Deploy add-ons included with Splunk Enterprise Security
The Splunk Enterprise Security package includes a set of add-ons.
- The add-ons that include "SA-" or "DA-" in the name make up the Splunk Enterprise Security framework. You do not need to take any additional action to deploy or configure these add-ons, because their installation and setup is handled as part of the Splunk Enterprise Security installation process. Do not disable any add-ons that make up the Splunk Enterprise Security framework.
- The rest of the add-ons include "TA-" in the name and are technology-specific and provide the CIM-compliant knowledge necessary to incorporate that source data into Enterprise Security.
For more about how the different types of add-ons interact with Splunk Enterprise Security, see About the ES solution architecture on the Splunk developer portal. Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
How you deploy the technology add-ons depends on the architecture of your Splunk platform deployment.
Prerequisite
Install Splunk Enterprise Security on your search head or search head cluster. See Install Enterprise Security. When you install Splunk Enterprise Security in a distributed environment, the installer installs and enables the add-ons included in the Enterprise Security package on the search head or search head cluster.
Steps
- Determine which add-ons to install on forwarders
- Deploy add-ons to forwarders
- Deploy add-ons to indexers
Determine which add-ons to install on forwarders
Install add-ons that collect data on forwarders. Determine which add-ons to install on forwarders and which type of forwarder configuration each add-on requires by reviewing the documentation for the add-ons.
Most add-ons include input settings for a specific data source. Review the inputs.conf included with an add-on and deploy the add-on to a forwarder as needed. Some add-ons need to be deployed on forwarders installed directly on the data source system. Other add-ons require heavy forwarders. See the documentation or README file for each add-on for specific instructions.
- For add-ons with web-based documentation, follow the links below to determine where it needs to be installed and configured.
- For add-ons that do not have web-based documentation, see the README file included in the root folder of the add-on.
Deploy add-ons to forwarders
See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation.
Technology-specific add-ons provided with Enterprise Security
Splunk Enterprise Security includes the following security-relevant and CIM-compliant technology add-ons.
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for Bro IDS
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Tenable
- Splunk Add-on for NetFlow
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for UBA
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
Deploy add-ons to indexers
Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required. For more information, see Where to install Splunk add-ons in the Splunk Add-ons documentation.
The procedure that you use to deploy add-ons to your indexer can depend on your Splunk platform deployment. Select the option that matches your situation or preference.
Deployment situation | Procedure |
---|---|
Splunk Enterprise Security is running on Splunk Cloud. | Contact Splunk Support and ask them to install the required add-ons to your indexers. |
You prefer to deploy add-ons to the indexers manually. | See Install an add-on in a distributed Splunk Enterprise deployment. |
Your indexers are clustered, you use the cluster master to deploy add-ons to cluster peers of your on-premises Splunk platform installation, and there is no additional deployment complexity. | Create the Splunk_TA_ForIndexers and manage deployment manually |
Your indexers are not clustered, you use the deployment server to manage indexer settings of your on-premises Splunk platform installation, and there is no additional deployment complexity. | Create and set up automatic deployment of the Splunk_TA_ForIndexers |
Splunk Enterprise Security is running on a complex deployment, such as one Enterprise Security search head and one search head for other searches both using the same set of indexers. | Contact Splunk Professional Services for assistance with deploying add-ons to your indexers. |
Create the Splunk_TA_ForIndexers and manage deployment manually
Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise rather than Splunk Cloud, indexers are clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.
Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. The Splunk_TA_ForIndexers includes all indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single indexes.conf, props.conf, and transforms.conf files, and places the files into one add-on for download. The result is similar to the output of ./splunk cmd btool <conf_file_prefix> list.
This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.
Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.
- On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
- Click Download the Package.
- Select the contents for the package. You must select at least one of the following options to download the package.
  - (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
  - (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
- Click Download the Package to create and download the Splunk_TA_ForIndexers.
- After the add-on downloads, you can modify the contents of the package. For example, modify indexes.conf to conform with site retention settings and other storage options.
- Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.
When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.
Create and set up automatic deployment of the Splunk_TA_ForIndexers
Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise, indexers are not clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.
Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. When you select the automatic deployment option, Distributed Configuration Management includes all index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single props.conf and transforms.conf files, and places the files into the Splunk_TA_ForIndexers for automatic deployment. If your indexer storage and retention configurations are the same across all indexers, you can choose to add indexes.conf configurations to the package.
This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.
Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.
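The duplicate-deployment caveat above (and the same caveat in the manual-deployment procedure) lends itself to a pre-deployment check, because the package is assembled from each enabled add-on's index-time settings. The following script is an added example, not part of Splunk Enterprise Security or its documentation: it parses the props.conf, transforms.conf or indexes.conf text from a downloaded Splunk_TA_ForIndexers, compares it against add-ons already present on the indexers, and reports stanzas that appear in both, flagging keys whose values differ. The stanza, key and app names are constructed sample input; the parser assumes plain Splunk stanza and key = value syntax and does not model Splunk's configuration precedence rules.

```python
"""Compare a downloaded Splunk_TA_ForIndexers package against add-ons already on
the indexers and report overlapping stanzas. Added example; not Splunk's code."""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Blank lines and # comments are skipped; Splunk precedence rules are not modelled."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def find_overlaps(package, installed):
    """package: {conf_file: text} from Splunk_TA_ForIndexers.
    installed: {app_name: {conf_file: text}} for add-ons already on the indexers.
    One finding per stanza present in both: 'conflict' when a shared key differs
    (typical of version skew), 'duplicate' when the shared keys agree."""
    findings = []
    for conf, pkg_text in package.items():
        pkg_stanzas = parse_conf(pkg_text)
        for app, app_confs in installed.items():
            app_stanzas = parse_conf(app_confs.get(conf, ""))
            for stanza in sorted(pkg_stanzas.keys() & app_stanzas.keys()):
                a, b = pkg_stanzas[stanza], app_stanzas[stanza]
                diffs = {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
                findings.append({"conf": conf, "stanza": stanza, "app": app,
                                 "kind": "conflict" if diffs else "duplicate", "diffs": diffs})
    return findings


# Constructed sample input (invented names and values): the package built on the
# search head, and one add-on that an earlier deployment left on the indexers.
PACKAGE = {"props.conf": "[example:firewall]\nTRANSFORMS-routing = example_null_queue\n"
                         "TRUNCATE = 20000\n\n[example:proxy]\nTIME_PREFIX = ^\n"}
INSTALLED = {"TA-example-firewall": {"props.conf": "[example:firewall]\n"
             "TRANSFORMS-routing = example_null_queue\nTRUNCATE = 10000\n"}}

if __name__ == "__main__":
    for f in find_overlaps(PACKAGE, INSTALLED):
        print(f"{f['kind']}: [{f['stanza']}] in {f['conf']} is also shipped by {f['app']}")
        for key, (pkg_value, cur_value) in f["diffs"].items():
            print(f"  {key}: package={pkg_value} installed={cur_value}")
```

Point PACKAGE and INSTALLED at the real file contents (for example, the default directories of the downloaded package and of each add-on copied from an indexer) to run the check against a live deployment.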
- Set up the Splunk Enterprise Security search head as a deployment client of the deployment server. See Configure deployment clients in Updating Splunk Enterprise Instances.
- On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
- For Do you want to use auto deployment? select Yes.
- Select Add new credential to add a Splunk administration account to use with the deployment server. The administration account must have the administrator role on the deployment server.
  - Type the User and the Password for the account.
  - Set the Application to SplunkEnterpriseSecuritySuite.
  - Save the account credential.
- Click Select credentials and select the credential that you added in step four.
- Select the indexers that can receive the Splunk_TA_ForIndexers add-on.
  - (Optional) Add additional indexer names by typing in the Select Splunk Indexers field.
- (Optional) Select the Push indexes.conf check box to include indexes.conf configurations in the Splunk_TA_ForIndexers add-on package. Because index settings can require storage-specific configurations, indexes.conf is not included in the package by default. If you do not deploy indexes.conf with the Splunk_TA_ForIndexers, manage index configurations manually.
- Click Save to create the Splunk_TA_ForIndexers add-on.
If you disable automated deployment of the Splunk_TA_ForIndexers after you set up automated deployment, the Splunk_TA_ForIndexers add-on remains on the deployment server. Remove the add-on and serverclass manually.
Troubleshoot automatic deployment of Splunk_TA_ForIndexers
If you set up automatic deployment of Splunk_TA_ForIndexers, but it is not working as expected, follow these steps to troubleshoot.
Problem | Diagnosis | Solution |
---|---|---|
Search head is not communicating with the deployment server. | Server classes might not have been created by the distributed configuration management process. | Check serverclass.conf on the deployment server to determine if server classes were successfully created. |
The Splunk_TA_ForIndexers app was not deployed to indexers. | Check the deployment apps repository on the deployment server. The app might not have been created in the deployment apps repository on the deployment server. | Check the es_deployment_manager.log for errors related to the failed deployment of index-time configurations. |
Automatic deployment is not working. | There might be an issue with the deployment server, or one is not set up. | Work with Splunk Support to troubleshoot your deployment server configuration or set up a deployment server for your Splunk deployment. See About deployment server and forwarder management in Updating Splunk Enterprise Instances. |
Errors and successful uploads of the Splunk_TA_ForIndexers app are logged in es_deployment_manager.log.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1