We have a multi-site (Production - Site 1, DR - Site 2) Enterprise Security deployment with clustered indexing. Search clustering is not enabled since we have 1 ES SH + 1 Ad-Hoc SH, each in Prod and DR. We'll pursue clustering at a later point in time once more users begin adopting Splunk and requirements grow more stringent.
We're trying to come up with a solution to make the transition from Prod --> DR simpler in the event of a disaster. If traffic needs to get routed to the Cluster Master, Deployment Server, License Master, and Monitoring Console located on the DR site in the event that they are unavailable, where should I configure the CNAME and map that to the DR hostnames for these Splunk components?
Creating the CNAME DNS records for the CM, DS, LM, MC is the easy part but we're just unsure if the CNAMEs need to be identified in a conf file or elsewhere...
On the Splunk side, you just need to configure everything with your DNS names, and use name resolution. For the DNS side, you can update your CNAMES in DR. CNAMEs just point to A records.
This is very common.
E.g.,
Primary Hosts-
DNS A Record : splunk-cm-live 10.1.1.1 with CNAME splunk-cm
DNS A Record : splunk-sh-live 10.1.1.2. with CNAME splunk-sh
For the DR Sites
DNS A Record : splunk-cm-dr 10.2.1.1
DNS A Record : splunk-sh-dr 10.2.1.2
Once a failover occurs, you update the CNAMEs to reflect the DR A records. This can be automated, and usually is. SSL Certs would be sticky point here, if they are host name based.
Splunk config files point to the cnames.
Thanks so much for your reply - this is very helpful. Specifically, which Splunk conf. files would need to point to the CNAMEs?