Plan the upgrade
This topic covers key considerations you need to know when you plan the Splunk App for Enterprise Security upgrade.
Splunk Enterprise requirements
The Splunk App for Enterprise Security 3.0.1 requires Splunk Enterprise version 6.0.2 or later on all search heads and indexers. To plan the upgrade of the Splunk Enterprise environment, see "Upgrade your distributed environment" in the Splunk Enterprise documentation.
Hardware requirements
The reference hardware for Splunk Enterprise 6 has changed. See "Reference Hardware" in the Splunk Enterprise documentation for details.
The TSIDX namespace data collection has been replaced with the data model acceleration feature in Splunk Enterprise 6. Data model acceleration uses the indexers for storage, with the data models stored within each index. This change reduces, but does not eliminate the storage use on the search head. See "Hardware requirements for Splunk indexers" in the Enterprise Security documentation.
Installation prerequisites
The Splunk App for Enterprise Security 3.0 and later does not require the Sideview Utils app to be installed. Sideview Utils does not conflict with Enterprise Security, and you can retain it for legacy dashboards or other uses.
Review the Known Issues
For the latest details about known issues found in this release, see "Known Issues" in the "Release Notes".
Enterprise Security Install App
The Enterprise Security Install App performs an upgrade only on a search head that has an installation of Enterprise Security 2.4 or greater. The Install App does not support upgrades from Splunk Enterprise Security Suite 1.1.x.
The Enterprise Security Install App displays a review of all changes before performing the upgrade. It also migrates custom searches, temporarily disables all correlation searches, changes the lookup files to new formats, and disables searches that might use the same names as core Enterprise Security. During the review, the installer can print a report of all changes to be made during the upgrade. Printing the report is recommended.
In a "Distributed deployment," manually upgrade the "add-ons" installed on the indexers. See "Deployemnt-apps" in this topic.
Use the Splunk deployment server to deploy the "add-ons" to the indexers and forwarders. Manually upgrade the "add-ons" hosted on the deployment server. See "Deployment-apps" in this topic.
Search head pooling considerations
In a environment with search head pooling, you must follow a specific order of operations for upgrading any app. See "Upgrade a distributed environment with pooled search heads" in the Splunk Enterprise documentation.
Deployment-apps
A copy of the latest deployment-apps are included with the Splunk App for Enterprise Security. When upgrading to the latest Enterprise Security app, the deployment-apps included with the Enterprise Security Install App should be used. The Enterprise Security Install App does not automatically upgrade or migrate any deployment-app configurations.
Once the upgrade has been run, the deployment-apps can be found in SplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps.
They can also be extracted directly from the Enterprise Security Install App in the file SplunkEnterpriseSecurityInstaller/default/src/splunk_app_es-3.0.x-xxxxxx.zip
Important Any customizations made to the prior versions of deployment-apps must be manually migrated.
Changes to TA packages
Splunk App for *Nix
To improve and consolidate Unix performance and configuration data collection, the Splunk App for Enterprise Security contains a set of views in
SA-EndpointProtection that display performance and configuration information from Solaris, Linux, and Mac OS X systems.
In previous versions, the collection of performance and configuration data from Unix systems was handled separately from Splunk "knowledge objects" (like props.conf, transforms.conf, and related files) that parsed and interpreted the data.
These functions are now merged into the Splunk for Unix and Linux app and distributed with the Splunk App for Enterprise Security. A version of the Splunk for Unix and Linux app is also available as a separate download from Splunk Apps.
In the earlier version of the Splunk App for Enterprise Security:
- Deployment apps were distributed to forwarders to collect Unix performance and configuration data. These apps were located in
$SPLUNK_HOME/etc/deployment_apps/after installation. There were three of these apps:
- linux_base - osx_base - solaris_base
- These apps used Python-based scripted inputs to perform collection tasks, making them unsuitable for installation on universal forwarders (which do not contain a Python distribution).
- The
TA-nix,TA-deploymentapps, andSA-EndpointProtectionall contained "knowledge objects" used to interpret the collected data.
In this version of the Splunk App for Enterprise Security:
- A single app, Splunk for Unix and Linux (or
Splunk_TA_nix) now replicates the functionality of the olderTA_nixandTA-deploymentapps-- which have been deprecated.
Note: SA-EndpointProtection has not been deprecated, but knowledge pertaining to Unix data collection has been migrated into Splunk_TA_nix.
- Shell scripts are now used to perform data collection, so that the
Splunk_TA_nixcan be installed on universal forwarders.
For instance, the functions provided by the following scripts in the older deployment apps are now performed by a single script in Splunk_TA-nix named "service.sh":
linux_base/bin/linux_service.py
osx_base/bin/os_service.py
solaris_base/bin/solaris_service.py
- Outputs from the older
Splunk_TA_nixhave been leveraged to provide data in Enterprise Security. These outputs are:
cpu.sh - provides CPU utilization data
df.sh - provides filesystem utilization data
ps.sh - provides process information data
vmstat.sh - provides memory utilization data
Splunk_TA_nixcontains all the knowledge objects necessary to parse data produced by the scripted inputs. A few minor modifications were made toSA-EndpointProtectionto facilitate backwards compatibility.
Previously, scripted inputs in the deprecated deployment apps generated source and sourcetype values in the following format:
<OS>:<script name or identifier>
For instance, CPU data collected from a Linux, Solaris, or OS X host would have received the following source and sourcetype classifications:
Linux:CPUTime Solaris:CPUTime OSX:CPUTime
In the new Splunk_TA_nix script architecture being used, it is not possible in all cases to distinguish the source operating system (OS) at the time of sourcetype classification. Therefore, sources and sourcetypes from scripted inputs in the unified Splunk_TA_nix app have the following, less granular format:
Unix:<script name or identifier>
For example, CPU information collected from a Linux, Solaris, or OS X host using the new Splunk_TA_nix receive the following source and sourcetype classification irrespective of the source host's operating system:
Unix:CPUTime
Splunk administrators should be aware of this naming change, especially when writing searches that perform cross-platform comparison of data. For example, depending on the target system architecture, it may not be accurate to compare CPU utilization percentages directly.
Summary of *nix upgrade considerations
Consider these important changes as you upgrade:
- If you were using the older deployment apps (
linux_base,osx_base,solaris_base) and distributing these apps to forwarders, you can continue to do so without impact. The data collected by these older apps will still be collected and interpreted correctly.
- To begin data collection on universal forwarders, you can now distribute
Splunk_TA_nixto your systems.
Splunk_TA_nixnow supersedes theTA-nixandTA-deploymentappsapps. Both of theses older apps will be disabled during installation. If custom modifications have been made to these apps, the changes need to be migrated manually into an appropriate app of your choosing.
| Platform: linux_base | |
|---|---|
| former script | new script (or existing script) |
| linux_cputime.py | (cpu.sh) |
| linux_disk.py | (df.sh) |
| linux_listening_ports.py | openPortsEnhanced.sh *** |
| linux_memory.py | (vmstat.sh) |
| linux_passwd.py | passwd.sh |
| linux_process.py | (ps.sh) |
| linux_selinux_checker.py* | selinuxChecker.sh |
| linux_service.py | service.sh |
| linux_sshd_checker.py | sshdChecker.sh *** |
| linux_update.py** | update.sh |
| linux_uptime.py | uptime.sh |
| linux_version.py | version.sh |
| linux_vsftpd_checker.py | vsftpdChecker.sh *** |
| Platform: osx_base | |
| osx_cputime.py | (cpu.sh) |
| osx_disk.py | (df.sh) |
| osx_listening_ports.py | openPortsEnhanced.sh *** |
| osx_memory.py | (vmstat.sh) |
| osx_passwd.py | passwd.sh |
| osx_process.py | (ps.sh) |
| osx_service.py | service.sh *** |
| osx_sshd_checker.py | sshdChecker.sh |
| osx_update.py** | update.sh *** |
| osx_uptime.py | uptime.sh |
| osx_version.py | version.sh |
| osx_vsftpd_checker.py | vsftpdChecker.sh *** |
| Platform: solaris_base | |
| solaris_cputime.py | (cpu.sh) |
| solaris_disk.py | (df.sh) |
| solaris_listening_ports.py | openPortsEnhanced.sh |
| solaris_memory.py | (vmstat.sh) |
| solaris_passwd.py | passwd.sh |
| solaris_process.py | (ps.sh) |
| solaris_service.py | service.sh |
| solaris_sshd_checker.py | sshdChecker.sh |
| solaris_uptime.py | uptime.sh |
| solaris_version.py | version.sh |
| solaris_vsftpd_checker.py | vsftpdChecker.sh *** |
* Only present on Linux
** Only present on Mac OS X and Linux
*** May require root privileges to produce complete results on the indicated OS
| Add a custom dashboard | Upgrade Splunk App for Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0.1
Download manual
Feedback submitted, thanks!