Copyright © 2014 Splunk Inc.
Deploying the Splunk App for Microsoft Exchange
Jeff Bernt – SDET

Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
About Me
Jeff Bernt:
• At Splunk for ~ a year and a half
• QA responsible for Microsoft Apps
• Previously at Expedia; managed their entire Splunk infrastructure, end to end
• Microsoft SDET before that, working on Exchange, SharePoint, and System Center
• Twitter/IRC: DaGryph
Agenda
• Problem: You have Microsoft Exchange issues, but they are difficult to locate and resolve easily. The new Splunk App for Microsoft Exchange can help you with these issues, but it requires a potentially complex installation process in order to deploy fully.
• Solution: This talk will be about common pain points and resolutions in order to get the app and add-ons deployed successfully.
• Why are we doing this? We want to make sure you are successful with our new app!
• Typical distributed deployment architecture
• Common issues and fixes
• Common customizations
• Summary
Deployment Architecture
[Architecture diagram: Universal Forwarder (collect and send data) → Indexer → Search Head (retrieve data); a Deployment server manages the forwarders]
What Goes Where – Each Tier
• Universal Forwarder tier: Splunk Universal forwarder + appropriate add-ons
  – Native inputs – Event log, Perfmon, etc.
  – PowerShell scripts
• Indexer tier: Splunk Enterprise + appropriate add-ons
  – Knowledge layer extractions
• Search Head tier: Splunk Enterprise + appropriate Apps
  – Dashboards and Visualizations
  – Search time extractions
Examples for Supported Apps (the add-ons that go with each app; the original slide laid these out as a table)
• Splunk App for Microsoft Exchange: TA-Exchange-<ver>-<role>, TA-Windows-<ver>-Exchange-IIS (CAS only), TA-SMTP-Reputation, Splunk Add-on for Windows (Splunk_TA_Windows), alongside the Splunk App for Windows Infrastructure
• Splunk App for Windows Infrastructure: TA-DomainController-NTx, TA-DNSServer-NTx, Splunk Add-on for Windows (Splunk_TA_Windows)
• Splunk App for VMware: Splunk_TA_vmware, SA-Utils / SA-Hydra, Splunk_TA_esxilogs, Splunk_TA_vcenter
Demo
Common Deployment Issues and Fixes
Initial Deployment of UF
• How to install as part of an image
  – Configure the Splunk UF as required: deployment server, indexer(s), etc.
  – Stop Splunk and run: .\splunk clone-prep-clear-config, which will clear the forwarder-specific items such as name and GUID
• Note: TA-Windows is required. Splunk_TA_Windows comes turned off out of the package; you must configure and enable the inputs you're looking for. Then, deploy Splunk_TA_Windows to forwarders, search heads, AND the indexers
  – Location: $
Deployment Server
• Copy Add-ons FROM: C:\Program Files\Splunk\etc\splunk_app_microsoft_exchange\appserver\addons
• TO: Deployment Server: C:\Program Files\Splunk\etc\deployment-apps
• Make all changes to configuration within the etc\apps\<TA>\local\ folder
• Don't forget, SA-ModularInput-PowerShell requires additional steps for architecture (x86 vs x64)
• Make sure your serverclass.conf file appropriately matches the add-ons to the versions of the OS and Technology. All Technology Add-ons are published with the app
Universal Forwarder
• Alter configuration files to match your indexing scheme
  – Message Tracking Logs – alter for the actual location
    – TA: For Exchange 2007 and 2010: TA-Exchange-<ExchangeVersion>-HubTransport
    – TA: For Exchange 2013: TA-Exchange-2013-Mailbox
  – IIS Logs – same idea for monitor path; my Twitter account (@dagryph) has more info
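The deployment-server steps above (copy the add-ons, make changes only in each TA's local folder, enable the Windows inputs, point the message tracking monitor at the real path, match add-ons to versions in serverclass.conf) as one PowerShell script. This is an added example, not code from the deck or from Splunk; the install paths, host name patterns, the message tracking log location and the sourcetype are assumptions that need to be checked against your environment and against the TA's own default\inputs.conf.

```powershell
# Added example (not from the deck): stage the Exchange add-ons on the deployment
# server and make the local-folder edits the talk describes.
# Assumptions (not from the deck): the app lives under etc\apps like any other
# app; host name patterns, the message tracking path and the sourcetype are
# placeholders, so confirm the sourcetype against the TA's default\inputs.conf.
$SplunkHome     = 'C:\Program Files\Splunk'
$AppAddons      = Join-Path $SplunkHome 'etc\apps\splunk_app_microsoft_exchange\appserver\addons'
$DeploymentApps = Join-Path $SplunkHome 'etc\deployment-apps'

# 1. Copy every add-on shipped inside the app into deployment-apps.
Get-ChildItem -Path $AppAddons -Directory | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination (Join-Path $DeploymentApps $_.Name) -Recurse -Force
}

function Set-LocalConf {
    # Write a conf file into <TA>\local so the TA's default folder stays
    # untouched and the change survives an upgrade of the add-on.
    param([string]$Ta, [string]$File, [string]$Content)
    $localDir = Join-Path $DeploymentApps "$Ta\local"
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null
    Set-Content -Path (Join-Path $localDir $File) -Value $Content -Encoding ASCII
}

# 2. Splunk_TA_Windows ships with its inputs disabled; enable the ones we need.
Set-LocalConf -Ta 'Splunk_TA_Windows' -File 'inputs.conf' -Content @'
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog
'@

# 3. Point the Exchange 2013 mailbox TA at the real message tracking log path.
#    Path and sourcetype are assumptions; the sourcetype must match the TA's
#    default\inputs.conf or the app's extractions will not apply.
Set-LocalConf -Ta 'TA-Exchange-2013-Mailbox' -File 'inputs.conf' -Content @'
[monitor://D:\ExchangeLogs\TransportRoles\Logs\MessageTracking]
disabled = 0
index = msexchange
sourcetype = MSExchange:2013:MessageTracking
'@

# 4. serverclass.conf: bind each add-on to the OS/Exchange version it targets,
#    filtering on host name pattern and machine type so a 2010 TA never lands
#    on a 2013 server (host name patterns are placeholders).
$serverclass = @'
[serverClass:exchange_2013_mailbox]
whitelist.0 = ex13mbx-*
machineTypesFilter = windows-x64

[serverClass:exchange_2013_mailbox:app:TA-Exchange-2013-Mailbox]
restartSplunkd = true

[serverClass:exchange_2013_mailbox:app:Splunk_TA_Windows]
restartSplunkd = true

[serverClass:exchange_2010_hub]
whitelist.0 = ex10hub-*
machineTypesFilter = windows-x64

[serverClass:exchange_2010_hub:app:TA-Exchange-2010-HubTransport]
restartSplunkd = true
'@
$sysLocal = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $sysLocal -Force | Out-Null
Set-Content -Path (Join-Path $sysLocal 'serverclass.conf') -Value $serverclass -Encoding ASCII

# Tell the deployment server to re-read serverclass.conf without a restart.
& (Join-Path $SplunkHome 'bin\splunk.exe') reload deploy-server
```

Keeping every edit in the TA's local folder (step 2 and 3) is what lets you drop in a newer version of the add-on later without losing the site-specific paths; the whitelist and machineTypesFilter pair in step 4 is the check that stops a Hub Transport TA from being pushed to a 2013 mailbox server.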
PowerShell on the UF
• Enable PowerShell
  – May need to install and/or enable via GPO
  – Set-ExecutionPolicy RemoteSigned
  – SA-ModularInput-PowerShell: if you get errors in the UI about PowerShell, or things aren't working, verify:
    – Requirements: Windows Management Framework 3.0, .NET Framework 4.5
    – If using the 64-bit version of the modinput, copy SA-ModularInput-PowerShell\windows_x86_64\bin to SA-ModularInput-PowerShell\bin; else copy the x86 version to the SA-ModularInput-PowerShell\bin folder.
  – Unblock (if necessary) the downloaded PowerShell scripts; defaults to AllSigned
  – http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/EnableAuditingandPowerShellondomaincontrollers
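A check script for the prerequisites on this slide, as an added example that is not from the deck or from Splunk: it tests the WMF/.NET versions and the execution policy, copies the binaries for the machine's architecture into the modinput's bin folder, and unblocks only the TA's own downloaded scripts. The forwarder install path and the name of the 32-bit folder ('windows_x86') are assumptions; the slide only names the 64-bit folder.

```powershell
# Added example (not from the deck): verify the PowerShell prerequisites the
# talk lists on a forwarder and stage the right SA-ModularInput-PowerShell
# binaries for the machine's architecture.
# Assumptions (not from the deck): the UF install path and the name of the
# 32-bit binary folder ('windows_x86') are placeholders.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$SaPath     = Join-Path $SplunkHome 'etc\apps\SA-ModularInput-PowerShell'

function Test-ModInputPrereqs {
    # Returns a list of problems; an empty list means the host meets the
    # requirements on the slide (WMF 3.0 / PowerShell 3, .NET 4.5, and a
    # policy that lets signed downloaded scripts run).
    $problems = @()
    if ($PSVersionTable.PSVersion.Major -lt 3) {
        $problems += "PowerShell $($PSVersionTable.PSVersion) found; WMF 3.0 or later required"
    }
    # .NET 4.5 registers Release >= 378389 under the v4\Full key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 378389) {
        $problems += '.NET Framework 4.5 or later not installed'
    }
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    if ('Restricted', 'Undefined' -contains "$policy") {
        $problems += "Execution policy is $policy; RemoteSigned is needed for the modinput scripts"
    }
    return $problems
}

$issues = @(Test-ModInputPrereqs)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    return
}

# Pick the binaries matching the OS architecture: the 64-bit build lives in
# windows_x86_64\bin per the slide; the 32-bit folder name is an assumption.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'windows_x86_64' } else { 'windows_x86' }
$src  = Join-Path $SaPath "$arch\bin"
$dst  = Join-Path $SaPath 'bin'
New-Item -ItemType Directory -Path $dst -Force | Out-Null
Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force

# Downloaded scripts carry a Zone.Identifier stream that AllSigned/RemoteSigned
# policies refuse to run; clear it on the add-ons' files only, not system-wide.
Get-ChildItem -Path (Join-Path $SplunkHome 'etc\apps') -Recurse -Include *.ps1, *.psm1, *.dll |
    Unblock-File
```

Scoping Unblock-File to the Splunk apps folder, rather than loosening the execution policy to Unrestricted, keeps RemoteSigned doing its job for everything else on the host; Unblock-File itself needs PowerShell 3, which the check above already requires.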
Universal Forwarder
• Install a Universal Forwarder on all servers
  – Domain user / Local System privileges
  – Open the Advanced Firewall (ports 8089 / 9997) if necessary
• Connect Forwarder to Deployment Server and Indexing tier
  – Control app and TA management
  – Controls what to send to the indexer
  – Controls where to send the data
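The image-preparation steps from the "Initial Deployment of UF" slide combined with the connection and firewall steps on this one, as an added example that is not from the deck or from Splunk: it writes the deployment client and outputs configuration, adds the firewall rules, then stops the forwarder and clears its identity with clone-prep-clear-config. Install path, deployment server and indexer names are placeholders, and the firewall cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the deck): prepare a Universal Forwarder install to be
# captured as an image, per the "Initial Deployment of UF" and "Universal
# Forwarder" slides.
# Assumptions (not from the deck): install path, deployment server and indexer
# host names are placeholders; New-NetFirewallRule needs Server 2012 or later.
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'
$DeploymentServer = 'splunk-ds.corp.example:8089'                                   # placeholder
$Indexers         = 'splunk-idx1.corp.example:9997,splunk-idx2.corp.example:9997'  # placeholder
$splunk           = Join-Path $SplunkHome 'bin\splunk.exe'
$sysLocal         = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $sysLocal -Force | Out-Null

# Deployment client: from here on the DS decides which apps/TAs the host gets.
@"
[target-broker:deploymentServer]
targetUri = $DeploymentServer
"@ | Set-Content -Path (Join-Path $sysLocal 'deploymentclient.conf') -Encoding ASCII

# Outputs: where the data goes. Many sites push this from the DS instead; in
# that case leave outputs.conf out of the image.
@"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $Indexers
"@ | Set-Content -Path (Join-Path $sysLocal 'outputs.conf') -Encoding ASCII

# Windows Firewall: allow the forwarder out to the management (8089) and
# receiving (9997) ports. The matching inbound rules belong on the DS/indexers.
foreach ($port in 8089, 9997) {
    $name = "Splunk UF outbound TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort $port -Action Allow -Profile Domain | Out-Null
    }
}

# Strip the instance identity (server name, GUID) so every clone registers
# with the deployment server as a distinct host. Splunk must be stopped first.
& $splunk stop
& $splunk clone-prep-clear-config
```

If clone-prep-clear-config is skipped, every machine built from the image shows up at the deployment server with the same GUID and the forwarders overwrite each other's registration, which looks exactly like "data missing from some hosts" later on.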
Indexer
• Indices
  – perfmon for performance data
  – msexchange for all other Exchange data
  – msad for all AD data
  – wineventlog for Windows Eventlog data
  – main for everything else, though it shouldn't be needed
  – TA-windows indexes.conf, index issues, CIM compliancy
  – Example: I'm not seeing all the data from our Exchange infrastructure with 100,000 users!
    – Adjust the maxDataSize below to a larger value such as 500,000 (in megabytes)
    – Verify permissions for adding users to role "exchange-admin"
  – Index configuration – http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Configureindexstorage
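An indexes.conf for the indexes this slide names, generated on an indexer by an added PowerShell example (not from the deck or from Splunk). In indexes.conf the attribute that caps an index's total size is maxTotalDataSizeMB, while maxDataSize is the per-bucket size; the example assumes the slide's 500,000 MB figure is meant for the total cap. Install path and data volume are placeholders.

```powershell
# Added example (not from the deck): create the indexes the slide names on an
# indexer and raise the per-index size cap for a large Exchange estate.
# Assumptions (not from the deck): paths are placeholders; the slide's
# "500,000 MB" is applied to maxTotalDataSizeMB (total index size), not to
# maxDataSize (bucket size).
$SplunkHome = 'C:\Program Files\Splunk'
$IndexRoot  = 'D:\SplunkIndexes'   # placeholder data volume

function New-IndexStanza {
    param([string]$Name, [int]$MaxTotalMB)
    # homePath/coldPath/thawedPath are mandatory for every custom index.
    @"
[$Name]
homePath   = $IndexRoot\$Name\db
coldPath   = $IndexRoot\$Name\colddb
thawedPath = $IndexRoot\$Name\thaweddb
maxTotalDataSizeMB = $MaxTotalMB

"@
}

# Windows and AD data keep a smaller cap; Exchange gets the larger one.
$conf = (New-IndexStanza -Name 'perfmon'     -MaxTotalMB 100000) +
        (New-IndexStanza -Name 'msexchange'  -MaxTotalMB 500000) +
        (New-IndexStanza -Name 'msad'        -MaxTotalMB 100000) +
        (New-IndexStanza -Name 'wineventlog' -MaxTotalMB 200000)

# Put it in an app folder rather than system\local so the same file can be
# pushed to every indexer (deployment server or cluster master).
$dest = Join-Path $SplunkHome 'etc\apps\indexes_msexchange\local'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Set-Content -Path (Join-Path $dest 'indexes.conf') -Value $conf -Encoding ASCII

# Every index the TAs write to must exist on the indexer, otherwise the events
# are dropped rather than landing in main. Restart, then list what exists.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
& (Join-Path $SplunkHome 'bin\splunk.exe') list index
```

The last command prompts for credentials; compare its output with the index names in the TAs' inputs.conf files, since a forwarder sending to an index that does not exist on the indexer is the most common cause of the "not seeing all the data" symptom on this slide.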
Turn on Audit Logs
• Impact of not having audit logs turned on?
  – Reports/dashboards within the App do not return any results. This is true for Windows data, Active Directory data, as well as Exchange data
• How do you turn on audit logs?
  – Create GPO in Active Directory that has auditing turned on
  – Link to Domain Controller OU
• Sample command to turn on audit on Mailboxes
Common Customizations
Exchange: Configuring TA-SMTP-Reputation
• Needs to be on a machine which has Global DNS Access
  – Recommend indexer as long as it has internet access outbound
  – If not, install on a heavy forwarder
  – Dependency on Python; cannot be on a Universal forwarder
• Copy default/reputation.conf to local/reputation.conf
• Add in your OUTBOUND mail servers' GLOBAL IP ADDRESSES
Exchange: Customizations
• `Is-internal-ip(<ip-addr>)` – Checks if a given IP address is internal. By default, set to RFC-1918 and FE80:: for internal
• Roles and Permissions, authorize.conf changes
  – Windows-admin (default Windows index searching)
  – Winfra-admin (includes Windows, adds MSAD)
  – Exchange-admin (includes Windows, MSAD, Exchange)
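The decision the `Is-internal-ip` macro makes, worked through in PowerShell as an added example (not the deck's or Splunk's code, and not the search macro itself, which is a Splunk search-time object): it classifies IPv4 addresses by the three RFC 1918 ranges and IPv6 addresses by the link-local range, and runs a constructed set of boundary cases. Reading the slide's "FE80::" as the fe80::/10 link-local prefix is an assumption. It is useful for checking, before customizing the macro, how a list of your mail servers' addresses would be split between internal and external on the app's dashboards.

```powershell
# Added example (not from the deck): a PowerShell equivalent of what the
# Is-internal-ip macro decides, for checking a list of addresses.
# Assumption (not from the deck): "FE80::" means the IPv6 link-local range
# fe80::/10; the macro itself is a Splunk search macro, not this code.

function Test-InternalIp {
    param([Parameter(Mandatory)][string]$Address)

    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        throw "Not an IP address: $Address"
    }
    $b = $ip.GetAddressBytes()

    switch ($ip.AddressFamily) {
        'InterNetwork' {
            # RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
            return ($b[0] -eq 10) -or
                   ($b[0] -eq 172 -and ($b[1] -band 0xF0) -eq 16) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168)
        }
        'InterNetworkV6' {
            # fe80::/10: first byte 0xfe, top two bits of the second byte are 10
            return ($b[0] -eq 0xFE) -and (($b[1] -band 0xC0) -eq 0x80)
        }
        default { return $false }
    }
}

# Constructed sample input covering the boundaries of each range.
$samples = @(
    '10.1.2.3',        # internal (10/8)
    '172.16.0.1',      # internal (172.16/12, low edge)
    '172.31.255.254',  # internal (172.16/12, high edge)
    '172.32.0.1',      # external (just past the /12)
    '192.168.50.7',    # internal
    '192.169.0.1',     # external
    '8.8.8.8',         # external
    'fe80::1',         # internal (link-local)
    'febf::1',         # internal (top of fe80::/10)
    'fec0::1',         # external (outside fe80::/10)
    '2001:db8::1'      # external
)
foreach ($s in $samples) {
    '{0,-16} {1}' -f $s, $(if (Test-InternalIp $s) { 'internal' } else { 'external' })
}
```

The 172.16/12 case is the one most often got wrong in hand-written versions of this check (172.32.x.x is public); if your mail relays sit in address space outside these ranges, that is exactly the case where the macro, and the reputation lookup above it, need a site-specific override in the app's local folder.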
New SA-LDAPSearch!
• Full session on this! Integrating Active Directory with Your Splunk Searches
Summary
Key Takeaways
• Multi-tiered deployments – Data collection, Indexing, Searches/Dashboards
• Highly customizable app to meet specific enterprise requirements
• Wealth of documentation with examples – http://docs.splunk.com/Documentation/MSExchange/3.0.1
Additional Resources
Download Splunk App for Microsoft Exchange – http://apps.splunk.com/app/1660/
Related .conf sessions – Integrating Active Directory with Your Searches
Visit the Apps Showcase Microsoft Booth – Talk to the experts!
Questions?
Special Offer: Try Splunk MINT Express for Free! Splunk MINT offers a fast path to mobile intelligence. How fast? Find out with a 6-month trial*
• Register for your free trial: http://mint.splunk.com/conf2014offer
• Download the Splunk MINT SDKs
• Add the Splunk MINT line of SDK code and publish**
• Start getting digital intelligence at your fingertips!
*Offer valid for .conf2014 attendees and coworkers of attendees only.
**Trial allows monitoring of up to 750,000 monthly active users (MAUs).
THANK YOU