Manual upgrade of Enterprise Security
This topic describes how to upgrade the Splunk Enterprise Security Suite or the Splunk App for Enterprise Security to a newer version of the app.
Step 1. Backup existing Enterprise Security installation
To perform a manual upgrade of the Splunk App for Enterprise Security, first make a backup of the current Enterprise Security 2.x installation by copying the following directories to a backup location.
$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite
$SPLUNK_HOME/etc/apps/DA-*
$SPLUNK_HOME/etc/apps/SA-*
$SPLUNK_HOME/etc/apps/TA-*
$SPLUNK_HOME/etc/apps/Splunk_DA-*
$SPLUNK_HOME/etc/apps/Splunk_SA-*
$SPLUNK_HOME/etc/apps/Splunk_TA-*
Note: Users of the Splunk Enterprise Security Suite 1.1.x need to perform a clean install or upgrade to 2.2.x using an older installer. The current installer does not support upgrades from Splunk Enterprise Security Suite 1.1.x. Contact Splunk Support for more information.
Step 2. Extract new Enterprise Security version into workspace
The new instance of the Splunk App for Enterprise Security should be tested in a new $SPLUNK_HOME or on a new server. This will be the upgrade workspace.
Install the new Splunk App for Enterprise Security version into the upgrade workspace. For details on installation see "Install Enterprise Security" in this manual.
Step 3. Retrieve configurations and customizations from backup
We recommend that the administrator of the existing installation review their as-built documents and runbooks, review the contents of their $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/deployment-apps directories, and review the installation notes from the original Enterprise Security Suite install.
Preserve the list of generated lookup files from the current installation. This can be a long list. Many CSV files are generated and updated while Enterprise Security Suite is operating. Go through all "lookups" sub-directories of each Enterprise Security Suite (DA*, SA*, TA* and SplunkEnterpriseSecuritySuite) folder.
For each .csv.default file, back up its equivalent .csv file if it exists.
These files have changed format since the previous release:
- SA-ThreatIntelligence/lookups/reviewstatuses.csv
- SA-ThreatIntelligence/lookups/incident_review.csv
- SA-ThreatIntelligence/default/savedsearches.conf
Note: The default savedsearches.conf file will be taken care of through the upgrade process. Attention is only required for local copies of savedsearches.conf.
Set aside the list and locations of these files for processing later.
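The following shell script is an added example, not part of the Splunk documentation or the Enterprise Security installer. It automates the lookup-preservation step above: for every *.csv.default under a lookups directory of an ES app folder, it copies the matching generated *.csv (if one exists) into a backup tree that mirrors the app-relative path, so the file can be restored later. The apps directory, backup location and the demo tree at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): preserve generated lookup CSVs
# from an existing ES 2.x install before upgrading.
#
# Usage: preserve_generated_lookups <apps_dir> <backup_dir>
#   apps_dir    normally $SPLUNK_HOME/etc/apps
#   backup_dir  a writable location outside $SPLUNK_HOME
# Prints the number of generated lookup files that were preserved.
preserve_generated_lookups() {
  apps_dir=$1
  backup_dir=$2
  count=0
  # The ES app folders named in Step 1 / Step 3 of the upgrade procedure.
  for app in "$apps_dir"/DA-* "$apps_dir"/SA-* "$apps_dir"/TA-* \
             "$apps_dir"/Splunk_DA-* "$apps_dir"/Splunk_SA-* "$apps_dir"/Splunk_TA-* \
             "$apps_dir"/SplunkEnterpriseSecuritySuite; do
    [ -d "$app/lookups" ] || continue      # unmatched glob, or app without lookups
    for dflt in "$app"/lookups/*.csv.default; do
      [ -f "$dflt" ] || continue           # no *.csv.default in this lookups dir
      csv=${dflt%.default}                 # reviewstatuses.csv.default -> reviewstatuses.csv
      [ -f "$csv" ] || continue            # never generated at runtime: nothing to preserve
      rel=${csv#"$apps_dir"/}              # e.g. SA-ThreatIntelligence/lookups/reviewstatuses.csv
      mkdir -p "$backup_dir/$(dirname "$rel")"
      cp -p "$csv" "$backup_dir/$rel"      # -p keeps the timestamp for later comparison
      count=$((count + 1))
    done
  done
  echo "$count"
}

# Constructed demo tree (not real ES data): one lookup that ES has generated
# a .csv for, and one that only has its shipped .csv.default.
demo=$(mktemp -d)
mkdir -p "$demo/apps/SA-ThreatIntelligence/lookups" "$demo/apps/DA-ESS-AccessProtection/lookups"
: > "$demo/apps/SA-ThreatIntelligence/lookups/reviewstatuses.csv.default"
printf 'status,label\n1,New\n' > "$demo/apps/SA-ThreatIntelligence/lookups/reviewstatuses.csv"
: > "$demo/apps/DA-ESS-AccessProtection/lookups/example.csv.default"
n=$(preserve_generated_lookups "$demo/apps" "$demo/backup")
echo "preserved $n generated lookup file(s) under $demo/backup"
```

Run it against the real $SPLUNK_HOME/etc/apps only while Splunk is stopped, so no lookup is rewritten mid-copy.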
Deployment-apps
The deployment-apps distributed with the Splunk App for Enterprise Security 3.0 should be used instead of the earlier Enterprise Security Suite deployment-apps.
The new deployment-apps folder is located in SplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps after the Installer App has been run once. If the Install App has not been run, unzip it from SplunkEnterpriseSecurityInstaller/default/src/splunk_app_es-3.0.0-xxxxxx.zip. After the file has been unzipped, the deployment-apps folder is located at SplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps.
Any customizations made to the old /deployment-apps have to be manually migrated to the new /deployment-apps. When the install is complete, ensure those changes are distributed to the Splunk infrastructure properly.
Review your existing installation of Enterprise Security for modifications and customizations to its scripts and dashboards. These modifications may not be required in the new versions and will each need to be reviewed for applicability.
Note: Splunk does not support modifying configuration files in the /default directories. Any changed default files will be overwritten as part of the upgrade if the configuration directories are copied from the backup to the upgrade workspace. To save these changes, move them to /local directories.
Step 4. Move the upgrade workspace
In the production workspace:
1. Stop Splunk
$SPLUNK_HOME/bin/splunk stop
2. Delete these directories:
$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite
$SPLUNK_HOME/etc/apps/DA-*
$SPLUNK_HOME/etc/apps/SA-*
$SPLUNK_HOME/etc/apps/TA-*
$SPLUNK_HOME/etc/apps/Splunk_TA-* (if these exist)
$SPLUNK_HOME/etc/apps/Splunk_SA-* (if these exist)
3. Copy the relevant files from the upgrade workspace to the production workspace.
Step 5. Restart Splunk and verify upgrade
1. Restart Splunk:
$SPLUNK_HOME/bin/splunk start
2. After Splunk restarts, go to Splunk Home (https://localhost:8000). Click the Enterprise Security app.
3. Click the Continue to app setup page link on the App configuration dialog.
Note: If the upgrade is performed, and the setup procedure is not run, Splunk may display errors on some dashboards.
4. Verify the settings on the Splunk App for Enterprise Security Setup page.
5. Click Save. The Enterprise Security configure page appears.
6. Verify the Enterprise Security install:
- Look for errors in Audit
- Navigate to Audit > View Audit.
- Make sure data is still coming into the expected source types
- Navigate to Audit > Incident Review Audit
- Make sure notable events are still generating
- Navigate to the Incident Review dashboard and run a search to see if events are being displayed
See "Installing Enterprise Security" and "Steps to configure" in this manual for more details on setting up the Splunk App for Enterprise Security for the first time.
Upgrade troubleshooting
Check the rest of the Splunk App for Enterprise Security documentation:
http://docs.splunk.com/Documentation/ES
See "Troubleshoot your deployment" in this document.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0