Configure the search head
The Splunk App for Enterprise Security utilizes summary searches to store statistical snapshots of critical data. The storage of that data depends upon some architectural considerations.
The Splunk App for Enterprise Security supports the following deployment architectures:
1. A single-server deployment with all data stored on the same system
2. A distributed deployment with a search head hosting its own summary indexes
3. A distributed deployment with a search head sending its summary indexes and any generated data to the indexers
The configuration steps will vary depending on which architecture you have chosen to use in your environment.
Single-server deployment
No additional configuration is needed. In this deployment scenario, the Enterprise Security app is installed on a single server that acts as both a search head and an indexer.
Distributed deployment with summary indexes on search head
No additional configuration is needed. This deployment architecture is common in small-to-medium-sized deployments where the summary index volumes are low. The summary index data is generated on the search head and stored on the search head, so any search that references summary indexes retrieves local results.
Distributed deployment with summary indexes on indexers
This deployment architecture is used in larger environments where the data volumes are higher and the summary indexes are expected to be larger. The search head must be configured to send all data generated locally to the indexers. Configuring the search head to forward summary data and internal events to the indexers is a "Splunk Best Practice." This configuration is also required to implement search head pooling.
To configure the search head to send all data to the indexers, configure the outputs.conf file on the search head according to "Configure forwarders with outputs.conf" in the core Splunk product documentation.
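An outputs.conf for the third architecture, added here as an illustration rather than taken from this page or from the Enterprise Security app; the output group name and the indexer hostnames are assumed placeholders:

```ini
# Search head outputs.conf: forward everything generated locally (summary
# indexes, _internal, _audit) to the indexers and keep no local copy.
# The group name and indexer hostnames below are placeholders.

# Stop the search head from indexing locally; data goes only to the indexers.
[indexAndForward]
index = false

[tcpout]
defaultGroup = es_indexers
# By default Splunk's forwardedindex filters keep internal indexes local.
# Disabling the filter forwards _internal and _audit as well, so audit
# records (for example the incident review audit trail) live on the indexers.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:es_indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997
```

Confirm the merged settings with `splunk btool outputs list --debug` and restart splunkd for the change to take effect.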
Search head pooling considerations
The Splunk App for Enterprise Security supports search head pooling, but the architecture must be tested before implementation. Search head pooling adds the potential for conflicts with other Splunk apps and has significant performance considerations.
See "Overview of search head pooling" in the Splunk core documentation for more information on setting up search head pooling.
Review "Key implementation issues" in the core Splunk documentation if you plan to use a search head pool.
Important: The app requires a stable and supportable Splunk installation. Please review the "Search head pooling configuration issues" topic in the core Splunk documentation if you are planning to use a search head pool.
- Any stanza in inputs.conf that references an object on the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling, since etc/apps resides on the pool mount and is no longer found under the relative path $SPLUNK_HOME.
Example (SA-ThreatIntelligence/local/inputs.conf):

    [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
    disabled = true

    ## Lookup is on the search head pool shared storage. Changed path below:
    [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
    disabled = false
    index = _audit
    sourcetype = incident_review
Use the deployment apps
The Splunk App for Enterprise Security includes a set of "deployment apps" that can be used to collect data from systems monitored by Enterprise Security and to perform other useful tasks. Find out more about deployment apps in "Splunk deployment server" in this manual, and about the deployment server itself in "About deployment server and forwarder management" in the core Splunk documentation.
The deployment apps are available in the Enterprise Security Install App. You will need server access to unzip the package to get to the deployment apps. Unzip this file:

    SplunkEnterpriseSecuritySuiteInstaller/default/src/splunk_app_es-*.zip

After unzipping this file, the deployment apps can be found at:

    SplunkEnterpriseSecuritySuiteInstaller/default/src/etc/deployment-apps
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1