Splunk® App for AWS Security Dashboards

Installation and Configuration Manual

Installing the app on Splunk Enterprise

If you are an existing user of Splunk App for Amazon Web Services and plan to migrate to Splunk App for AWS Security Dashboards, see Migrate from Splunk App for AWS to the Splunk App for AWS Security Dashboards.

Download the Splunk App for AWS Security Dashboards and the add-on

You can download both the Splunk App for AWS Security Dashboards and the Splunk Add-on for AWS from Splunkbase. Search for the following:

Install on a single instance

If your Splunk Enterprise deployment is a single instance, install both the app and the add-on to your single instance. You can use the Install app from file feature in the Manage Apps page in Splunk Web to install both packages, or install manually using the command line.

After you install the app and add-on, create indexes the app uses to report on preconfigured saved searches. For more information, see Create indexes and schedule saved searches.

Install in a non-clustered distributed environment

If your Splunk Enterprise deployment is distributed and non-clustered, follow these steps:

  1. Install both the app and add-on to your search heads.
  2. Turn off add-on visibility on your search heads.
  3. Configure the search head tier to directly forward data to the indexer tier.
  4. Distribute the summary index configurations to the indexer.
  5. Install the add-on to a heavy forwarder.

Install the app and the add-on to your search heads

If you are installing to one or more independent search heads, follow your preferred method of deploying both the app and the add-on. You can do any of the following:

  • Follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • Install manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your search heads. Do not configure the app or add-on prior to deploying it.

Turn off visibility for the add-on on your search heads

After you have deployed the app and the add-on to your search heads, change the visibility setting for the add-on on each search head to make it not visible. This step helps prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.

  1. Go to Apps > Manage Apps.
  2. Find the Splunk Add-on for AWS, with the folder name Splunk_TA_aws in the list, and click Edit properties.
  3. Under Visible, click the radio button next to No.
  4. Click Save.

Repeat these steps on all search heads.

Configure the search head tier to forward data directly to the indexer tier

Use an outputs.conf configuration file to configure the search head tier as in the following example. Splunk software does not support inline comments in .conf files, so each comment is placed on its own line:

[indexAndForward]
# Turn off indexing on the search head
index = false

[tcpout]
# Name of the search peer group
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
# List of indexer peers
server = 10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997

  1. Place the outputs.conf file under $SPLUNK_HOME/etc/apps/splunk_app_aws_security/local on the search head.
  2. Restart the search head.

Create indexes and schedule saved searches for the Splunk App for AWS Security Dashboards

Create indexes the app uses to report on preconfigured saved searches. For more information, see Create indexes and schedule saved searches.

Install the add-on to heavy forwarders

Follow your preferred method of installing the Splunk Add-on for Amazon Web Services to one or more heavy forwarders. You can do any of the following:

  • Follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • Install manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

The add-on does not support universal forwarders or light forwarders because the configuration logic handled by the add-on requires Python. In addition, to configure AWS accounts in the add-on, you must do so using the add-on's configuration UI in Splunk Web rather than in the configuration files.

Install in a clustered distributed environment

To accelerate reporting, the Splunk App for AWS Security Dashboards uses summary indexing that builds separate summary indexes on the search head. If you are deploying the Splunk App for AWS Security Dashboards in a clustered environment, you need to distribute the summary index configuration bundle across all the clustered indexers and configure your individual or clustered search heads to directly forward data to the indexer tier so that data summary can be shared across all the search heads:

  1. Install the app and the add-on to your search head cluster.
  2. Turn off visibility for the add-on on your search heads.
  3. Configure the search head tier to directly forward data to the indexer tier.
  4. Distribute the summary index configuration bundle across clustered indexers.
  5. Install the add-on to heavy forwarders.

Install the app and the add-on to your search head cluster

Install the app and the add-on using the deployer. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual of the Splunk Enterprise documentation.

To prepare the app and add-on for deployment in a search head cluster and prevent validation errors on startup, remove the following files on the deployer:

  • Remove the eventgen.conf file from the add-on folder: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/default
  • Remove the inputs.conf and inputs.conf.spec files from the add-on folder: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/default
  • Remove all files in the folder $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/samples.

Turn off visibility for the add-on on your search heads

To turn off visibility for the add-on, update the app.conf file:

  1. On the deployer, create an app.conf file in the folder $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/local.
  2. Edit the local/app.conf file.
  3. Turn off visibility using the is_visible setting. Example:

[ui]
is_visible = false

Configure the search head tier to forward data directly to the indexer tier

Use an outputs.conf configuration file to configure the search head tier as in the following example. Splunk software does not support inline comments in .conf files, so each comment is placed on its own line:

[indexAndForward]
# Turn off indexing on the search head
index = false

[tcpout]
# Name of the search peer group
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
# List of indexer peers
server = 10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997

  1. Do one of the following, depending on your configuration:
    1. If you use clustered search heads, place the outputs.conf file under $SPLUNK_HOME/etc/shcluster/apps/splunk_app_aws_security/local and run the splunk apply shcluster-bundle command on the deployer to push the configuration bundle to peers.
    2. If you use multiple independent search heads, place the outputs.conf file under $SPLUNK_HOME/etc/apps/splunk_app_aws_security/local on all the search heads.
  2. Restart the search head instances.
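The three deployer-side steps above (removing the files that fail validation, hiding the add-on with app.conf, and writing the outputs.conf that forwards search-head data to the indexers) can be scripted so that every search head cluster member receives an identical bundle. The following POSIX shell script is an added example, not part of Splunk's documentation or the app itself; the function names, the check routine and the `bundle ready` message are this example's own. It takes the shcluster apps directory (normally $SPLUNK_HOME/etc/shcluster/apps) and the comma-separated indexer list as arguments, and the check function verifies each setting before you run splunk apply shcluster-bundle. The same outputs.conf body also serves the non-clustered procedure earlier on this page; only the target directory ($SPLUNK_HOME/etc/apps/...) differs there.

```shell
#!/bin/sh
# Added example: prepare the Splunk_TA_aws and splunk_app_aws_security
# bundles on an SHC deployer. Function names and the check routine are
# this example's own, not Splunk's.

prepare_shcluster_bundle() {
  shc_apps="$1"   # e.g. /opt/splunk/etc/shcluster/apps
  peers="$2"      # comma-separated indexer list, host:port
  ta="$shc_apps/Splunk_TA_aws"
  app="$shc_apps/splunk_app_aws_security"

  # Step 1: remove the files that cause validation errors on SHC members.
  rm -f "$ta/default/eventgen.conf" \
        "$ta/default/inputs.conf" \
        "$ta/default/inputs.conf.spec"
  # rm -f exits 0 when the glob matches nothing, so this is safe on a clean tree.
  [ -d "$ta/samples" ] && rm -f "$ta/samples"/*

  # Step 2: hide the add-on so no inputs run on the search heads.
  mkdir -p "$ta/local"
  printf '[ui]\nis_visible = false\n' > "$ta/local/app.conf"

  # Step 3: forward search-head data to the indexer tier.
  # Comments sit on their own lines; Splunk treats inline '#' as part of a value.
  mkdir -p "$app/local"
  cat > "$app/local/outputs.conf" <<EOF
[indexAndForward]
# Turn off indexing on the search head
index = false

[tcpout]
# Name of the search peer group
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
# List of indexer peers
server = $peers
EOF
}

# Verify the bundle before pushing it; returns non-zero on the first problem.
check_shcluster_bundle() {
  shc_apps="$1"
  ta="$shc_apps/Splunk_TA_aws"
  app="$shc_apps/splunk_app_aws_security"
  for f in default/eventgen.conf default/inputs.conf default/inputs.conf.spec; do
    [ ! -e "$ta/$f" ] || { echo "still present: $ta/$f"; return 1; }
  done
  [ -z "$(ls -A "$ta/samples" 2>/dev/null)" ] || { echo "samples folder not empty"; return 1; }
  grep -q '^is_visible = false$' "$ta/local/app.conf" || { echo "add-on still visible"; return 1; }
  grep -q '^index = false$' "$app/local/outputs.conf" || { echo "indexing not disabled"; return 1; }
  grep -q '^server = .' "$app/local/outputs.conf" || { echo "no tcpout peers"; return 1; }
  echo "bundle ready: run 'splunk apply shcluster-bundle' on the deployer"
}

# Usage on a deployer (paths and peers are placeholders):
#   prepare_shcluster_bundle /opt/splunk/etc/shcluster/apps "10.10.10.1:9997,10.10.10.2:9997"
#   check_shcluster_bundle  /opt/splunk/etc/shcluster/apps
```

Run it before splunk apply shcluster-bundle; the check function refuses to report the bundle ready while any of the to-be-removed files still exists or either .conf setting is missing, which is the failure a member would otherwise surface at startup.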

Create indexes and schedule saved searches for the Splunk App for AWS Security Dashboards

Create indexes the app uses to report on preconfigured saved searches. For more information, see Create indexes and schedule saved searches.

Install the add-on to heavy forwarders

Follow your preferred method of deploying the Splunk Add-on for Amazon Web Services to one or more heavy forwarders. You can do any of the following:

  • Follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • Install manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

The add-on does not support universal forwarders or light forwarders because the configuration logic handled by the add-on requires Python. In addition, to configure AWS accounts in the add-on, you must do so using the add-on's configuration UI in Splunk Web rather than in the configuration files.

Last modified on 15 August, 2024

This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.1.1

