Currently a bit confused on how many servers I would need to deploy Splunk with Enterprise Security in our environment.
This is what I know so far:
Enterprise Security - Dedicated Search Head (Can this also be the indexer, or should it be separate from the indexer?)
Splunk Search Head - Currently sizing for about 22 users and could be adding more in the future, maybe 5 additional users. Would it be sufficient to have 4 CPUs with 6 cores/CPU = 24 cores total?
Indexer - same question above; can this be where I would install Enterprise Security or should it be separate?
Deployment Server - mini search head - Not sure what apps should be installed, how much hardware would I need for this?
Syslog Server - Not sure if this is necessary; what do I need this for? What are its benefits? (recommended syslog-ng) How much hardware would I also need for this?
So far I am at 3 Physical Servers (ES Dedicated Search Head, Indexer, Splunk Search Head)
The other two servers can be VMs, as I was told.
Additional info: Indexing about 150GB of data with a retention of 6 months (searchable logs) = 15TB of SAN space needed; 3 months would be just 8TB of SAN space, then logs can be archived right after. (Do I need more space for archive logs?)
My thoughts here are:
Hello, just wondering if there is anyone who can guide me in the right direction, mainly in regards to the indexer. Can the indexer also be where I install my Splunk App for Enterprise Security?
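The storage figures in the question (150GB ingested, 6 months searchable = 15TB, 3 months = 8TB) imply a roughly 50% on-disk ratio for indexed data, which is the common Splunk rule of thumb (compressed raw data plus index files). The helper below is an added example, not code from the original post or from Splunk: it turns a daily ingest figure into searchable and frozen-archive SAN estimates. The 0.5 searchable ratio, the 0.15 archive ratio (frozen buckets keep only the compressed raw journal) and the replication factor are assumptions, parameterised so they can be replaced with measured values from your own indexes.

```python
"""Splunk index storage sizing helper (added example, not from the original post).

Assumptions (labelled as such; adjust from measured data in your environment):
  - searchable (hot/warm/cold) data occupies ~50% of raw ingest volume
  - frozen archives keep only compressed rawdata, ~15% of raw ingest volume
  - replication_factor multiplies searchable storage in an indexer cluster;
    a single indexer, as in the question, uses 1
  - 1 TB is treated as 1000 GB for SAN purchasing purposes
"""


def storage_plan(daily_gb, searchable_days, archive_days=0,
                 searchable_ratio=0.5, archive_ratio=0.15,
                 replication_factor=1):
    """Return a dict of GB figures for searchable, archived and total storage.

    daily_gb         -- raw data ingested per day (the 150GB in the question)
    searchable_days  -- retention window that must stay searchable
    archive_days     -- additional days kept as frozen (non-searchable) buckets
    """
    if daily_gb < 0 or searchable_days < 0 or archive_days < 0:
        raise ValueError("sizes and day counts must be non-negative")
    if replication_factor < 1:
        raise ValueError("replication_factor must be at least 1")

    searchable_gb = daily_gb * searchable_days * searchable_ratio * replication_factor
    archive_gb = daily_gb * archive_days * archive_ratio
    total_gb = searchable_gb + archive_gb
    return {
        "searchable_gb": round(searchable_gb, 1),
        "archive_gb": round(archive_gb, 1),
        "total_gb": round(total_gb, 1),
        "total_tb": round(total_gb / 1000, 2),
    }


def compare_retention_options(daily_gb, options):
    """Size several (searchable_days, archive_days) options side by side.

    options -- iterable of (searchable_days, archive_days) tuples
    Returns a list of (label, plan_dict) in the order given.
    """
    results = []
    for searchable_days, archive_days in options:
        label = "%d days searchable + %d days archived" % (searchable_days, archive_days)
        results.append((label, storage_plan(daily_gb, searchable_days, archive_days)))
    return results


if __name__ == "__main__":
    # Constructed inputs mirroring the question: 150GB/day, 6 months searchable
    # versus 3 months searchable plus 3 months frozen.
    for label, plan in compare_retention_options(150, [(180, 0), (90, 90)]):
        print("%-40s searchable %7.1f GB  archive %6.1f GB  total %5.2f TB" % (
            label, plan["searchable_gb"], plan["archive_gb"], plan["total_tb"]))
```

Run it with your own daily ingest figure; the 6-month-searchable line lands at about 13.5TB, close to the 15TB quoted in the question, and the split option shows that keeping the second 3 months only as frozen archives costs a fraction of keeping them searchable.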