Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Deploy add-ons included with Splunk Enterprise Security

The Splunk Enterprise Security package includes a set of add-ons.

  • The add-ons that include "SA-" or "DA-" in the name make up the Splunk Enterprise Security framework. You do not need to take any additional action to deploy or configure these add-ons, because their installation and setup is handled as part of the Splunk Enterprise Security installation process. Do not disable any add-ons that make up the Splunk Enterprise Security framework.
  • The rest of the add-ons include "TA-" in the name and are technology-specific and provide the CIM-compliant knowledge necessary to incorporate that source data into Enterprise Security.

For more about how the different types of add-ons interact with Splunk Enterprise Security, see About the ES solution architecture on the Splunk developer portal. Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

How you deploy the technology add-ons depends on the architecture of your Splunk platform deployment.

Prerequisite

Install Splunk Enterprise Security on your search head or search head cluster. See Install Enterprise Security. When you install Splunk Enterprise Security in a distributed environment, the installer installs and enables the add-ons included in the Enterprise Security package on the search head or search head cluster.

Steps

  1. Determine which add-ons to install on forwarders
  2. Deploy add-ons to forwarders
  3. Deploy add-ons to indexers

Determine which add-ons to install on forwarders

Install add-ons that collect data on forwarders. Determine which add-ons to install on forwarders and which type of forwarder configuration each add-on requires by reviewing the documentation for the add-ons.

Most add-ons include input settings for a specific data source. Review the inputs.conf included with an add-on and deploy the add-on to a forwarder as needed. Some add-ons need to be deployed on forwarders installed directly on the data source system. Other add-ons require heavy forwarders. See the documentation or README file for each add-on for specific instructions.

  • For add-ons with web-based documentation, follow the links below to determine where it needs to be installed and configured.
  • For add-ons that do not have web-based documentation, see the README file included in the root folder of the add-on.

Deploy add-ons to forwarders

See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation.

Technology-specific add-ons provided with Enterprise Security

Splunk Enterprise Security includes the following security-relevant and CIM-compliant technology add-ons.

Deploy add-ons to indexers

Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required. For more information, see Where to install Splunk add-ons in the Splunk Add-ons documentation.

The procedure that you use to deploy add-ons to your indexer can depend on your Splunk platform deployment. Select the option that matches your situation or preference.

Deployment situation Procedure
Splunk Enterprise Security is running on Splunk Cloud. Contact Splunk Support and ask them to install the required add-ons to your indexers.
You prefer to deploy add-ons to the indexers manually. See Install an add-on in a distributed Splunk Enterprise deployment.
Your indexers are clustered, you use the cluster master to deploy add-ons to cluster peers of your on-premises Splunk platform installation, and there is no additional deployment complexity. Create the Splunk_TA_ForIndexers and manage deployment manually
Your indexers are not clustered, you use the deployment server to manage indexer settings of your on-premises Splunk platform installation, and there is no additional deployment complexity. Create and set up automatic deployment of the Splunk_TA_ForIndexers
Splunk Enterprise Security is running on a complex deployment, such as one Enterprise Security search head and one search head for other searches both using the same set of indexers. Contact Splunk Professional Services for assistance with deploying add-ons to your indexers.

Create the Splunk_TA_ForIndexers and manage deployment manually

Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise rather than Splunk Cloud, indexers are clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.

Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. The Splunk_TA_ForIndexers includes all indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single indexes.conf, props.conf, and transforms.conf files, and places the files into one add-on for download. It works similar to a ./splunk cmd btool <conf_file_prefix> list output.

This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.

Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.

  1. On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
  2. Click Download the Package.
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

Create and set up automatic deployment of the Splunk_TA_ForIndexers

Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise, indexers are not clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.

Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. When you select the automatic deployment option, Distributed Configuration Management includes all index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single props.conf and transforms.conf files, and places the files into the Splunk_TA_ForIndexers for automatic deployment. If your indexer storage and retention configurations are the same across all indexers, you can choose to add indexes.conf configurations to the package.

This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.

Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.

  1. Set up the Splunk Enterprise Security search head as a deployment client of the deployment server. See Configure deployment clients in Updating Splunk Enterprise Instances.
  2. On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
  3. For Do you want to use auto deployment? select Yes.
  4. Select Add new credential to add a Splunk administration account to use with the deployment server. The administration account must have the administrator role on the deployment server.
    1. Type the User and the Password for the account.
    2. Set the Application to SplunkEnterpriseSecuritySuite.
    3. Save the account credential.
  5. Click Select credentials and select the credential that you added in step four.
  6. Select the indexers that can receive the Splunk_TA_ForIndexers add-on.
  7. (Optional) Add additional indexer names by typing in the Select Splunk Indexers field.
  8. (Optional) Select the Push indexes.conf check box to include indexes.conf configurations in the Splunk_TA_ForIndexers add-on package. Because index settings can require storage-specific configurations, indexes.conf is not included in the package by default. If you do not deploy indexes.conf with the Splunk_TA_ForIndexers, manage index configurations manually.
  9. Click Save to create the Splunk_TA_ForIndexers add-on.

If you disable automated deployment of the Splunk_TA_ForIndexers after you set up automated deployment, the Splunk_TA_ForIndexers add-on remains on the deployment server. Remove the add-on and serverclass manually.

Troubleshoot automatic deployment of Splunk_TA_ForIndexers

If you set up automatic deployment of Splunk_TA_ForIndexers, but it is not working as expected, follow these steps to troubleshoot.

Problem Diagnosis Solution
Search head is not communicating with the deployment server. Server classes might not have been created by the distributed configuration management process. Check serverclass.conf on the deployment server to determine if server classes were successfully created.
The Splunk_TA_ForIndexers app was not deployed to indexers. Check the deployment apps repository on the deployment server. The app might not have been created in the deployment apps repository on the deployment server. Check the es_deployment_manager.log for errors related to the failed deployment of index-time configurations.
Automatic deployment is not working. There might be an issue with the deployment server, or one is not set up. Work with Splunk Support to troubleshoot your deployment server configuration or set up a deployment server for your Splunk deployment. See About deployment server and forwarder management in Updating Splunk Enterprise Instances.

Errors and successful uploads of the Splunk_TA_ForIndexers app are logged in es_deployment_manager.log.

Last modified on 31 August, 2018
Install Splunk Enterprise Security in a search head cluster environment   Import custom apps and add-ons to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters