Splunk® Enterprise Security

Installation and Upgrade Manual



Install Add-ons

The Splunk App for Enterprise Security solution includes a number of predefined add-ons to work with the data you want to monitor. The add-ons provide the feeds to get data from different sources, and also provide search-time knowledge maps to normalize the data for use within the app. Add-ons ensure that the data is correctly consumed by the Splunk App for Enterprise Security.

Add-ons provided with Enterprise Security

A number of add-ons are provided within the Splunk App for Enterprise Security so that you can start mapping your data right away.

The provided add-ons include:

  • Splunk_TA_nix
  • Splunk_TA_windows
  • Splunk-TA-nessus
  • TA-airdefense
  • TA-alcatel
  • TA-bluecoat
  • TA-cef
  • TA-fireeye
  • TA-flowd
  • TA-fortinet
  • TA-ftp
  • TA-ip2location
  • TA-juniper
  • Splunk_TA_mcafee
  • TA-ncircle
  • TA-nmap
  • TA-oracle
  • TA-ossec
  • TA-paloalto
  • TA-rsa
  • TA-sav
  • TA-sep
  • TA-snort
  • TA-sophos
  • TA-splunk
  • TA-tippingpoint
  • TA-trendmicro
  • TA-websense

Find out more about these out-of-the-box add-ons in the Data Source Integration Manual

You can download additional apps from Splunk Apps, provided they are compatible with the Splunk App for Enterprise Security.

Updating add-ons

An add-on used by the Splunk App for Enterprise Security may be updated independent of the Enterprise Security App, and made available on Splunk Apps.

Update the app from within Splunk

To check for a newer version, go to Manage Apps from the Splunk menu. If there is an updated version of an add-on, there will be a link similar to this: 4.6.0|Update to 4.6.3 in the Version column.

1. To update your existing add-on with the newer one, click the link in the version column.

2. A window will confirm that there is an updated version of the add-on. Click Update to get the newer version.

3. You may need to restart Splunk to install the add-on. Click Restart.

Note: You will need to be logged into Splunk.com to download the add-on.

Update the app manually

You can also download the newer add-on directly from Splunk Apps.

1. Go to Splunk Apps and find the new version of the add-on. Download the add-on to your desktop or local directory. For example, download the Splunk for Unix and Linux add-on from Splunk Apps.

2. Install the add-on by navigating to Manage Apps > Install app from file from the Splunk Home page. Browse to the add-on location and select the add-on.

Be sure to select Upgrade app... so that the newer version of the add-on overwrites the older one. Click Upload.

3. You may need to restart Splunk to install the add-on. Click Restart.

How to get more add-ons

Each add-on is specific to a single technology, or version of a technology, and provides all the Splunk knowledge necessary to incorporate that technology into Enterprise Security. You can use pre-packaged add-ons or create your own. See the Data Source Integration manual for information on creating your own add-ons.

Note: Not all apps and add-ons are compatible with the Splunk App for Enterprise Security. Only those that explicitly state they are Enterprise Security-compatible should be installed on the same search head with the Splunk App for Enterprise Security.

  • Add-ons for a number of common source types are bundled with the Splunk App for Enterprise Security. Some of these add-ons may need to be configured for your environment. Each add-on contains a README file that details the required configurations.
  • Splunk Apps hosts downloadable apps and add-ons for Splunk.
  • You can develop your own add-ons for unsupported or custom data formats, including your own application logs.

See the Data Source Integration manual for more information. You are also encouraged to upload your add-ons to Splunk Apps and share them with the Splunk community. To share your add-ons, go to Splunk Apps, click upload an app and follow the instructions for the upload.

Add-ons are designed to be as easy as possible to deploy, but some supported technologies may require additional configuration. This is especially true if you have customized the format of your logs or other data sources.

Steps for installing add-ons

Use the Splunk Apps manager to configure or add additional CIM-compatible add-ons to your deployment.

Find an add-on

To find an add-on to add:

  1. Click Apps next to Splunk in the menu bar.
  2. Select Find more apps. Browse and search the list of apps.
  3. Select an app to be installed.

Add an add-on from a local file

To add an add-on saved locally:

  1. Click Apps next to Splunk in the menu bar.
  2. From the drop-down menu, select Manage Apps.
  3. Select Install app from file.
  4. In the Upload an app panel, browse for the location of the app, select it, and click Upload.

Edit an existing add-on

To edit an existing add-on:

  1. Click Apps next to Splunk in the menu bar.
  2. From the drop-down menu, select Manage Apps.
  3. Select the app from the list of apps available.
  4. Click Edit Properties for the app you want to configure. When you are finished, click Save.

Note: Do not use the Create app option on the Manage Apps > Apps page with the Enterprise Security app.

To create a custom add-on to capture and map your data, see the Data Source Integration Manual.

Add a custom add-on to an app

The Splunk App for Enterprise Security includes a modular input to update your add-ons or add custom add-ons with unique naming conventions. There are a couple of ways to update or add add-ons in your deployment:

Run setup to update the list of add-ons

When you run setup on the Splunk App for Enterprise Security from Manage Apps, the module automatically imports any add-ons whose names follow these naming conventions:

  • TA-*
  • Splunk_TA_*

  1. Go to Apps > Manage Apps > Enterprise Security > Setup.
  2. Click OK.
  3. Restart Splunk to incorporate the changes.

Imports are transitive

App imports are transitive, meaning that an app (A) that imports another app (B) also imports all of the apps (C) imported by that app.

In other words:

  1. If app A imports B,
  2. and app B imports C,
  3. then A imports C.

Since supporting add-ons import each other, you may see only one supporting add-on with an updated local.meta file. This is usually SA-AccessProtection, since it is the first supporting add-on in the list of apps.
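The rule above is a reachability question over the import graph, so the set of apps an app effectively sees is the transitive closure of its direct imports. The following Python script is an added example, not Splunk code: it walks a constructed import graph (only SA-AccessProtection and SA-EndpointProtection are named on this page; the edges, the TA-sep back-edge and the other app names are made up to exercise the walk) and returns every app reachable from a starting app, stopping on cycles.

```python
from collections import deque

# Constructed import graph: {app: [apps it imports directly]}, in the spirit
# of the "import" setting each app carries in its local.meta/default.meta.
# The edges are invented for this example; TA-sep importing SA-AccessProtection
# creates a cycle so the walk has to guard against revisiting apps.
IMPORTS = {
    "SplunkEnterpriseSecuritySuite": ["SA-AccessProtection", "SA-EndpointProtection"],
    "SA-AccessProtection": ["SA-EndpointProtection", "Splunk_TA_windows"],
    "SA-EndpointProtection": ["Splunk_TA_nix", "TA-sep"],
    "TA-sep": ["SA-AccessProtection"],
}


def effective_imports(app, graph=IMPORTS):
    """Every app reachable from `app` through direct or transitive imports.

    Breadth-first walk over the import graph; `seen` prevents an import
    cycle from looping forever and the app itself is never reported as
    its own import.
    """
    seen = set()
    queue = deque(graph.get(app, []))
    while queue:
        dep = queue.popleft()
        if dep == app or dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return sorted(seen)


def importers_of(target, graph=IMPORTS):
    """Apps that end up importing `target`, directly or transitively."""
    return sorted(app for app in graph if target in effective_imports(app, graph))


if __name__ == "__main__":
    for app in IMPORTS:
        print("%s -> %s" % (app, effective_imports(app)))
    print("Splunk_TA_windows is imported by:", importers_of("Splunk_TA_windows"))
```

Because B's imports are pulled in through A, a change to what B imports is visible to A without A's own local.meta changing, which is why checking only the one add-on whose local.meta was rewritten does not tell you the whole import set.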

View current app imports

View the current app imports by using the "rest" search command.

Note: You need to have administrator permissions to run the command.

This example views the imports for the SA-EndpointProtection application:

| rest /servicesNS/nobody/system/apps/local/SA-EndpointProtection/import | fields import

Modify this code sample to view the imports of another app.

Import add-ons with a different naming convention

To add a new add-on naming convention, modify the regular expression (regex) that the app import updater uses. To do this:

1. Open, or create, $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf.

2. In the [app_imports_update://update_es] stanza, add or edit the app_regex setting so that it also matches the new add-on's name. Keep the existing alternatives in the expression: a setting in local/inputs.conf replaces the default value, it does not extend it.

For example, the app "test" has been added to this stanza:

# Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(test)

3. Save your changes.

4. Restart Splunk to incorporate the changes.

Remove an add-on from app import

To remove an add-on from app import:

1. Edit $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf and change app_regex to a pattern that no longer matches the add-on you want to exclude.

For example, to stop importing Splunk_TA_windows while keeping the other Splunk_TA_* add-ons, replace (Splunk_TA_.*) with an alternative that excludes that one name. Note that simply narrowing the prefix, as in (Splunk_TA_w.*), does not do this: that pattern still matches Splunk_TA_windows and instead drops Splunk_TA_nix, Splunk_TA_mcafee and every other Splunk_TA_* add-on. A negative lookahead gives the intended result (assumption: the updater evaluates app_regex with Python's re module, which supports lookahead; the page does not name the regex engine):

[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_(?!windows$).*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(test)

2. Restart Splunk to incorporate the changes.
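Before restarting Splunk with a new app_regex it is worth checking offline which app directories the expression will select, since a mistake either imports a core app or silently drops supporting add-ons. The following Python script is an added example, not part of the Splunk documentation or of the ES updater's own code. It applies the default expression and the variants from the two procedures above (adding "test", the naive "Splunk_TA_w.*" narrowing, and the negative-lookahead exclusion) to a constructed list of app directory names; "DA-ESS-NetworkProtection" is a hypothetical DA-* name and the other names are taken from this page. It assumes the updater tests app_regex against the whole directory name with Python's re module, which the page does not state.

```python
import re

# Constructed sample: app directory names as they might appear under
# $SPLUNK_HOME/etc/apps on an ES 3.1 search head. "search" and "launcher"
# are core Splunk apps that must never be imported by ES.
APPS = [
    "SplunkEnterpriseSecuritySuite",
    "SA-AccessProtection",
    "SA-EndpointProtection",
    "DA-ESS-NetworkProtection",   # hypothetical DA-* name
    "Splunk_TA_windows",
    "Splunk_TA_nix",
    "Splunk_TA_mcafee",
    "TA-snort",
    "TA-paloalto",
    "sideview_utils",
    "test",
    "search",
    "launcher",
]

# The default app_regex from the page, followed by the three variants discussed.
DEFAULT_REGEX = r"(TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)"
WITH_TEST_REGEX = DEFAULT_REGEX + r"|(test)"
# Narrowing the prefix to Splunk_TA_w.* still matches Splunk_TA_windows and
# drops every other Splunk_TA_* app instead: the failure mode to avoid.
NAIVE_EXCLUDE_REGEX = WITH_TEST_REGEX.replace(r"(Splunk_TA_.*)", r"(Splunk_TA_w.*)")
# A negative lookahead keeps every Splunk_TA_* app except Splunk_TA_windows.
LOOKAHEAD_EXCLUDE_REGEX = WITH_TEST_REGEX.replace(r"(Splunk_TA_.*)", r"(Splunk_TA_(?!windows$).*)")


def imported_apps(app_regex, apps=APPS):
    """Return the app names that app_regex selects, in directory order.

    Assumption (not stated on the page): the updater matches the expression
    against the whole directory name, hence re.fullmatch. The lookahead
    exclusion also holds under re.search semantics, because no alternative
    can match at a later offset inside "Splunk_TA_windows".
    """
    pattern = re.compile(app_regex)
    return [app for app in apps if pattern.fullmatch(app)]


def import_diff(old_regex, new_regex, apps=APPS):
    """(gained, lost) app names when app_regex changes from old_regex to new_regex."""
    old = set(imported_apps(old_regex, apps))
    new = set(imported_apps(new_regex, apps))
    return sorted(new - old), sorted(old - new)


def render_stanza(app_regex):
    """The local/inputs.conf stanza that installs the given app_regex."""
    return "[app_imports_update://update_es]\napp_regex = %s\n" % app_regex


if __name__ == "__main__":
    print("default imports:", imported_apps(DEFAULT_REGEX))
    print("add 'test'      (gained, lost):", import_diff(DEFAULT_REGEX, WITH_TEST_REGEX))
    print("Splunk_TA_w.*   (gained, lost):", import_diff(WITH_TEST_REGEX, NAIVE_EXCLUDE_REGEX))
    print("lookahead       (gained, lost):", import_diff(WITH_TEST_REGEX, LOOKAHEAD_EXCLUDE_REGEX))
    print(render_stanza(LOOKAHEAD_EXCLUDE_REGEX))
```

Run it against a listing of your own $SPLUNK_HOME/etc/apps directory (replace APPS with os.listdir of that path) and confirm that import_diff reports only the apps you meant to add or drop before you write the stanza and restart.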

Determine which add-ons to deploy

Not all add-ons must be installed on the indexers, only those that perform operations at index time. Review the README ($SPLUNK_HOME/etc/apps/TA-<vendor/product>/README) associated with the add-on you are deploying to determine if it includes index-time operations. If it does not include index-time operations, then no further action is necessary.

If there are index-time operations that require the add-on, deploy it with the deployment server, using the instructions found in "About deployment server" in the Distributed Deployment Manual, part of the core Splunk documentation.

Note: If there is no README, you can look at the configuration files. An add-on includes index-time operations if any of the following settings appear in its default/props.conf:

  • SHOULD_LINEMERGE
  • LINE_BREAKER
  • TIME_PREFIX
  • TIME_FORMAT
  • TZ
  • TRANSFORMS-<x>=<y>
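Reading every props.conf by hand is error-prone across dozens of add-ons, so the check above is easily automated. The following Python script is an added example, not from the Splunk documentation or from any add-on: it parses props.conf text with a minimal stanza/key=value reader and reports which stanzas carry the index-time settings listed on this page. The two props.conf samples are constructed for the example; "hypothetical:syslog", "hypothetical:app" and the transform and lookup names do not belong to any real add-on. The check also treats SEDCMD-<x> as index-time, which is not on the page's list but is likewise applied before indexing.

```python
# Settings that only take effect at index time, per this page, plus SEDCMD-*
# which is also applied at index time (added here; not on the page's list).
INDEX_TIME_KEYS = ("SHOULD_LINEMERGE", "LINE_BREAKER", "TIME_PREFIX", "TIME_FORMAT", "TZ")
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")

# Constructed sample: default/props.conf of a hypothetical syslog add-on that
# mixes index-time and search-time settings.
PROPS_WITH_INDEX_TIME = """\
# default/props.conf of a hypothetical syslog add-on (constructed sample)
[hypothetical:syslog]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS-host = set_host_from_syslog
REPORT-fields = extract_syslog_fields
FIELDALIAS-src = src_ip AS src
"""

# Constructed sample: an add-on that ships search-time knowledge only and
# therefore does not need to be deployed to the indexers.
PROPS_SEARCH_TIME_ONLY = """\
# default/props.conf of a hypothetical add-on (constructed sample)
[hypothetical:app]
EXTRACT-user = user=(?<user>\\S+)
LOOKUP-action = action_lookup vendor_action OUTPUT action
EVAL-severity = lower(sev)
"""


def parse_conf(text):
    """Minimal reader for Splunk .conf files: {stanza: {key: value}}.

    Blank lines and '#' comments are skipped; only the first '=' on a line
    separates key from value, so regexes containing '=' survive intact.
    Settings before the first stanza header are ignored.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def index_time_settings(text):
    """{stanza: [keys]} for every setting that requires the add-on on the indexers."""
    hits = {}
    for stanza, settings in parse_conf(text).items():
        keys = [k for k in settings
                if k in INDEX_TIME_KEYS or k.startswith(INDEX_TIME_PREFIXES)]
        if keys:
            hits[stanza] = keys
    return hits


def needs_indexer_deployment(text):
    """True if the add-on must be pushed to the indexers (e.g. via deployment server)."""
    return bool(index_time_settings(text))


if __name__ == "__main__":
    for name, text in (("syslog add-on", PROPS_WITH_INDEX_TIME),
                       ("search-time add-on", PROPS_SEARCH_TIME_ONLY)):
        print(name, "->", "deploy to indexers" if needs_indexer_deployment(text)
              else "search head only", index_time_settings(text))
```

To run it over a real deployment, read $SPLUNK_HOME/etc/apps/<add-on>/default/props.conf for each add-on and feed the file contents to needs_indexer_deployment; also check the same add-on's local/props.conf, since local settings override default and may add index-time keys the README does not mention.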
Last modified on 13 November, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1

