Deploy add-ons included with Splunk Enterprise Security
The Splunk Enterprise Security package includes a set of add-ons.
- The add-ons that include "SA-" or "DA-" in the name make up the Splunk Enterprise Security framework. You do not need to take any additional action to deploy or configure these add-ons, because their installation and setup is handled as part of the Splunk Enterprise Security installation process. Do not disable any add-ons that make up the Splunk Enterprise Security framework.
- The rest of the add-ons include "TA-" in the name and are technology-specific and provide the CIM-compliant knowledge necessary to incorporate that source data into Enterprise Security.
For more about how the different types of add-ons interact with Splunk Enterprise Security, see About the ES solution architecture on the Splunk developer portal. Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
How you deploy the technology add-ons depends on the architecture of your Splunk platform deployment.
Prerequisite
Install Splunk Enterprise Security on your search head or search head cluster. See Install Enterprise Security. When you install Splunk Enterprise Security in a distributed environment, the installer installs and enables the add-ons included in the Enterprise Security package on the search head or search head cluster.
Steps
- Determine which add-ons to install on forwarders
- Deploy add-ons to forwarders
- Deploy add-ons to indexers
Determine which add-ons to install on forwarders
Install add-ons that collect data on forwarders. Determine which add-ons to install on forwarders and which type of forwarder configuration each add-on requires by reviewing the documentation for the add-ons.
Most add-ons include input settings for a specific data source. Review the inputs.conf
included with an add-on and deploy the add-on to a forwarder as needed. Some add-ons need to be deployed on forwarders installed directly on the data source system. Other add-ons require heavy forwarders. See the documentation or README file for each add-on for specific instructions.
- For add-ons with web-based documentation, follow the links below to determine where it needs to be installed and configured.
- For add-ons that do not have web-based documentation, see the README file included in the root folder of the add-on.
Deploy add-ons to forwarders
See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation.
Technology-specific add-ons provided with Enterprise Security
Splunk Enterprise Security includes the following security-relevant and CIM-compliant technology add-ons.
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for Bro IDS
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Splunk UBA
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
Deploy add-ons to indexers
Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required. For more information, see Where to install Splunk add-ons in the Splunk Add-ons documentation.
The procedure that you use to deploy add-ons to your indexer can depend on your Splunk platform deployment. Select the option that matches your situation or preference.
Deployment situation | Procedure |
---|---|
Splunk Enterprise Security is running on Splunk Cloud. | Contact Splunk Support and ask them to install the required add-ons to your indexers. |
You prefer to deploy add-ons to the indexers manually. | See Install an add-on in a distributed Splunk Enterprise deployment. |
Your indexers are clustered, you use the cluster master to deploy add-ons to cluster peers of your on-premises Splunk platform installation, and there is no additional deployment complexity. | Create the Splunk_TA_ForIndexers and manage deployment manually |
Your indexers are not clustered, you use the deployment server to automatically manage indexer settings of your on-premises Splunk platform installation, and there is no additional deployment complexity. | This automatic procedure is deprecated. See the Release Notes. |
Splunk Enterprise Security is running on a complex deployment, such as one Enterprise Security search head and one search head for other searches both using the same set of indexers. | Contact Splunk Professional Services for assistance with deploying add-ons to your indexers. |
Create the Splunk_TA_ForIndexers and manage deployment manually
Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise rather than Splunk Cloud, indexers are clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.
Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. The Splunk_TA_ForIndexers includes all indexes.conf
and index-time props.conf
and transforms.conf
settings from all enabled apps and add-ons on the search head, merges them into single indexes.conf
, props.conf
, and transforms.conf
files, and places the files into one add-on for download. It works similar to a ./splunk cmd btool <conf_file_prefix> list
output.
This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.
Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.
- On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
- Click Download the Package.
- Select the contents for the package. You must select at least one of the following options to download the package.
- (Optional) Select the check box for Include index time properties to include the
props.conf
andtransforms.conf
files in the package. - (Optional) Select the check box for Include index definitions to include the
indexes.conf
file in the package.
- (Optional) Select the check box for Include index time properties to include the
- Click Download the Package to create and download the
Splunk_TA_ForIndexers
. - After the add-on downloads, you can modify the contents of the package.
For example, modifyindexes.conf
to conform with site retention settings and other storage options. - Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.
When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers
.
Errors and successful uploads of the Splunk_TA_ForIndexers app are logged in es_deployment_manager.log
.
Install Splunk Enterprise Security in a search head cluster environment | Import custom apps and add-ons to Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1
Feedback submitted, thanks!