We are refining our Splunk hybrid (cloud + on-premise) architecture design and are looking for ideas and experience sharing in that particular area.

We have a clustered (Indexers and SHs) Splunk infrastructure on premise in our data center to centralize logs from on-premise computers and perform their security monitoring with Enterprise Security.

We are now starting to use the cloud (AWS now and also Azure in the near future) for hosting some of our information systems and are defining the architecture for these log data ingestion also in the cloud (e.g. CloudWatch to Firehose to ELB to several Splunk HFs in AWS).

For indexing these cloud logs, one option we have is to build also a Splunk indexers cluster in AWS (and Azure later), but this won't allow our existing on-prem Enterprise Security SHs cluster to access that data (from what we can read, hybrid search is only supporting one standalone on-prem search head and not a cluster, and premium apps like ES are explicitly not supported for hybrid search).

Since hybrid search seems not possible, one alternative we have in mind is to forward log events from HFs in the cloud to our existing on-prem indexer cluster via our existing AWS Direct Connect lines, but we would like your feedback on feasibility, latency/performance and traffic costs.

Another alternative is to build a full (Indexers + ES SHs) clustered infra in the cloud (AWS, Azure), but this won't be as "user friendly" for our Splunk users (like the SOC team) as they will have to switch between 2 or 3 different Splunk installations.
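As an added illustration of the "forward from cloud HFs to the on-prem indexer cluster" option (this is example configuration written for this page, not the poster's own setup or a Splunk reference): the heavy forwarders in AWS learn the on-prem indexer list from the cluster manager over Direct Connect, forward over TLS with mutual certificate checks, and use indexer acknowledgement so a link blip does not silently lose events. Hostnames, ports, certificate paths and secrets below are placeholders, not values from the post.

```ini
# ---- File 1: outputs.conf on each cloud-side heavy forwarder ----
# Assumed location: $SPLUNK_HOME/etc/system/local/outputs.conf
# All hostnames, paths and secrets are placeholders for this example.

[tcpout]
defaultGroup = onprem_indexers

[tcpout:onprem_indexers]
# Ask the on-prem cluster manager for the current indexer list instead of
# hard-coding server = ...; indexer changes on-prem need no forwarder redeploy.
indexerDiscovery = onprem_cluster

# Indexer acknowledgement: the HF keeps a batch in its wait queue until an
# indexer confirms it was written, then resends on a Direct Connect outage.
useACK = true

# Long-haul link: a larger in-flight queue rides out latency spikes.
maxQueueSize = 500MB

# TLS to the indexers, with the indexer certificate verified against the
# on-prem CA and a client certificate presented by the forwarder.
sslRootCAPath = $SPLUNK_HOME/etc/auth/onprem-ca.pem
clientCert = $SPLUNK_HOME/etc/auth/hf-client.pem
sslPassword = <client-key-password-placeholder>
sslVerifyServerCert = true

# Rotate across indexers every 30 s so one WAN flow does not saturate.
autoLBFrequency = 30

[indexer_discovery:onprem_cluster]
# Cluster manager reached across Direct Connect (placeholder host).
master_uri = https://cm.onprem.example.internal:8089
pass4SymmKey = <cluster-secret-placeholder>


# ---- File 2: inputs.conf on each on-prem indexer (receiving side) ----
# Assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf

[splunktcp-ssl:9997]
# Only accept forwarders that present a certificate signed by our CA.
requireClientCert = true

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer-server.pem
sslPassword = <server-key-password-placeholder>
sslRootCAPath = $SPLUNK_HOME/etc/auth/onprem-ca.pem
```

Usage note: after restarting a forwarder, `splunk list forward-server` on it shows whether each discovered indexer is in the active or inactive list, which is the quickest feasibility check of the Direct Connect path. Two things the post's questions hinge on are not answered by this config alone: with `useACK = true`, sustained WAN latency shows up as forwarder queue growth rather than dropped events, so queue fill on the HFs is the metric to watch; and the traffic cost is driven by the post-parsing event volume the HFs emit, which the cluster's own licence usage reports give you per day.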