where syslog-ng is used, Splunk's monitor input option together with source-specific Splunk add-ons and apps is used to fetch and parse the logs.
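To make the syslog-ng-to-file-monitor path concrete, here is an added example `inputs.conf` for the standalone instance (constructed for this write-up, not the customer's actual configuration). It assumes syslog-ng writes one directory per vendor and per sending host under `/var/log/syslog-ng/`, that the `firewall` and `netmon` indexes already exist, and that the Palo Alto and Fortinet add-ons from Splunkbase are installed; the `intermapper` sourcetype is a placeholder name, since the page names no add-on for it.

```ini
# Added example, not the project's own configuration.
# Assumed syslog-ng layout: /var/log/syslog-ng/<vendor>/<host>/<date>.log
# Path segments (1-based, split on "/"): var=1 log=2 syslog-ng=3 <vendor>=4 <host>=5
# Sourcetypes below are the ones the vendor add-ons expect; confirm against the
# installed add-on version before relying on its field extractions.

[monitor:///var/log/syslog-ng/paloalto/*/*.log]
disabled = false
index = firewall
sourcetype = pan:log
# Use the directory name written by syslog-ng as the event host
host_segment = 5
# Syslog files share identical first lines after rotation; salt the CRC so
# each file is tracked separately instead of being skipped as "already read"
crcSalt = <SOURCE>
# Do not re-ingest old archives on first start
ignoreOlderThan = 7d
blacklist = \.(gz|bz2|zip)$

[monitor:///var/log/syslog-ng/fortigate/*/*.log]
disabled = false
index = firewall
sourcetype = fgt_log
host_segment = 5
crcSalt = <SOURCE>
ignoreOlderThan = 7d
blacklist = \.(gz|bz2|zip)$

[monitor:///var/log/syslog-ng/intermapper/*/*.log]
disabled = false
index = netmon
# Placeholder sourcetype: no add-on is specified for Intermapper on this page
sourcetype = intermapper
host_segment = 5
crcSalt = <SOURCE>
ignoreOlderThan = 7d
blacklist = \.(gz|bz2|zip)$
```

After restarting Splunk, `index=firewall sourcetype=pan:log | stats count by host` is a quick check that events are arriving with the per-device host rather than the syslog server's name.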
An advanced dashboard view was created using Splunk Dashboard Studio. We used Dashboard Studio to draw network diagrams showing all the network and security devices present at a site.
The Splunk implementation project for the client was completed in 15 PS days, subdivided into milestones for setting up the base environment infrastructure and testing environments structured to test the various scenarios and versions of the application. This staging environment served as a platform between the non-production and production environments, in which the application was tested by the end customers in a directed environment. Finally, the project concluded by setting up the production environment and going live with the business application in July 2021.
Complete and successful alpha, beta and user acceptance testing of all the dashboards verified the functionality of the entire monitoring system.
Meticulous analysis and rigorous stress testing of the application and infrastructure.
System logs are now present in a centralized location.
Continuous monitoring through dashboards was achieved.
Achieved 100% success in alpha, beta, user-acceptance and stress-test scenarios and subsequent cases.
Achieved 0% penetration points for the application and infrastructure.