Upgrade Splunk App for PCI Compliance

This topic describes how to use the PCI Compliance Install App to upgrade an installed version of the Splunk App for PCI Compliance to the latest version.

Step 1. Get the Splunk App for PCI Compliance

1. Download the PCI Compliance Install App.

2. Click Download App and save the PCI Compliance Install App to your desktop.

Note: You must be logged into splunk.com with your splunk.com ID and be a licensed customer to download the app. If you have issues, contact Splunk Support.

3. From Splunk Home, go to App > Manage Apps… > Install App from File to add the Install App to your Splunk instance.

If you have the PCI Compliance Install App on your system, make sure you click Upgrade app, and overwrite the existing app with the newer version when you upload the file.

4. Restart Splunk Enterprise.

Step 2. Launch the upgrade installer

1. After Splunk Enterprise restarts, log back into Splunk Enterprise.

2. Go to Splunk Home and click PCI Compliance Install App.

3. To perform the upgrade, the installer first needs to disable the current instance of the Splunk App for PCI Compliance. Click Disable.

4. Restart Splunk Enterprise.

Note: The Splunk App for PCI Compliance includes a setting that forces Splunk Web to run over HTTPS. While disabled you might need to connect to Splunk Web using HTTP instead (HTTP://yourserver:yourport).

5. Click the click here to continue link when the Splunk Enterprise restart is complete.

Step 3. Evaluate your environment prior to upgrade

1. Log back into Splunk Enterprise. In the PCI Compliance Install App, click Continue to begin the upgrade.

2. The Upgrade and Compare screen contains tabs with upgrade warnings, customizations, deprecated apps, or changes to the default configuration files associated with the upgrade. Review each of these tabs before continuing with the upgrade.

3. Use the information in these panels to evaluate your existing configuration and resolve potential conflicts and customizations that could pose a problem during the upgrade. See "Resolve warnings and conflicts" below for details.

4. As you make changes to resolve issues, click Recheck to verify that the issue is fixed. Repeat this process as many times as necessary.

5. Click Print Report for a list of the warnings, customizations, deprecated apps, and changes to configuration files associated with the upgrade.

Step 4. Upgrade PCI Compliance

When you have reviewed each of the tabs and made changes, continue with the upgrade.

1. Click Upgrade & Restart to perform the upgrade.

2. Click the click here to continue link when the Splunk Enterprise restart is complete.

Note: The Splunk App for PCI Compliance automatically enables SSL.

3. The PCI Compliance Install App should display a message like:

Splunk App for PCI Compliance is up to date. Current version (version:2.1.x, build:xxxx) 
is installed.

You will be notified of future updates. 

Do not remove or disable the PCI Compliance Install App.

Step 5. Set up and configure the app

After performing the upgrade, set up the app.

1. Click Splunk to go to Splunk Home.

2. Click the PCI Compliance app.

3. Click Continue to app setup page.

Note: If the upgrade is performed, and the setup procedure is not run, Splunk Enterprise might display errors on some dashboards.

4. Verify the settings on the Splunk App for PCI Compliance Setup page.

See the "Capacity Planning Manual".

5. Click Save. The PCI Compliance configure page appears.

See the "Steps to configure" in this manual for details on setting up the Splunk App for PCI Compliance.

Backup of the upgrade

The PCI Compliance Install App creates a backup of the Splunk App for PCI Compliance installation after the upgrade completes. The folder and ZIP file of the PCI Compliance installation are located at:

  $SPLUNK_home/etc/apps/pci-backup-yyyy-mm-dd-hh-nn-ss

This file is located $SPLUNK_HOME/etc/apps/.

Note: After completing the upgrade and restarting Splunk Enterprise, check various parts of the Splunk App for PCI Compliance to see if they are still working as expected.

Resolve warnings and conflicts

During an upgrade using the PCI Compliance Install App, you might encounter warnings and conflicts between your current installation and the newer version of the Splunk App for PCI Compliance.

The following sections describe the possible issues and the appropriate actions to resolve them.

Upgrade warnings

Any warnings associated with your upgrade are shown on this tab. Use the examples in this section to resolve these upgrade warnings.

A Custom navigation file is detected

This custom navigation file prevents updates from being deployed with the new navigation. This custom file is renamed (to default.xml.old) and disabled after the upgrade. Re-enable this custom navigation file to rollback the changes.

Explanation:

The latest version of the Splunk App for PCI Compliance includes major changes to app navigation. If you upgrade from another version, you have a pre-existing custom navigation for PCI Compliance, most likely an artifact of previous setup tasks that generate a custom, local navigation as a side effect.

If you did not make any customizations to your navigation, you can ignore this message. The install/upgrade disables the existing custom navigation and deploys the new one. If you have customizations you want to keep, continue with the upgrade. After the upgrade, the new navigation is used.

To retrieve your previous customizations, refer to the old navigation file, now located: $SPLUNK_HOME/etc/apps/SplunkPCICompliance/local/data/ui/nav/default.xml.old. You need to manually map and add the earlier customizations into the new default.xml navigation file.

Invalid Savedsearches.conf Attribute Settings

Example:

File: $SPLUNK_HOME/etc/apps/SA-NetworkProtection/local/aggregate.conf

Network - Policy Or Configuration Change - Rule ==> 
duration :: -86400 - ERROR: 'duration' less than 1 second group_by ::
 - ERROR: 'group_by' cannot be empty

Explanation:

These conflicts apply to the detection and conversion of correlation search aggregation settings. These errors only apply to upgrades which used the correlation search aggregate framework, and correspond to invalid custom settings with that older framework. The change needed to fix each error is shown in the detected error message.

Example:

Network - Policy Or Configuration Change - Rule ==> 
duration :: -86400 - ERROR: 'duration' less than 1 second
group_by :: - ERROR: 'group_by' cannot be empty

Errors show the correlation search stanzas and the offending settings for each. Possible errors include:

    duration cannot be less than 1 second
    duration must be an integer
    group by cannot be empty

To resolve the issue, change the local values of settings in their respective stanzas, in the /local/aggregate.conf file before proceeding with the upgrade. Click the recheck button after you make changes to the aggregate.conf file to verify that the issue is resolved.

Local/Custom Savedsearch overwrites new default search

Example:

File: $SPLUNK_HOME/etc/apps/SA-EndpointProtection/local/savedsearches.conf

Endpoint - Recurring Malware Infection - Rule ==> search :: 
`get_summary(endpoint_summary,Endpoint - All Malware - Summary Gen)` | 
search * | stats dc(date_mday) as day_count by dest,signature | 
search day_count>3 | localop | aggregate search="Endpoint - Recurring Malware Infection - Rule"

Explanation:

You can modify search strings in a saved searches local directory, but if the newer version of the app includes a fix/change in the same saved search, the local version prevents the new changes from taking effect. The searches detected here are specifically correlation searches and ones that have undergone conversion from the aggregate framework to the per-event-alerting framework.

Comment out the existing custom search string in your /local directory. The new search string in the /default stanza is used. To preserve the existing custom search string, you need to reconcile the differences between the existing search logic and the new analogous search string in the /default stanza.

Customizations

Click Customizations to see what local customizations might be lost during the upgrade. This tab identifies local customizations in .conf files in the Splunk App for PCI Compliance that might prevent new default content from taking effect. The Install App searches for modifications to configuration files in default and local directories and displays any custom configuration conflicts that might occur with the newer version of the app.

Changes to configuration files should always be performed in an equivalent file within the local sub-directory. User customizations made to default objects are not saved and are overwritten during the app upgrade.

Warning: If you choose to move forward with the upgrade, the files listed are overwritten and any customizations are lost.

For guidance on modifying default files versus local files, see "About the default files" in the Admin Manual.

The Splunk configuration file layering system gives local .conf settings precedence over default .conf settings. If a setting's value changed in the new release and there is an existing local setting, this prevents new functionality or fixes.

The reporting hierarchy for .conf files is as follows:

- removed file
- modified file
  - removed stanza
  - modified stanza
    - removed attribute setting
    - modified attribute setting

This information is presented this way in the panel:

• Local .conf files different from latest default version
• Local .conf stanzas removed from latest default version
• Local .conf attributes different from latest default version
• TSIDX Conflicts
• Navigation Lite View Differences

Conflicting deprecated local .conf files

The detected local customized files that are deprecated from the latest release. Remove these files because they no longer exist in default. Examine the files to determine if anything needs to be backed up.

Example:

Conflicting Deprecated Local .conf Files
file: SA-IdentityManagement/local/correlationsearches.conf

Conflicting modified local .conf files

The upgrade process can detect local configuration files that have stanza and attribute conflicts.

• Deprecated Stanzas: These stanzas no longer exist in the latest release. Remove this stanza from the 'local' .conf file

deprecated stanza(s): file: SA-EndpointProtection/local/savedsearches.conf
> stanza: [Endpoint - Disk Tracker - Lookup Gen]

• Deprecated Attributes: These attributes no longer exist in the latest release. Remove this attribute from the 'local' .conf file

deprecated attribute(s): file: SA-CommonInformationModel/local/macros.conf > stanza: [cim_ids_types]
attribute: errormsg

• Conflicting Attributes: The following attributes have updated default values in the latest release. Evaluate whether you want to keep your local customization. You can simply remove it and the default value overrides it.

conflicting attribute(s): file: SA-CommonInformationModel/local/macros.conf > stanza: [cim_ids_types]
attribute: definition

Deprecated Apps

Click Deprecated Apps to see any currently installed apps or add-ons, previously shipped with the Splunk App for PCI Compliance, that are deprecated in this release. Some deprecated apps are replaced with a newer app and others are simply left in place. Notes on this tab tell you what the installer will do with each of these apps.

Default .conf

The Default .conf tab shows any modified default configuration files or extension files that have been detected by the Install App.

• Detected Modified Configuration Files: These files have been modified from the original files shipped with the Splunk App for PCI Compliance. These files are overwritten during the installation. If you want to save the modified files, copy the files to an appropriate location (like the local directory on your system).

Warning: If you chose to move forward with the upgrade, the modified configuration files listed are overwritten and any customizations are lost.

• Detected Extension Files: These files are new 'extension' files detected by the Install app. They will be unaffected by the upgrade.