Deployment Best Practices for Splunk Apps Monitoring Microsoft-based Infrastructure
Sharad Kylasam, Sr. Product Manager
Jeff Bernt, SDET
#splunkconf
Copyright 2013 Splunk Inc.
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2013 Splunk Inc. All rights reserved.
About Us
Sharad Kylasam:
- At Splunk for 1 year
- Product Manager responsible for Splunk on Windows and Microsoft Apps
- Previously at Microsoft for 6 years as PM in Windows Networking, working on Remote Access technologies
Jeff Bernt:
- At Splunk for ~6 months
- QA responsible for Microsoft Apps
- Previously at Expedia; managed their entire Splunk infrastructure
Agenda
- Typical Distributed Deployment Architecture
- Common Issues and Fixes
- Common Customizations
- Summary
Deployment Architecture
Deployment Architecture (diagram): deployment server; universal forwarder (collect and send data); indexer; search head (retrieve data)
What Goes Where: Each Tier
Universal forwarder tier
- Splunk universal forwarder + appropriate add-ons
- Native inputs: event log, Perfmon, etc.
- PowerShell scripts
Indexer tier
- Splunk Enterprise + appropriate add-ons
- Knowledge layer extractions
Search head tier
- Splunk Enterprise + appropriate apps
- Dashboards and visualizations
- Search time extractions
Examples for Supported Apps
Universal forwarder tier add-ons:
- Splunk_TA_Windows
- TA-Exchange-<ver>-<role>
- TA-Windows-<ver>-Exchange-IIS (CAS only)
- TA-DomainController-NTx
- TA-DNSServer-NTx
Indexer and search head tier apps and add-ons:
- Splunk_for_Exchange
- TA-SMTP-Reputation
- Splunk_for_ActiveDirectory
- Splunk App Microsoft
- SA-ldapsearch
- Splunk_TA_Windows
Common Deployment Issues and Fixes
Initial Deployment of UF at Scale
- deploy-uf.cmd:
    msiexec.exe /i splunkforwarder.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER="spdeploy:8089" INSTALL_SHORTCUT=0 /quiet
- Can utilize tools like Orca (Windows SDK) to create transform (MST) files to push out via group policy for small-scale deployments
- Use tools such as SCCM, Puppet, or Chef for large-scale deployments and management
- Install as part of an image: configure the Splunk UF as required (deployment server, indexer(s), etc.), then stop Splunk and run ./splunk clone-prep-clear-config, which will clear the forwarder-specific items such as name and GUID
Location: $
Deployment Server
- On your deployment server, copy technology add-ons to etc\deployment-apps. For Splunk App Microsoft, add-ons are located at splunk_app_microsoft\appserver\addons
- Make all changes to configuration within the etc\apps\<ta>\local\ folder
- Make sure your serverclass.conf file appropriately matches the add-ons to the versions of the OS and technology:
    [serverclass:exchange-cas-server]
    whitelist.0 = 10.0.1.2
    whitelist.1 = 10.0.3.5
    [serverclass:exchange-cas-server:app:ta-exchange-2013-clientaccess]
    [serverclass:exchange-cas-server:app:ta-windows-2008r2-exchange-iis]
    [serverclass:exchange-cas-server:app:splunk_ta_windows]
- All Technology Add-ons are published with the app
Location: $
Universal Forwarder
- Alter configuration files to match your indexing scheme
- Message tracking logs: alter for the actual location
  TA for Exchange 2013: TA-Exchange-2013-Mailbox
  TA for Exchange 2007 and 2010: TA-Exchange-<ExchangeVersion>-HubTransport
  Sample stanza for Exchange 2010:
    [monitor://c:\program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking]
    whitelist=\.log$|\.LOG$
    sourcetype=msexchange:2010:messagetracking
    queue=parsingqueue
    index=msexchange
    disabled=false
- IIS logs: alter for the actual location
  TA: TA-Windows-<WindowsVersion>-Exchange-IIS
  Sample stanza for Windows Server 2012:
    [monitor://c:\inetpub\logs\logfiles\w3svc1\*.log]
    sourcetype=mswindows:2012:iis
    queue=parsingqueue
    index=msexchange
    disabled=false
Universal Forwarder
- Enable PowerShell
  May need to install and/or enable via GPO
  Set-ExecutionPolicy
  Unblock (if necessary) the downloaded PowerShell scripts
  http://docs.splunk.com/documentation/activedirectory/latest/deployad/EnableAuditingandPowerShellondomaincontrollers
- Install a universal forwarder on all servers
  Domain user / local system privileges
  Open the advanced firewall (ports 8089 / 9997) if necessary
- Connect forwarder to deployment server and indexing tier
  Control app and TA management
  Controls what to send to the indexer
  Controls where to send the data
Indexer
- Indices
  perfmon for performance data
  msexchange for all other Exchange data
  msad for all AD data
  winevents for event log data
  main for everything else
- Configured by default by Splunk App Microsoft. indexes.conf setting (attribute names are case-sensitive):
    [msexchange]
    homePath = $SPLUNK_DB/msexchange/db
    coldPath = $SPLUNK_DB/msexchange/colddb
    thawedPath = $SPLUNK_DB/msexchange/thaweddb
    maxDataSize = 10000
    maxHotBuckets = 10
- Index configuration: http://docs.splunk.com/documentation/splunk/5.0.4/indexer/configureindexstorage
- Make sure your eventtypes match your indices. eventtypes.conf settings:
    [msexchange-index]
    search = index=msexchange
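An added example (not part of the slides) of the "eventtypes must match your indices" check: it parses constructed indexes.conf and eventtypes.conf text in the layout shown above and reports every eventtype whose search names an index that is not defined; the "msad" gap in the sample is deliberate, and the built-in "main" index is assumed to always exist.

```python
import configparser
import re
from io import StringIO

# Constructed sample modelled on the slide's indexes.conf stanza; "msad" is
# deliberately left undefined so the check has something to report.
INDEXES_CONF = """
[msexchange]
homePath = $SPLUNK_DB/msexchange/db
coldPath = $SPLUNK_DB/msexchange/colddb
thawedPath = $SPLUNK_DB/msexchange/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
[perfmon]
homePath = $SPLUNK_DB/perfmon/db
"""

# Constructed eventtypes.conf: one stanza matches the slide, one points at msad.
EVENTTYPES_CONF = """
[msexchange-index]
search = index=msexchange
[msad-index]
search = index=msad OR index="perfmon"
"""

# Matches index=foo and index="foo"; wildcard names are skipped by the check.
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)


def load_conf(text):
    """Parse a Splunk .conf file: INI-like, '=' delimiter only, no $VAR
    interpolation, and case-sensitive attribute names (homePath != homepath)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(StringIO(text))
    return cp


def undefined_index_refs(indexes_conf, eventtypes_conf, builtin=("main",)):
    """Return {eventtype: [missing indices]} for each eventtype whose search
    references an index that indexes.conf (plus the built-ins) does not define."""
    defined = set(load_conf(indexes_conf).sections()) | set(builtin)
    eventtypes = load_conf(eventtypes_conf)
    problems = {}
    for name in eventtypes.sections():
        refs = INDEX_RE.findall(eventtypes[name].get("search", ""))
        missing = sorted({r for r in refs if "*" not in r and r not in defined})
        if missing:
            problems[name] = missing
    return problems
```

Run it against the real files under etc\apps\<app>\local and etc\apps\<app>\default on the search head; an eventtype that points at a missing index is the usual reason a dashboard stays empty.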
Preparing Your Active Directory Forest
- Create a Splunk Search user
  Give the user a non-expiring complex password
  Limit the user to only log on from Splunk search heads
  Used for Active Directory lookups
- Create a Splunk for Active Directory GPO
  Use the normal Group Policy Management Console
  Specifics of the group policy are in the documentation
- Apply the Splunk for Active Directory GPO to all domain controllers
  Link the group policy to the Domain Controllers container of each domain
  Use gpupdate to push out the policy to all domain controllers
Turn on Audit Logs
- Impact of not having audit logs turned on? Reports/dashboards within the app do not return any results
- How do you turn on audit logs? Create a GPO that has auditing turned on and link it to the Domain Controllers OU
- Sample command to turn on auditing on mailboxes:
    Set-Mailbox username -AuditEnabled $true
Common Customizations
Exchange: Configuring TA-SMTP-Reputation
- Needs to be on a machine which has global DNS access
  Recommend the indexer as long as it has outbound internet access
  If not, install on a heavy forwarder
  Dependency on Python; cannot be on a universal forwarder
- Copy default/reputation.conf to local/reputation.conf
- Add in your OUTBOUND mail servers' GLOBAL IP ADDRESSES. Example stanza in reputation.conf:
    [mailservers]
    iplist = 180.222.96.138;195.50.106.142;202.86.5.36;202.86.5.88
- To modify the list of DNS blacklist servers to check against, modify the list located in \bin\check_my_reputation.py; default shipping list below:
    dnsbl_list = [
        '0spam.fusionzero.com', 'access.redhawk.org', 'all.spamrats.com', 'b.barracudacentral.org', 'blackholes.five-ten-sg.com',
        'bl.blocklist.de', 'bl.emailbasura.org', 'bl.mailspike.org', 'bl.score.senderscore.com', 'bl.spamcannibal.org', 'bl.spamcop.net',
        'bl.spameatingmonkey.net', 'bogons.cymru.com', 'cbl.abuseat.org', 'cblplus.anti-spam.org.cn', 'combined.njabl.org',
        'db.wpbl.info', 'dnsbl-1.uceprotect.net', 'dnsbl-2.uceprotect.net', 'dnsbl-3.uceprotect.net', 'dnsbl.ahbl.org',
        'dnsbl.dronebl.org', 'dnsbl.inps.de', 'dnsbl.justspam.org', 'dnsbl.kempt.net', 'dnsbl.solid.net', 'dnsbl.sorbs.net',
        'dnsbl.tornevall.org', 'dnsbl.webequipped.com', 'dnsrbl.swinog.ch', 'fnrbl.fast.net', 'ips.backscatterer.org',
        'ix.dnsbl.manitu.net', 'korea.services.net', 'l2.apews.org', 'list.blogspambl.com', 'mail-abuse.blacklist.jippg.org',
        'psbl.surriel.com', 'rbl.choon.net', 'rbl.dns-servicios.com', 'rbl.efnetrbl.org', 'rbl.orbitrbl.com', 'rbl.polarcomm.net',
        'singlebl.spamgrouper.com', 'spam.abuse.ch', 'spam.dnsbl.sorbs.net', 'spam.pedantic.org', 'spamguard.leadmon.net',
        'spamrbl.imp.ch', 'spamsources.fabel.dk', 'spamtrap.trblspam.com', 'st.technovision.dk', 'tor.dan.me.uk',
        'tor.dnsbl.sectoor.de', 'truncate.gbudb.net', 'ubl.unsubscore.com', 'virbl.dnsbl.bit.nl' ]
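An added example (not the TA's own check_my_reputation.py) showing how a DNSBL lookup of the servers in reputation.conf works: the reversed-octet query name, the 127.x answer that means "listed", and why the slide insists on global addresses. The conf text is constructed, reusing the first two addresses from the slide's example iplist; offline_resolver is a constructed stand-in for socket.gethostbyname so the script runs without network access.

```python
import ipaddress
import socket

# Constructed reputation.conf in the slide's layout; the two addresses are the
# first two from the slide's own example iplist.
REPUTATION_CONF = """
[mailservers]
iplist = 180.222.96.138;195.50.106.142
"""
# Two zones taken from the dnsbl_list that ships in check_my_reputation.py.
DNSBL_ZONES = ["bl.spamcop.net", "psbl.surriel.com"]


def parse_iplist(conf_text):
    """Return the semicolon-separated iplist from the [mailservers] stanza."""
    in_stanza = False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_stanza = line == "[mailservers]"
        elif in_stanza and line.startswith("iplist"):
            return [ip.strip() for ip in line.partition("=")[2].split(";") if ip.strip()]
    return []


def dnsbl_query_name(ip, zone):
    """DNSBL convention: 180.222.96.138 is looked up as 138.96.222.180.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_global:  # the slide asks for GLOBAL addresses for a reason
        raise ValueError(f"{ip} is not a global address; DNSBLs only list public IPs")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def offline_resolver(name):
    """Constructed stand-in for socket.gethostbyname: one listing, else NXDOMAIN."""
    if name == "138.96.222.180.bl.spamcop.net":
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN (constructed)")


def check_reputation(conf_text, zones, resolve=socket.gethostbyname):
    """Return {ip: [zones listing it]}; a 127.0.0.0/8 A record means listed."""
    listed = {}
    for ip in parse_iplist(conf_text):
        hits = []
        for zone in zones:
            try:
                answer = resolve(dnsbl_query_name(ip, zone))
            except OSError:  # socket.gaierror is an OSError: NXDOMAIN, not listed
                continue
            if answer.startswith("127."):
                hits.append(zone)
        listed[ip] = hits
    return listed
```

With the default resolver the host running it needs exactly the outbound DNS access the slide describes, which is why the TA lives on the indexer or a heavy forwarder rather than a universal forwarder.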
Exchange: Customizations Using Macros
- `msgs-per-hr-gauge`: used to render the messages/hour gauge. Gauge ranges: 0, 1000, 3500, 5000
- `is-internal-ip(<ip-addr>)`: checks if a given IP address is internal. By default, RFC 1918 ranges and FE80:: are treated as internal
Configuring the LDAP Knowledge Component
- Configure the SA-ldapsearch/local/ldap.conf file:
    [SPL]
    server = 172.20.1.11
    port = 636
    ssl = true
    basedn = dc=spl,dc=com
    binddn = CN=Searcher,CN=Users,dc=spl,dc=com
    password = {64}jpoej4jgi9ot4895tu49
    [spl.com]
    alias = SPL
    [DC=spl,DC=com]
    alias = SPL
Troubleshooting the LDAP Knowledge Component
- Configure the SA-ldapsearch/local/ldap.conf file
  If you see Errorcode = 1, there's a problem with ldap.conf (likely the password is incorrect)
  ssl = true and port 636 should ONLY be used when you have a CA and the necessary certificates
  port = 389 and ssl = false can be used for testing until the certificates are set up
  Use a standard domain user account in ldap.conf; the user needs a full LDAP string, e.g. cn=user1,cn=users,dc=domain1,dc=com
  Additional security: encode your password with base64 and only use plaintext in testing
- Note: edit and save; no need to restart the search head
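An added example (not part of SA-ldapsearch) that applies the troubleshooting rules above to an ldap.conf: it produces the {64}<base64> password form and flags any domain stanza still on the port-389/ssl=false testing settings, with a plaintext password, or with a binddn that is not a full DN. The ldap.conf text is constructed; the assumption that alias stanzas carry no server= line comes from the slide's own sample.

```python
import base64
import configparser
from io import StringIO

# Constructed ldap.conf in the slide's layout, still on the port-389 testing
# settings, with a plaintext bind password and a bare username as binddn.
LDAP_CONF = """
[SPL]
server = 172.20.1.11
port = 389
ssl = false
basedn = dc=spl,dc=com
binddn = Searcher
password = hunter2

[spl.com]
alias = SPL
"""


def encode_password(plaintext):
    """Produce the {64}<base64> form ldap.conf accepts. This is obfuscation, not
    encryption: anyone who can read the file can decode it, so keep ACLs tight."""
    return "{64}" + base64.b64encode(plaintext.encode()).decode()


def audit_ldap_conf(text):
    """Return (stanza, finding) pairs for every domain stanza (one with a server=
    line; alias stanzas are skipped) that is still on testing-only settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(StringIO(text))
    findings = []
    for name in cp.sections():
        s = cp[name]
        if "server" not in s:
            continue
        port = int(s.get("port", "389"))
        if not s.get("password", "").startswith("{64}"):
            findings.append((name, "password is plaintext; use the {64}<base64> form outside testing"))
        if s.get("ssl", "false").lower() != "true":
            findings.append((name, f"ssl = false on port {port} is for testing until certificates are set up"))
        elif port != 636:
            findings.append((name, f"ssl = true but port is {port}; LDAPS uses 636"))
        binddn = s.get("binddn", "").lower()
        if not binddn.startswith("cn=") or "dc=" not in binddn:
            findings.append((name, "binddn must be a full DN such as cn=user1,cn=users,dc=domain1,dc=com"))
    return findings
```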
Other Customizations
- Modify the searches to improve performance, e.g. message tracking: remove the transaction command
- Localization
  Perfmon inputs.conf to use local-language counters
  Event log and Perfmon via props and transforms
Summary
Key Takeaways
- Deployment consists of multiple moving parts: data collection, indexing, searches/dashboards
- Enterprise infrastructure may require configuration changes to accommodate Splunk
- Apps need to be customized to meet the enterprise requirements
- A wealth of documentation describes the above aspects and can be found at http://docs.splunk.com/documentation
Next Steps
1. Download the .conf2013 Mobile App (if not iPhone, iPad or Android, use the Web App)
2. Take the survey & WIN A PASS FOR .CONF2014, or one of these bags!
3. Go to the sessions listed on the next slide
Additional Resources
Related .conf2013 sessions:
- Windows Inputs and Microsoft Apps Strategy: Nolita 1, Level 4, October 3rd, 10:15-11:15am
- Technical Deep Dive: ODBC driver for Windows: Brera 6, Level 3, October 3rd, 1:45-2:45pm
Questions?