Symantec 年会内部稿件_9-优化数据管理价值-splunk IT 搜索引擎最佳实践

1.SplunkIT搜索引擎最佳实践MatthewLinChannelSalesDirector,APAC2.先来看看我们过去都是怎么处理IT的问题?3.IT的问题在哪里状况类别问题在哪里网络断线OperationTroubleshooting防火墙出问题?Router出问题?Switch出问题?DNS?DHCP?主机无法联机OperationTroubleshooting网络问题?主机本身问题?操作系统问题?应用程序问题?交易失败或延迟OperationTroubleshootingPerformanceAnalysis网络问题?服务器问题?操作系统问题?交易系统问题?效能问题?数据库问题?交易所问题?券商的问题?其它厂商的问题?还是精诚的问题?4.IT的问题在哪里状况类别问题在哪里发生安全事件Forensics&investigation攻击者从哪里来?那个服务器被攻击?哪些使用者受害?黑客动了什么手脚?稽核Compliance有没有服务器登入/注销纪录?防火墙通联记录?业务&营销资料分析BusinessIntelligence业绩贡献?毛利贡献?对原厂下单多少?部门、个人销售分析?网站访客分析?5.5过去…为了管理IT过去企业必须使用多种解决方案来管理与使用不同的IT数据6.过去…IT出了问题…..…..IT人员通常需要login并查询多种Apps,Device,Server才能判断与解决问题7.过去…领导或销售单位需要一份数据或报表•IT人员通常得要协助:•捞数据库(SQLSELECT)•查询ERP、CRM、Logfiles•写程序、客制化•作报表(Excel?CrystalReport?WebTrends?…etc)•…8.过去…都是这样解决问题的•开启多个窗口/面板•登入多种系统、服务器、设备•分析多种的记录文件或数据•使用多种诊断工具•写程序来捞数据或处理数据•用Excel或其它报表工具产生报表9.Compliance“Theauditorswanttoseealluseraccessandconfigurationchangesoneverysystem.”Operations“Ourwebsiteisdownandwehavetofindandfixtheproblem,butwheredowelook?”BusinessIntelligence“Canyoutraceallthetransactionsforaspecifictypeofcustomeroverthepast30days?”RJAuburnCTOSecurity“Weneedtoquicklyinvestigateapotentialbreachandthedataisscatteredeverywhere.”JohnToppTechnicalDirector“WehavecaughtbadguysbyusingSplunk--immediately.Analystscansearchgigabytes,eventerabytesofdatainseconds.”MikeDanleyMgr.FoundationServices“SplunkeliminatedhoursofmanualanalysisperticketforourglobalteamacrossournowhaveSOAinfrastructure.”SearchyourITinfrastructureJ2EEexceptionLast60minutesfail*passwordsshdLast30minutesLast60minutesLast3hoursLast24hoursLast7daysAlltimeLast24hoursPeteBassillGroupSecurityOfficer“SplunkgivesusgranularinformationandconcisereportsfromalllogsandITdatastreamstomeetPCIcompliance”filemodifyANDsourcetype=configurationLast30minutesLast60minutesLast3hoursLast24hoursLast7daysLast30daysLast7daysLast30daystransactionfield=customer-voip-numberLast30minutesLast60minutesLast3hoursLast24hoursLast7daysLast30days“Splunkenabledustounlockthebusinessinformationburiedinourvoiceplatform’sactivitylogs.”10.Splunk–IT搜索引擎metricstraps&alertsstacktracesmessagesconfigurationslogsscripts&codeactivityreportsITDatanavigatesearchreportalertshare11.Googlevs.Splunkmetricstraps&alertsstacktracesmessagesconfigurationslogsscripts&codeactivityreportsITDataWebContentnavigatesearchreportalertshare12.用Vi开启用Vi开启找出问题点找出问题点LogsLogs人工解读人工解读傳統方式使用Splunk找出问题点找出问题点Splunk可以主动监控异常,并发出主动通知Splunk可以主动监控异常,并发出主动通知用辅助工具分析Ex:Excel用辅助工具分析Ex:ExcelLogsLogsLogsLogsLogsLogsLogsLogsLogsLogsLogsLogsLogsLogs用Vi开启用Vi开启用Vi开启用Vi开启用Vi开启orgrep用Vi开启orgrep人工解读人工解读人工解读人工解读人工解读人工解读不同的系统之间,往往监控工具不一致,不互相支持不同的系统之间,往往监控工具不一致,不互相支持SearchyourITinfrastructureJ2EEexceptionLast30minutesLast60minutesLast3hoursLast24hoursLast7daysAlltimeLast24hoursSplunk与传统作业的差异–ITOperation13.Deployment‹DownloadandInstallin5minutes‹IndexITdatafromanysource‹Getlocalandgetmore‹DistributedSearch14.Deployment‹ControlAccess‹StoreDataEfficiently‹AutomateArchiving15.搜寻告警报表分享视觉16.Splunk应用面17.SplunkforChangeManagementDetectandreacttounauthorizedchangesandresolvechangerelatedincidentsfasterNavigatefromchangestosystembehaviorwithallthedatayouneedinoneplaceandpre-builtsearches,alertsandreportsforchangelifecycle•ChangeAuditing-makeitaneffortlessdailyroutine•ChangeDetection-adaptivedetectionandremediation•ChangeReporting-seechangeacrossallyourITinfrastructurecomponents•ChangeValidation-closethelooponchange•IncidentResponse-linkchangetosystembehavior18.18SplunkforVirtualizationSearchandnavigateacrossthecompletevirtualandphysicalstackGuestOperatingSystemsVirtualizedApplicationsHypervisorVirtualServerAPIsLogsConfigurationsMetricsPre-builtsearches,alertsandreportstomanagevirtualenvironmentsSearchphysicalnetwork,servers,hypervisors,VMs,guestOSandappsIndexdatafromtheleadingVMmanagementAPIsRetainperishableopsandsecuritydatafromVMsandguestsessions19.19SplunkforNetworkSecurityMovefromeventandalertoverloadtoSituationalAwareness•Firewallaccess(ports,sources,destinations,services,traffic)•IDS(eventtypes,attacktraffic,signatures,sources,destinations,targets,malware,recon)•OperatingSystem(hostshutdown,listeningservices,logging)•Authentication(accountchanges,brutforcelogins,failures,successes,changestousers,groups,permissions)•NetworkSecurity(insecuretraffic,trojanactivities,trojanports)Pre-builtsearches,alertsandreportsfornetworksecurityincidents.20.20SplunkforWindowsManagementWindowshasneverbeeneasierwitheverythinginoneplace.•Pre-definedsearches,alerts,reportsanddashboardstoaccelerateWindowsmanagementtasks•IndexallthedatageneratedbyyourWindowsdesktops,serversandapplications•eventlogs•registrykeys•performancemetrics•applicationlogs•WMIsupportforagent-lessremoteindexingofeventlogandperformancedata•IntegrationwithSystemCenterOperationsManager2007providingsingleclicksearchfromMOMconsole21.21SplunkforPCIComplianceAddressthecompleterangeofPCIDSSlogandITdataissuesandrequirements•PCIControlReporting(allrequirements)•SecureCentralLogCollection(Requirement10.5)•DailyLogReview(Requirement10.6)•FileIntegrityMonitoring(Req