Install and deploy add-ons
The Splunk Enterprise Security installation includes a selection of add-ons designed for compliance with the Common Information Model (CIM). Add-ons are specific to a single technology, or version of a technology, and provide the knowledge necessary to incorporate that source data into Enterprise Security.
Add-ons provided with Enterprise Security
Splunk Add-on for Blue Coat ProxySG | Splunk Add-on for Bro IDS | Splunk Add-on for McAfee | Splunk Add-on for Juniper |
Splunk Add-on for Microsoft Windows | Splunk Add-on for Nessus | Splunk Add-on for NetFlow | Splunk Add-on for Oracle Database |
Splunk Add-on for OSSEC | Splunk Add-on for RSA SecurID | Splunk Add-on for Sophos | Splunk Add-on for FireSIGHT |
Splunk Add-on for Symantec Endpoint Protection | Splunk Add-on for UEBA | Splunk Add-on for Unix and Linux | Splunk Add-on for Websense Content Gateway |
TA-airdefense | TA-alcatel | TA-cef | TA-fireeye |
TA-fortinet | TA-ftp | TA-ncircle | TA-nmap |
TA-tippingpoint | TA-trendmicro |
For configuration details on an add-on that does not have web-based documentation, see the README file included in the root of the add-on's folder.
Other add-ons
Splunk also offers the Splunk Add-on for Facebook ThreatExchange, which allows Splunk Enterprise Security users to leverage intelligence from Facebook ThreatExchange within the ES Threat Intelligence framework to populate the existing Threat Activity and Threat Artifact views. See About the Splunk Add-on for Facebook ThreatExchange for installation and setup instructions.
Distributed installation of add-ons
Add-ons contain pre-defined knowledge about data sources. When you install Splunk Enterprise Security in a distributed environment, add-ons must be distributed based upon the Splunk instance types used in your Splunk environment. Splunk Cloud customers will work with Splunk Support to install add-ons on search heads and indexers, but are responsible for on-premises forwarders.
Splunk instance type | Supported | Comments |
---|---|---|
Search Heads | Yes | Add-ons are installed on the search head with Splunk Enterprise Security. Any unused add-ons should be disabled. |
Indexers | Yes | An add-on that includes index-time props and transforms must be deployed to the indexers. For configuration details on an add-on that does not have web-based documentation, see the README file included in the root of the add-on's folder. |
Heavy Forwarders | Yes | An add-on that includes index-time props and transforms must be deployed to a heavy forwarder if the data source is routed or collected with that forwarder. |
Universal Forwarders | Yes | Most add-ons include input settings for a specific data source. Review the inputs.conf included with an add-on and deploy the add-on to a forwarder as necessary.
|
Distributed deployment compatibility
Distributed deployment feature | Supported | Comments |
---|---|---|
Search Head Clusters | Yes | Use the search head cluster deployer to distribute add-ons across on-premises search head cluster members. See Installing Add-ons on a Search Head cluster in this topic. |
Indexer Clusters | Yes | Use the cluster master to distribute add-ons across a set of on-premises index cluster peers . See Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in the Managing Indexers and Clusters Manual. |
Deployment Server | Yes | Use the deployment server to distribute add-ons across non-clustered on-premises indexers and forwarders. |
Determine which add-ons to deploy on indexers
When you install Splunk Enterprise Security in a distributed environment, the add-ons are installed and enabled on the search head as part of the ES package. Add-ons contain search-time knowledge imported during the ES installation, and can include additional index-time operations. An add-on can remain solely on the search head unless it includes additional index-time operations, in which case you must deploy the add-on to your indexers. Splunk Cloud customers must work with Splunk Support to install add-ons on indexers.
- Review the README files included with each add-on to determine if the add-on includes index-time operations.
- Collect the add-ons that use index-time operations. Optionally, use the Distributed Configuration Management feature of ES to create an add-on for deployment.
- Determine how to deploy the add-ons based on the Splunk platform architecture in your environment:
- Non-clustered indexers
- Place the add-ons on the deployment server.
- Use the deployment server to deploy the add-on(s) to the indexers. See Plan a deployment in the Updating Splunk Enterprise Instances Manual.
- Clustered indexers
- Place the add-ons on the cluster master.
- Use the cluster master to deploy the add-on(s) to the cluster peers. See Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers Manual.
Creating the Splunk_TA_ForIndexers
Use the Splunk_TA_ForIndexers app to consolidate all of the index-time configurations and basic index definitions in one package to ease deployment for on-premises indexers.
- On the Enterprise Security menu bar, browse to Configure > General and select Distributed Configuration Management.
- Select the option to Download the Package to merge all
indexes.conf
and index-timeprops.conf
andtransforms.conf
settings from all enabled apps and add-ons on the search head, and place them into one add-on for download. The merge creates oneindexes.conf
,props.conf
, andtransforms.conf
file containing all settings, similar to a./splunk cmd btool <conf_file_prefix> list
output. - After the add-on is downloaded, review
indexes.conf
and update it if needed to conform with site retention settings and other storage options. Optionally, you can remove theindexes.conf
file from the add-on as the index configurations for your environment might be configured and managed in another app. For more information on configuring the indexes for Enterprise Security, see Configure and deploy Indexes in this manual.
When you install a new add-on for use with ES, create an updated copy of Splunk_TA_ForIndexers
by returning to the Distributed Configuration Management page and selecting Download the Package.
Automated deployment of the Splunk_TA_ForIndexers
If your on-premises Splunk platform installation uses the Deployment Server to manage the indexer settings, you can configure the Distributed Configuration Management page to push the Splunk_TA_ForIndexers
directly to the indexers. This feature is designed to work with a Splunk Deployment Server, and cannot be used for indexer clustering.
- Make the search head a deployment client of the Deployment Server.
- On the Enterprise Security menu bar, browse to Configure > General and select Distributed Configuration Management.
- Select Yes for Do you want to use auto deployment?
- Select Add new credential to create a Splunk administration credential for use with the Deployment Server. The user credential must be in the Splunk administrator role on the Deployment Server instance.
- Fill out the User and Password fields, and set the Application field to SplunkEnterpriseSecuritySuite.
- Save the credential.
- Use the Select credentials drop down to choose the Splunk admin credentials required to authenticate with the Deployment Server
- Select the indexers that can receive the
Splunk_TA_ForIndexers
add-on. The indexers list is created from the search head's Distributed search configuration page.- (Optional): You can add additional indexer names manually by entering text in the Select Splunk Indexers field.
- Select Save to create the
Splunk_TA_ForIndexers
add-on that includes the index-timeprops.conf
, andtransforms.conf
.- (Optional): Enable the Push indexes.conf setting. As the index settings often require storage specific configuration, do not choose this option by default.
- If you disable the auto-deployment option after enabling it, the
Splunk_TA_ForIndexers
add-on will remain on the Deployment Server, and you must remove the add-on and serverclass manually.
Determine which add-ons to deploy on forwarders
Review the add-on documentation to determine if it contains a unique input configuration for the data source, or index-time operations. For information on an add-on that does not have web-based documentation, see the README file included in the root of the add-on's folder. Splunk Cloud customers are responsible the configuration, deployment, and management of on-premises forwarders.
- Review the
inputs.conf
included with an add-on, and deploy the add-on to any forwarder ingesting that data. - An add-on that includes index-time props and transforms must be deployed to a heavy forwarder if the data source is routed or collected with that forwarder.
Installing add-ons on a Search Head
Each add-on is specific to a single technology, or version of a technology, and provides the knowledge necessary to incorporate that source data into Enterprise Security. Use the Splunk Apps manager to add additional CIM-compatible add-ons to your on-premises search head. Splunk Cloud customers must work with Splunk Support to install add-ons on search heads. To deploy an add-on to other Splunk instances, see Distributed deployment compatibility in this topic.
Note: Install add-ons that are compatible with the Common Information Model.
Find an add-on
- Log in to splunk.com.
- Go to Splunkbase.
- Browse and search the list of add-ons.
- Select an add-on.
- Download the add-on.
Add an add-on from a local file
- Click Apps next to Splunk in the menu bar.
- From the drop-down menu, select Manage Apps.
- Select Install app from file.
- In the Upload an app panel, browse for the location of the add-on and select it.
- Click Upload.
Edit an existing add-on
- Click Apps next to Splunk in the menu bar.
- From the drop-down menu, select Manage Apps.
- Select the add-on from the list.
- Click Edit Properties for the add-on you want to configure.
- When your finished, click Save.
Note: Do not use the Create app option on the Apps page within Enterprise Security.
Updating add-ons
Some add-ons are released independently of Enterprise Security, and can be downloaded directly from Splunkbase.
Update the add-on from within Splunk
To check for the new version of an app, select Manage Apps on the Apps menu. A link will appear in the Version column if a new version is available.
- Log in to splunk.com.
- Click the link in the version column in Splunk Enterprise.
- Confirm that an updated version of the add-on exists. Click Update to get the new version.
- To install the add-on, choose Restart.
Update the app manually
- Log in to splunk.com.
- Find the new version of the add-on on Splunkbase.
- Download the add-on to your desktop or local directory.
- Browse to Apps > Manage Apps > Install app from file.
- Browse to the add-on location and select the add-on.
- Select Upgrade app... so that the new version of the add-on overwrites the prior version.
- Choose Upload.
- To install the add-on, choose Restart.
Installing Add-ons on a Search Head cluster
Using search head clustering changes the process for deploying apps and configuration files to the on-premises search head cluster members. To distribute app and add-on configurations to search head cluster members, you must use the search head cluster deployer.
Distributing add-ons in a search head cluster with Splunk Enterprise 6.4
App import settings automatically replicate across search head cluster nodes running Splunk Enterprise 6.4 or later. Use the search head cluster deployer to distribute add-ons across the set of search head cluster members. For details, see Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search Manual.
Import custom apps and add-ons
You can extend the functionality of Splunk Enterprise Security with apps and add-ons. Download apps and add-ons from Splunkbase or create your own add-on with a tool such as the Splunk Add-on Builder. Splunk Cloud customers must work with Splunk Support to install add-ons on search heads.
Use the Update ES modular input
Splunk Enterprise Security integrates the configurations of apps and add-ons installed on the same search head. The Update ES modular input is responsible for importing all apps and add-ons that match a regex filter. The filter is defined in the app path SplunkEnterpriseSecuritySuite/default/inputs.conf
.
Modular input | Function |
---|---|
app_imports_update://update_es | Imports and updates the metadata for supporting add-ons. |
app_imports_update://update_es_da | Imports and updates the metadata for domain add-ons. |
app_imports_update://update_es_main | Imports and updates the metadata for the SplunkEnterpriseSecuritySuite. |
Imports are transitive
App imports are transitive. This means than an app (A) that imports another app (B), also imports all of the apps (C) imported by that app.
- If app A imports B,
- and app B imports C,
- then A imports C.
Because supporting add-ons import each other, you might see only one supporting add-on with an updated local.meta
file. This is SA-AccessProtection
, as it is the first supporting add-on in the list of apps.
View existing app imports
Use the |rest
search commands to view the existing app imports. You must have Splunk administrator permissions to run the command.
For example, to view the imports for the SplunkEnterpriseSecuritySuite
app while authenticated as the admin user:
| rest /servicesNS/admin/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import
App and add-on import naming conventions
The modular inputs will automatically import apps and add-ons prefixed with any of the following: DA-ESS-
, SA-
, TA-
, Splunk_SA_
, Splunk_TA_
, and Splunk_DA-ESS_
.
Import add-ons with a different naming convention
If your custom add-on does not use the typical ES naming conventions, you must add the name or a naming convention to the import modular input.
- On the Enterprise Security toolbar, browse to Configure > General > App Imports Update.
- Click
update_es
to edit it. - Update the Application Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex.
- For example, to import a new add-on named
My_datasource
update the Application Regular Expression field to:(appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(My_datasource)
- When changing the Application Regular Expression field, always append to the default regex or the existing app imports will fail.
- For example, to import a new add-on named
- Save.
- Preview the changes
|rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated
- Restart Splunk Enterprise services to incorporate the changes.
Remove an add-on from app import
To exclude an add-on from the app import process:
- On the Enterprise Security toolbar, browse to Configure > General and select App Imports Update.
- Edit the
update_es
input. - Update the Application Exclusion Regular Expression field, adding the naming convention of your add-on to the list of supported naming conventions using a regex.
- For example, to exclude a new add-on named
TA_new_test
update the Application Exclusion Regular Expression field to:|TA_new_test
- For example, to exclude a new add-on named
- Save.
- Preview the changes
|rest services/data/inputs/app_imports_update | table title app_regex app_exclude_regex updated
- Restart Splunk Enterprise services to incorporate the changes.
Splunk Stream integration
Enterprise Security offers direct integration with Splunk Stream.
Splunk Stream has two components:
- The Splunk App for Stream is responsible for the job management of the Splunk Stream Add-on. The Splunk App for Stream is installed on the Enterprise Security search head.
- The Splunk Stream Add-on is the listener that siphons data from the network. The Splunk Stream Add-on is installed on forwarders.
Data collection using the Splunk Stream Add-on requires a review and analysis of the network topology to determine the best method and location for data capture. See Network collection architectures in the Splunk Stream User Manual.
Stream data collection utilizes system resources that scale with the number of protocols polled and the volume of network data. See Hardware requirements in the Splunk Stream User Manual.
Splunk Stream communications
Integrating Enterprise Security with Splunk Stream requires the installation of the Stream app on the ES search head. The Splunk Stream Add-on is installed on the forwarders, and initiates communications with the Stream app on the search head over HTTP.
Stream data capture jobs are managed from the Splunk App for Stream, and are retrieved for processing by the Stream Add-on. The Splunk Stream Add-on must be configured to communicate with the Splunk App for Stream. See Configure Stream Forwarder in the Splunk Stream User Manual.
For a Splunk Cloud deployment, see Deploy Splunk Stream on Splunk Cloud in the Splunk Stream Installation and Configuration Manual.
Create a Stream capture job
There are 2 ways to create a Stream capture job from Enterprise Security.
A workflow action
You can use a workflow action to create a Stream packet capture job in any event view in Splunk Enterprise and Enterprise Security that both has an action menu and displays a source or destination IP. The workflow action opens the Create Stream Capture page.
Review the requirements and change them if needed.
- Description: Defaults to the source or destination IP chosen in the workflow action.
- Protocols to capture: Defaults to All. For more information, see Supported protocols in the Splunk Stream Installation and Configuration manual.
- Capture duration: Defaults to 7 days.
Choose Create Capture to finish and create a job for Splunk Stream.
Note: If Splunk Stream is not installed, a warning and a link to the app is displayed.
To view and analyze the Stream data events captured, see the Protocol Intelligence dashboards in the Enterprise Security User Manual.
A correlation search alert action
A correlation search can initiate a Stream capture job as an alert action. See Configure correlation search actions in Enterprise Security User Manual.
Install Enterprise Security | Configure and deploy indexes |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only
Feedback submitted, thanks!