Splunk for Effective Monitoring of IT Security on Multiple Environments

A US based global solutions provider for aerospace and defence, energy and chemicals, intel and data science, and federal and civilian markets. The company has a revenue of over USD 4 billion and employees 40k personnel across consulting, technology, engineering and construction solutions. The company is publicly raded on New York Stock Exchange.

Citrus Consulting Services Implements Splunk for effective monitoring of IT security on several applications/devices in multiple environments (Cisco, Juniper, Office 365, remote servers and network devices).

To implement and configure Splunk log monitoring solution, build security use cases and dashboards to monitor client’s environment.

The client aimed to utilize Splunk to proactively and continuously monitor, analyse and investigate any potential malicious activity on their network. Thus, ensuring confidentiality, integrity and availability of their IT environment.

A standalone instance was implemented as search head, indexer, syslog server, license master and deployment server.

The Endpoint devices like firewalls, routers, switches send syslog to the Splunk server. Splunk internal file monitor method is used to fetch data from the stored syslog files. Splunk then parse the data files and store them in indexes to be used in searches.

Splunk add-on for office 365 used to fetch and parse the data from exchange servers. Linux and Windows servers are sending system and audit logs to Splunk using the universal forwarder.

As mentioned in the previous section, the architecture deployed is an example of single instance deployment where a single instance is working search head, indexer, syslog server, license master and deployment server

Linux machines are sending audit and system logs to Splunk through universal forwarder. Universal forwarder is a Splunk agent installed on the remote server where the logs are being generated. There is a Splunk supported add-on for Unix/Linux server configured for the input and parsing purpose. It is always the best practice to consider Splunk supported add-ons and apps from the Splunk base only.

On Windows too, we are collecting audit and windows events to Splunk server using windows compatible universal forwarder.

Cisco Devices, ESXi hosts, network firewalls and switches are sending their logs via syslog to the Splunk server. Syslog-ng was used to capture these logs. With syslog-ng, we used Splunk monitor inputs option and source specific Splunk add-ons and apps to fetch the logs and parsing.

Exchange server is sending message trace API logs through a Splunk add-on for Office365.

The Splunk implementation was completed in 8 weeks and comprised of activities like setting up the base environment infrastructure, testing environments structured to test various scenarios and versions of the application. The staging environment acted as a platform between the non-production environment and the production environment and was used for application testing. The project was concluded by setting up the production environment and going live with business application.

• Complete and successful alpha, beta and user-acceptance Testing of dashboards including functionality of the entire monitoring system.
• Successful completion of stress testing for the application and supporting infrastructure.
• ‘Single window’ for security visibility and real time alerts.
• Proactive and continuous monitoring of network through dashboards
• Centralization of system logs
• Successful alpha, beta, user-acceptance and stress testing of scenarios and subsequent casesZero penetration points for the application and supporting infrastructure