Splunk

Minamiashigara City

Minamiashigara City is one of the leading cities in Kanagawa Prefecture for IT innovation. It introduced Splunk as part of a full update of its internal information system, achieving centralized collection of previously distributed logs and rapid analysis and monitoring.

Before
  • Distributed logs were collected only when a problem occurred; the accumulated logs were not put to effective use
  • Once collected, logs were transcribed manually, so it took time to find the problem area
  • A large volume of logs was expected from the system update, but the SIer's proposal did not include a log integration function
After
  • Real-time visualization and reporting simply by entering text data
  • All logs are centrally collected and extracted, making access visible and security risks understandable
  • After confirming Splunk's flexibility and versatility at a seminar, a counter-proposal to use Splunk was made to the SIer
Minamiashigara City Hall
Planning Department, Planning Section, Information and Statistics Team Chief
Mr. Makoto Hasegawa

Counter-proposing log integration and analysis functions to cope with the growth in logs and put them to effective use

Minamiashigara City is located at the western end of Kanagawa Prefecture and is the smallest city in the prefecture, with a population of about 43,000 people in about 16,400 households; the city measures about 12 km from east to west and about 9 km from north to south, with an area of 77.12 square km. Minamiashigara City Hall, which handles city administration and municipal office work, is known as one of the most IT-advanced municipalities in the prefecture. Only three staff members are in charge of information system management, but they have strong IT skills, make active information gathering a routine, and place importance on vendors' ability to make proposals when the information system is completely renewed every five years. At the same time, they scrutinize the content of proposals strictly rather than accepting them passively, which is one reason for their high reputation.

In 2009, Minamiashigara City Hall rebuilt the "internal information system" operated in the government building and related facilities, which is used for sharing documents on a file server and for internal clerical work through groupware and e-mail. That system was coming to the end of its period of use, and the end of support for its server OS was approaching. In August 2013 the city began studying each system, and in April 2014 it conducted an open call for proposals and issued RFPs to multiple system integrators.

Makoto Hasegawa, Chief of the Information and Statistics Team, Planning Section, Planning Department, Minamiashigara City Hall, explains the basic stance on IT investment as follows: "Municipalities have strict budgets for each fiscal year, and it is difficult to make additional IT investments during the fiscal year. We thought that if we chose advanced technology, we would be able to build a low-cost, efficient system."

The key point was efficient collection and analysis of logs. In the past, logs simply accumulated, and when a problem occurred staff had to go to the server rack, access the distributed logs of each system individually, collect them, and transfer them to Excel for checking. Finding the problem area therefore took a long time.

"The number of servers and network devices in the new internal information system increased far more than before, and a large volume of logs was expected to be output from them, but the proposal from the SIer did not include a function to integrate all of those logs and generate reports based on them," says Mr. Hasegawa, who strongly felt the need for an environment that could monitor logs in an integrated manner.

What attracted his attention was a Splunk seminar sponsored by Macnica. He deepened his interest in Splunk by attending the "Splunk Introduction Seminar" in May 2014, and by attending the half-day "Splunk Hands-on Seminar" in June he was able to gain basic knowledge of its log aggregation and analysis functions.

"The demo experience at the Splunk seminar was particularly shocking. By inputting text-only CSV data, without any design on the input side, it was possible to visualize it on the dashboard in real time. With this, you can report easily. I sensed that it was possible to transform

Once an environment for collecting logs with Splunk is in place, reports can be generated according to one's own ideas. The fact that no additional investment is required was also considered a major advantage.

“After confirming at the seminar that it is highly flexible and versatile, I made a counter-proposal to the system integrator to utilize Splunk, and asked them to incorporate it into the configuration of the new internal information system.”

Distributed logs are centrally aggregated and monitored; causes are identified quickly when problems occur

In August 2014, Splunk was introduced, and in January 2015, full-scale operation began with a 5GB/day license.

Currently, event logs from each server are aggregated in Splunk, critical logs are extracted, web access trends are analyzed, and unusual access is monitored based on rare values. It is now possible to grasp aspects of the business situation that were not visible before, such as who is using which websites and whether anyone is accessing dangerous websites. In the near future, the city plans to launch monitoring for the use of unauthorized applications and devices.
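As an added illustration (not searches from the page or from the city's own deployment), the following SPL searches show the three kinds of monitoring described above; the index names, sourcetypes and field names (`Type`, `SourceName`, `EventCode`, `user`, `dest`) follow the Splunk add-ons for Windows and Squid and are assumptions about this site's data.

```spl
index=wineventlog sourcetype="WinEventLog:System" (Type="Error" OR Type="Critical")
| stats count AS events, latest(_time) AS last_seen BY host, SourceName, EventCode
| convert ctime(last_seen)
| sort - events

index=proxy sourcetype="squid:access" earliest=-24h
| timechart span=1h count BY dest limit=10 useother=false

index=proxy sourcetype="squid:access" earliest=-7d
| rare limit=20 showperc=true dest

index=proxy sourcetype="squid:access" earliest=-7d
| stats dc(user) AS users, count AS hits, values(user) AS who BY dest
| where users=1 AND hits<=3
| sort hits
```

The first search lists error and critical Windows events per server and source, the second charts hourly proxy traffic for the ten busiest destinations, and the last two surface destinations that are visited rarely or by only a single user over the past week, which is the rare-value style of monitoring the text refers to. Such rare destinations are a review queue rather than an alert in themselves, since legitimate but seldom-used sites will appear there too.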

Mr. Hasegawa says, "Since Splunk can centrally collect logs from all servers and network devices and analyze and monitor them from multiple perspectives, it is now possible to understand the usage status and security risks of client PCs," and he highly appreciates the efficiency. Log searches have also become much faster, so even when a security incident occurs, it may be possible to shorten the time needed to identify the cause.

"For us, who manage the system with a small number of people, simply consolidating the distributed logs greatly reduces the human burden, and Splunk is becoming an indispensable tool."

Linking SKYSEA and Splunk realizes efficient client management

The IT asset management tool "SKYSEA ClientView" (SKYSEA), in use since the system update in 2009, is also planned to be linked with Splunk. In addition to the 430 client PCs distributed to city hall employees, SKYSEA manages the client PCs used for school affairs at 10 locations in the city, such as elementary and junior high schools, over VPN.

In the future, the city intends to extract usage rates from the client PC start-up and shutdown operation logs held in SKYSEA, together with web browsing logs, and use Splunk to report detailed operating status over long periods as well as access trends to external networks and internal file systems. It would also like to use Splunk to analyze access trends and optimize the placement of the PCs distributed to part-time workers.

“Since SKYSEA can output various logs in text format, creating a job on the Splunk side, collecting those text logs and analyzing them from multiple perspectives will increase visibility and enable more efficient client management. I think the effect of linking the two will be very high,” analyzes Mr. Hasegawa.
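The usage-rate analysis from start-up and shutdown logs described above, written as an added SPL example rather than a search from the page or from the city; the `skysea` index, the `skysea:clientview` sourcetype, the `event` and `host` field names and the 8-hour working day used as the utilization baseline are all assumptions.

```spl
index=skysea sourcetype="skysea:clientview" (event="startup" OR event="shutdown")
| sort 0 host, _time
| streamstats current=false last(_time) AS prev_time, last(event) AS prev_event BY host
| where event="shutdown" AND prev_event="startup"
| eval session_hours=(_time - prev_time) / 3600
| bin _time span=1d
| stats sum(session_hours) AS hours_per_day BY host, _time
| stats avg(hours_per_day) AS avg_hours_per_active_day, count AS active_days BY host
| eval utilization_pct=round(100 * avg_hours_per_active_day / 8, 1)
| sort utilization_pct
```

The search pairs each shutdown with the preceding start-up on the same PC, sums the resulting session time per day, and ranks PCs by how much of an assumed 8-hour day they are actually in use, so the least-used machines appear first as candidates for relocation. A PC that is never shut down cleanly produces no pair and drops out of the result, so the `active_days` column should be compared against the number of days in the search window.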

In addition, the operation server of the platform management system that monitors the entire system sends an enormous number of error messages to administrators by e-mail every day. The city is also considering extracting only the relevant logs so that problems can be detected early and intuitively.

In the new internal information system, a UTM, Box, a mail security system, a proxy, wireless LAN and other components were newly introduced, and in the future their logs will also be collected and monitored automatically by Splunk. As part of its use of big data, the city is further considering having Splunk manage logs such as the temperature and humidity output by the system that controls the air conditioners in the server room, in order to strengthen monitoring of the air-conditioning status.

Mr. Hasegawa points out that in the coming IoT era it will be important to know what kinds of logs exist and to manage them. "If you first create a job and register it on the dashboard, I don't think it will be too difficult for other local governments to manage and monitor logs," he advised.

Going forward, Macnica will continue to support the IT initiatives of advanced local governments by providing Minamiashigara City Hall, where full-scale construction work on Splunk will take place, with more information and support than ever before.

User Profile

Minamiashigara City
URLs

http://www.city.minamiashigara.kanagawa.jp/

Minamiashigara City lies on the northeast side of the outer rim of Mt. Hakone, centered on Ashigara Pass, spread over a fan-shaped hilly area along the Kari River, a tributary of the Sakawa River, with the Ashigara Mountains extending to Mt. Yagura. It is a small city rich in nature, blessed with a mild climate and abundant clear streams. Daiyuzan Saijoji Temple (Doryoson) of the Sotoshu school of Buddhism, built in 1394, historical sites related to Sakata Kintoki (Kintaro of Mt.) and the 23 m high Yuhi-no-taki (Sunset Waterfall) are popular tourist spots.

Inquiry/Document request

Macnica, Inc., Splunk contact

Mon-Fri 8:45-17:30