Running a TrackMe Proof of Concept

Running a TrackMe Proof of Concept (POC) is surely the best way to demonstrate the key values of the product, and how it can help you tackle your monitoring challenges. This document aims to guide you through the main steps to run a successful POC.

  • We stand by to help you at any time, so please do not hesitate to reach out to us if you need any assistance: contact@trackme-solutions.com

  • TrackMe has different licensing modes. Without a licence, TrackMe runs in Community Edition, which implies some limitations on its features. In the context of a POC that can eventually lead to buying the product, restricting yourself to the Community Edition would be unfortunate and a missed chance for you and for us.

  • Instead, contact us and we will be delighted to provide you with a full temporary licence covering at least 60 days of usage, which can be renewed for a further 30 days if the buying process is still ongoing.

  • TrackMe is a very rich and powerful solution; you may not test every single feature or capability during the POC, so we recommend focusing on the key features that are most relevant to your monitoring challenges.

Identifying the Key Use Cases

TrackMe can handle many different use cases; below is a non-exhaustive list of the most common use cases that TrackMe can help you tackle:

  • Feeds tracking: Monitor any kind of feed making its way to Splunk, from the data source perspective (index / sourcetype / additional metadata if needed), from the event host perspective, and more.

  • Scheduled searches and Splunk Enterprise Security correlation searches: Track the scheduled activity of your Splunk environment, detect scheduling anomalies and investigate capacity planning, with TrackMe as your single pane of glass.

  • TrackMe Flex Objects: monitor your Splunk deployment and configuration, perform SIEM controls, anything! Use TrackMe Flex Objects, locally or remotely, to monitor any layer of Splunk: Search Head Cluster and Indexer Cluster health and activity, knowledge bundle size, licence usage and literally anything you can think of.

Identify where to deploy TrackMe

Review TrackMe requirements and identify where to deploy TrackMe:

  • Review the main installation documentation: Installation

  • For the purpose of a POC, you may want to prioritise a deployment on a standalone server for simplicity; good candidates are usually a standalone Search Head that is already used for monitoring purposes, or the utility node running the Splunk Monitoring Console (e.g. DMC).

  • If you are a Splunk Cloud customer, there is no question: TrackMe will run on the ad-hoc Search Head tier.

  • You can always decide at a later time to migrate TrackMe to a definitive Search Head layer target.

Service account and permissions

  • By default, TrackMe runs as the Splunk nobody user (e.g. splunk-system-user); it is not strictly required to create a dedicated service account for TrackMe.

  • However, creating a service account for TrackMe is recommended as a good configuration practice; review: Configuration

  • In the context of a POC, you can skip this step entirely and save time to focus on the use cases instead.

  • If this is however a strong requirement, especially in some specific contexts, it can easily be done from day 1 by following the documentation above.

Role Based Access Control (RBAC)

  • TrackMe supports Role Based Access Control, with an implementation relying on native Splunk capabilities.

  • TrackMe comes with 3 built-in Splunk roles: trackme_admin, trackme_power, trackme_user.

  • TrackMe also requires its users to have TrackMe capabilities (which are provided by the roles above).

  • Review: Role Based Access Control and ownership

Install TrackMe

  • Installing TrackMe is straightforward; review the main installation documentation: Installation

  • Ensure you meet the application dependency requirements.

  • Ensure you have defined and published the TrackMe indexes in your indexing layer, notably for Splunk Enterprise customers (in Splunk Cloud, this is automated once the application is deployed).

  • Remember that TrackMe does nothing at all once installed until you start creating TrackMe Virtual Tenants and trackers, so it is fully safe to install TrackMe ahead of time.

  • Also, pay attention to new TrackMe releases: we aim to publish new releases at least once per month, fixing, enhancing and adding features to enrich the product.

  • We also recommend installing and enabling the TrackMe Configuration Manager app (TCM). It registers each administrative action in TrackMe (such as the creation of tenants or trackers) so that these can be replayed later on; it is also a good means for you to understand how TrackMe works underneath!

  • Review TrackMe TCM: TrackMe CI/CD management (TCM)

Register a TrackMe licence for the POC

  • In the context of a POC, we advise you to contact us to get a temporary licence for an extended period of time.

  • You can also generate a 30-day TrackMe trial licence directly in TrackMe (this requires your Search Head to have outgoing https/443 connectivity to our public licence API services).

  • Below are the different TrackMe offerings with their features and restrictions:

TrackMe Enterprise Edition:

  • Up to 6 Virtual Tenants

  • Up to 8 remote deployments

  • Splunk feeds tracking

  • Up to 16 Hybrid Trackers

  • Unlimited Elastic trackers

  • Machine Learning Outliers detection for all components

  • Splunk Workload

  • Common Information Model compliance tracking (16 trackers)

  • Flex Object Tracking (32 trackers)

  • Premium support (24-hour SLA, 8 AM to 8 PM UK time)

TrackMe Unlimited Edition:

  • Unlimited number of Virtual Tenants

  • Unlimited remote deployments

  • Splunk feeds tracking

  • Unlimited number of Hybrid Trackers

  • Unlimited Elastic trackers

  • Machine Learning Outliers detection for all components

  • Splunk Workload

  • Common Information Model compliance tracking

  • Flex Object Tracking

  • Premium support (24-hour SLA, 8 AM to 8 PM UK time)

TrackMe Community Edition:

  • Limited to 2 Virtual Tenants

  • Limited to 1 remote Splunk deployment

  • Splunk feeds tracking

  • 2 Trackers per component (6 total)

  • Unlimited Elastic trackers

  • Machine Learning Outliers detection (Splunk feeds)

  • Best effort support, with no warranty

Remote deployment and multiple Search Head tiers

  • TrackMe provides native capabilities to interact with any remote Splunk deployment or instance, from Search Head tiers to utility nodes such as the Cluster Manager, or Heavy Forwarders.

  • When it comes to the TrackMe Workload component (monitoring of Splunk scheduling), we also use this feature to interact with the Splunk API for purposes such as search versioning.

  • Review: Splunk remote deployments (splunkremotesearch)

  • For this, you should identify the targets, get a bearer token created per target, and satisfy the basic networking requirements.

Design TrackMe tenants

  • Ahead of the POC or during its first phases, you will want to consider which tenants to create and the purpose of each tenant for your TrackMe deployment.

  • These decisions are usually influenced by your own technical / functional contexts, as well as the features you want to use in TrackMe.

  • A tenant can run multiple TrackMe components (example: splk-dsm for Data Source tracking and splk-flx).

  • You can dedicate a TrackMe Virtual Tenant to a specific perimeter, a specific team, a specific use case, or a mix of all of these depending on your needs.

  • Remember that you can experiment: a Virtual Tenant can be created, destroyed, disabled, etc.!

A realistic example (screenshot: screen1.png).

Design TrackMe at scale

  • A best practice when creating tenants for Feeds tracking is to create Hybrid Trackers after the creation of the Virtual Tenant rather than at tenant creation time.

  • This gives more control and flexibility, allowing you to adopt scaling best practices and easily design performant and efficient Hybrid Trackers.

  • Remember that you can easily leverage various Splunk techniques in TrackMe, such as using Splunk indexed fields to filter out or influence TrackMe entity definitions and reflect your data pipelines.

  • Review: Large Scale Environment and Best Practices Configuration Guide

(screenshot: screen05.png)

  • Use out-of-the-box TrackMe tooling to easily monitor the performance and costs of your Hybrid Trackers (screenshots: screen15.png, screen16.png).

Design your alerting strategy

TrackMe provides a flexible out-of-the-box workflow when it comes to alerting:

  • On a per-tenant basis, you can create a TrackMe alert in a single simple step.

  • TrackMe alerts are designed to run automated TrackMe alert actions, such as generating TrackMe Notable events, performing automated acknowledgements and running SmartStatus investigations.

  • A TrackMe architecture best practice for alerting is to rely on TrackMe notable events rather than implementing third-party notifications from TrackMe alerts, which allows further correlation, enrichment or filtering on the notable events.

  • Review: Alerting Architecture & Third Parties Integration

(diagram: alert_diagram.png)