IT Operations Breakout Session

Download IT Operations Breakout Session

Post on 16-Jul-2015




2 download

Embed Size (px)


<ul><li><p>How Splunk is used at EDUs </p></li><li><p>2 </p><p>About Me James Donn Senior Sale Engineer </p><p> ~ 3 Years working at Splunk 5 Year Splunk customer </p><p> 4.5 years at Harvard University .5 years at MITRE </p><p> Focus on Network and Systems Management </p><p>2 </p></li><li><p>3 </p><p>Agenda " What is Splunk? " Architectural Components Overview " Splunk Demo " Higher EducaPon Examples " How we do it in the Cloud today " Extra Demo </p></li><li><p>What is Splunk? </p></li><li><p>5 </p><p>A PlaSorm For Machine Data </p></li><li><p>6 </p><p>Powerful PlaSorm for Developers </p></li><li><p>7 </p><p>Powerful Developer PlaSorm on Hadoop </p></li><li><p>Architectural Components </p></li><li><p>9 </p><p>Overview </p></li><li><p>10 </p><p>Ge[ng Data IN </p><p> Any UDP Port Syslog Any TCP Port WMI Watching ies or directories Logs Scripted Inputs API connecPvity into any App Modular Inputs </p><p>- DB Connect - Stream - Many more on haps:// </p></li><li><p>11 </p><p>Service FuncPons </p></li><li><p>12 </p><p>Forwarders " Collects data from machines " Sends data to a Splunk indexer in Splunk format " Install onto the remote system for data ingesPon " Low impact - basically reads in data for transmission " Full vs. Light vs. Universal? </p></li><li><p>13 </p><p>" Low prole = forwarding only " Python/Splunkweb removed " Searching/Indexing removed " Deployment server removed " LWF (4.1 and earlier) ~ UF </p><p>Universal Forwarder </p></li><li><p>14 </p><p>Indexers " Processes raw data and stores it onto disk " Input Processing </p><p> Parsing (char set determinaPon, linebreaking) Merging (line merging, Pme extracPon) Typing (punctuaPon, anonymizaPon) </p><p>" Indexer Pipe Write to disk (compressed) Assigns 4 chunks of meta data </p><p>" Performs HEAVY liking for searches! </p></li><li><p>15 </p><p>Search Heads " Spawns search process (splunkd-search) </p><p> 1:1 raPo of search process to CPU core Splunkweb communicates via REST API (haps) </p></li><li><p>16 </p><p>Cluster Master " Required for Index ReplicaPon " Tells Indexes where to replicate to " Tells Search heads where the data is at " Search Anity </p></li><li><p>17 </p><p>Brief Summary " Forwarders: send data to the indexer for indexing " Indexers: heavy liking (index AND search) " Searchers: spawn the iniPal search distribute as necessary " Cluster Master: for data replicaPon </p></li><li><p>Demo! </p></li><li><p>Higher EducaPon Examples </p></li><li><p>20 </p><p>MRTG to Splunk </p></li><li><p>21 </p><p>Track-A-Mac </p><p>" Used by Students via self service web portal " Police Department is alerted when MACs from stolen laptops appear on network </p></li><li><p>22 </p><p>OperaPonal Tool </p></li><li><p>23 </p><p>OperaPonal Tool </p></li><li><p>24 </p><p>OperaPonal Tool </p></li><li><p>25 </p><p>Data VisualizaPon </p></li><li><p>26 </p><p>Data VisualizaPon </p></li><li><p>27 </p><p>VPN usage </p></li><li><p>28 </p><p>Business AnalyPcs </p></li><li><p>29 </p><p>Business AnalyPcs </p></li><li><p>30 </p><p>RegistraPon </p></li><li><p>How We Do It in the Cloud </p></li><li><p>32 </p><p>Splunk Oerings in AWS </p></li><li><p>33 </p><p>Splunk is exible! </p></li><li><p>Extra Demo! </p></li><li><p>AddiPonal Info </p></li><li><p>36 </p><p>AddiPonal Info " " " " Free Download " Free Online Sandbox </p></li><li><p>Thank you!! </p><p> </p></li><li><p>38 </p><p>University Use Cases " Use Case 1 Student Harassment/Death Threat </p><p> University reported they got a call from campus police that a female student reported she was ge[ng threaPng email and text messages from her ex-boy friend. </p><p>" Use Case 2 VPN Abuse A University on the east coast reported by using Splunk they were quickly able to </p><p>idenPfy when their VPN was being abused </p><p>" Use Case 3 Direct Deposit Fraud Hackers are targePng universiPes using malware telling people they need conrm/</p><p>change their Direct deposit informaPon. When someone does the hackers wait unPl right before payday and make a change. Once the funds are transferred to the new bank account the funds are gone. This was happening mulPple Pmes a month. </p></li><li><p>39 </p><p>University Use Cases " Use Case 4 Copyright </p><p> UniversiPes are using Splunk to nd who is downloading/sharing illegal content. </p><p>" Use Case 5 Quickly idenPfy a Student in the area A university using Splunk to help conrm if a student has been seen on </p><p>campus recently. They had a case were a parent contacted the school saying they hadnt heard from their student in 2 weeks. </p><p>" Use Case 6 View acPve wireless connecPons on campus UniversiPes can plot where wireless connecPons are on a campus map. This </p><p>can help understand where the most students are or if the number of students in the area is normal. </p></li><li><p>40 </p><p>University Use Cases " Use Case 7 Track AD changes/Access </p><p> UniversiPes can see when someone is added to a group or given root access and who granted the access. </p><p>" Use Case 8 Student acPvity/cheaPng UniversiPes can set alerts for various events including posPng homework to </p><p>mulPple accounts from a single IP address </p><p>" Use Case 9 User account informaPon posted online/social media One University scans social media for students who post their login on </p><p>credenPals out for the world to use. </p></li><li><p>41 </p><p>University Use Cases " Use Case 10 Find Fraud rings collecPng Financial Aid </p><p> Sign up for nancial aid register collect a check never show for class. " Use Case 11 Stack rank Security Risk by department </p><p> Whose keep up with Security risks and who isnt. List of shame. " Use Case 12 Understanding online course registraPon </p><p> What are the most popular classes and Pme. Who has wriaen a script to try and get in a class as soon as it opens. </p><p>" Use Case 13 the go to tool if the FBI or Law enforcement call " Use Case 14 IdenPfy when one of your accounts is spamming within 5 minutes </p></li></ul>