Splunk® Enterprise Security

Installation and Upgrade Manual


This documentation does not apply to the most recent version of ES.

Configure the search head

The Splunk App for Enterprise Security uses summary searches to store statistical snapshots of critical data. Where that summary data is stored depends on the deployment architecture.

The Splunk App for Enterprise Security supports the following deployment architectures:

1. A single-server deployment with all data stored on the same system

2. A distributed deployment with a search head hosting its own summary indexes

3. A distributed deployment with a search head sending its summary indexes and any generated data to the indexers

The configuration steps vary depending on which architecture you have chosen for your environment.

Single-server deployment

No additional configuration is needed. In this deployment scenario, the Enterprise Security app is installed on a single server that acts as both a search head and an indexer.

Distributed deployment with summary indexes on search head

No additional configuration is needed. This deployment architecture is common in small to medium-sized deployments where the summary index volumes are low. The summary index data is generated on the search head and stored on the search head, so any search that references summary indexes retrieves local results.

Distributed deployment with summary indexes on indexers

This deployment architecture is used in larger environments where data volumes are higher and the summary indexes are expected to be larger. The search head must be configured to send all locally generated data to the indexers. Configuring the search head to forward summary data and internal events to the indexers is a Splunk best practice, and it is also required for search head pooling.

To configure the search head to send all data to the indexers, configure the outputs.conf file on the search head according to "Configure forwarders with outputs.conf" in the core Splunk product documentation.
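As an added illustration (not taken from this manual), the following outputs.conf fragment shows the settings a search head needs so that summary and internal data are forwarded to the indexers rather than indexed locally; the output group name and the indexer hostnames are placeholders you would replace with your own.

```ini
# Added example: $SPLUNK_HOME/etc/system/local/outputs.conf on the search head
# (group name "es_indexers" and hostnames are assumed placeholders).

# Do not keep a local copy of forwarded events; the search head only forwards.
[indexAndForward]
index = false

[tcpout]
# All locally generated events (summary indexes, _internal, _audit) go to this group.
defaultGroup = es_indexers
# By default internal indexes such as _internal and _audit are filtered out of
# forwarding; disable that filter so they reach the indexers too.
forwardedindex.filter.disable = true
# Redundant with [indexAndForward] above, but keeps the intent explicit.
indexAndForward = false

[tcpout:es_indexers]
# Receiving port (default 9997) must be enabled on each indexer.
server = indexer1.example.com:9997, indexer2.example.com:9997
```

After restarting the search head, a search over `index=_internal` from the search head should return events whose `splunk_server` field is an indexer, not the search head itself, which confirms that local events are being forwarded.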

Search head pooling considerations

The Splunk App for Enterprise Security supports search head pooling, but the architecture must be tested before implementation. Search head pooling adds the potential for conflicts with other Splunk apps and has significant performance implications.

See "Overview of search head pooling" in the Splunk core documentation for more information on setting up search head pooling.

Review "Key implementation issues" in the core Splunk documentation if you plan to use a search head pool.

Important: The app requires a stable and supportable Splunk installation. Please review the "Search head pooling configuration issues" topic in the core Splunk documentation if you are planning to use a search head pool.

Update Enterprise Security configurations to reference the shared mount point

  • Any stanza in inputs.conf that references an object on the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires a monitor input. That input stanza must be updated when using search head pooling, because /etc/apps then resides on the pool and is no longer reachable through the $SPLUNK_HOME-relative path.

Example:

  SA-ThreatIntelligence/local/inputs.conf

    [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
    disabled = true

    ## Lookup is on the search head pool shared storage. Changed path below:
    [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
    disabled = false
    index = _audit
    sourcetype = incident_review

Use the deployment apps

The Splunk App for Enterprise Security includes a set of "deployment apps" that can be used to collect data from systems monitored by Enterprise Security and to perform other useful tasks. For more about the deployment apps and the deployment server, see "Splunk deployment server" in this manual and "About deployment server and forwarder management" in the core Splunk documentation.

The deployment apps are packaged inside the Enterprise Security Install App. You need server access to unzip the package and reach them. Unzip this file: SplunkEnterpriseSecuritySuiteInstaller/default/src/splunk_app_es-*.zip.

After unzipping this file, the deployment apps can be found at: SplunkEnterpriseSecuritySuiteInstaller/default/src/etc/deployment-apps.

Last modified on 09 April, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
