Deploying a campus-wide Splunk environment at UNC Chapel Hill
1. UNC CAUSE 2013
Brent Caison
Liam Greenwood
Michael Bacon
ITS Open Systems
University of North Carolina – Chapel Hill
2. What is Splunk?
Log aggregator
Customized views/dashboard
Data visualization
Monitoring and events
You can tell your boss you're doing “Big Data!”
photo credit: Stefan (Flickr)
3. Original Architecture
[Architecture diagram; components: interactive users, Search Head 1, Indexer 1, forwarding hosts, three syslog servers behind an F5 BigIP VIP]
4. Split Architecture
[Architecture diagram: the original stack (interactive users, forwarding hosts, Search Head 1, Indexer 1, syslog servers behind an F5 BigIP VIP) alongside a second, separate stack for Windows/AD admins (Windows forwarders, Search Head 2, Indexer 2, syslog servers)]
5. Multi-tenant Architecture
[Architecture diagram: user populations 1–4, each with its own search head (Search Head 1–4); forwarding hosts and syslog servers behind an F5 BigIP VIP feed a pool of three indexers (Indexer 1–3)]
6. Delegated Administration
[Diagram: a user in Subpopulation A reaches the Search Head for Population A; Apache with a Shibboleth SP fronts the splunkweb service, which sits beside the splunkd service and its config "App"; Splunk config files come from a Puppet configuration service; Subpopulation A membership flows from the Grouper service into the Campus Directory (OpenLDAP)]
Subpop admins modify membership: the admins for Subpopulation A manage Subpopulation A membership in Grouper
Groups may contain other groups
Splunk admins create roles
Groups in LDAP match Splunk roles: the LDAP group campus-subpop-A, under the splunk tree, corresponds to the campus-subpop-A role
Splunk config files are “cooked” by Puppet and pushed to the splunk service
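A worked example of the role-mapping convention on this slide, added by the editor and not taken from the UNC deck or its Puppet code: LDAP groups under a splunk subtree are matched one-to-one to Splunk roles, nested membership is flattened so a subpopulation admin can see who actually ends up in a role, and the resulting authentication.conf roleMap stanza is rendered as configuration management would push it. The base DN, LDAP strategy name and group data are constructed assumptions.

```python
"""Editor-added example: derive Splunk roles from LDAP groups under a
'splunk' subtree and render the [roleMap_*] stanza of authentication.conf.
Base DN, strategy name and directory data are constructed assumptions."""
import re

SPLUNK_GROUP_BASE = "ou=splunk,ou=groups,dc=example,dc=edu"  # assumed
STRATEGY = "campusldap"  # assumed name of the LDAP strategy stanza

# Constructed sample directory data: group DN -> member DNs. Members may be
# users or other groups, since subpop admins may nest groups (and may even
# create a cycle by mistake).
SAMPLE_GROUPS = {
    "cn=campus-subpop-A,ou=splunk,ou=groups,dc=example,dc=edu": [
        "uid=alice,ou=people,dc=example,dc=edu",
        "cn=campus-subpop-A-admins,ou=splunk,ou=groups,dc=example,dc=edu",
    ],
    "cn=campus-subpop-A-admins,ou=splunk,ou=groups,dc=example,dc=edu": [
        "uid=bob,ou=people,dc=example,dc=edu",
        "cn=campus-subpop-A,ou=splunk,ou=groups,dc=example,dc=edu",  # cycle
    ],
    "cn=campus-subpop-B,ou=splunk,ou=groups,dc=example,dc=edu": [
        "uid=carol,ou=people,dc=example,dc=edu",
    ],
    # Outside the splunk tree: must never become a Splunk role.
    "cn=staff,ou=groups,dc=example,dc=edu": ["uid=dave,ou=people,dc=example,dc=edu"],
}


def role_for_group(group_dn):
    """Return the Splunk role matching a group DN, or None when the group
    lives outside the splunk subtree (only that subtree grants access)."""
    pattern = r"cn=([A-Za-z0-9_-]+)," + re.escape(SPLUNK_GROUP_BASE)
    m = re.fullmatch(pattern, group_dn, re.IGNORECASE)
    return m.group(1) if m else None


def effective_members(group_dn, groups, _seen=None):
    """Flatten nested group membership to a set of user DNs, cycle-safe."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    users = set()
    for member in groups.get(group_dn, []):
        if member in groups:  # nested group: descend
            users |= effective_members(member, groups, _seen)
        else:
            users.add(member)
    return users


def render_rolemap(groups):
    """Emit the roleMap stanza: each role maps to the LDAP group of the same
    name (compared by cn, i.e. Splunk's groupNameAttribute)."""
    lines = [f"[roleMap_{STRATEGY}]"]
    for dn in sorted(groups):
        role = role_for_group(dn)
        if role:
            lines.append(f"{role} = {role}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rolemap(SAMPLE_GROUPS))
    for dn in SAMPLE_GROUPS:
        print(dn, "->", sorted(effective_members(dn, SAMPLE_GROUPS)))
```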