Install Enterprise Security
This topic describes installing an on-premises search head with Splunk Enterprise Security.
Splunk Enterprise Security prerequisites
To view the platform requirements for Splunk Enterprise Security, see Deployment planning in this manual. For an overview of the data sources and collection considerations for ES, see Data source planning in this manual.
Step 1. Download Splunk Enterprise Security
- Browse to splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
- Download the latest Splunk Enterprise Security product.
- Choose Download, and save the Splunk Enterprise Security product file to your desktop.
- Log in to the search head as an administrator.
Step 2. Install Splunk Enterprise Security
- On the Splunk Enterprise search page, browse to Apps > Manage Apps and choose Install App from File.
- Select Choose File and browse to the Splunk Enterprise Security product file.
- Select Upload to begin the installation.
- Select Set up now to begin the ES setup.
Step 3. Set up Splunk Enterprise Security
- Select Start.
- The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
- Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page will prompt you to restart Splunk platform services.
- Select Restart Splunk to finish the installation.
- Note: The installation of Enterprise Security will enable SSL on the search head. You must change the Splunk URL to use
httpsto access the search head after installing ES.
Step 4. Configure Enterprise Security
To continue configuring Splunk Enterprise Security, see the following.
- Install and deploy add-ons
- Configure and deploy Indexes
- Configure users and roles
- Configure data models
Installation from a command line
Perform a Splunk Enterprise Security installation using the Splunk software command line. See About the CLI for more about the Splunk software command line.
- Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
- Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line. For example:
curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<filename and directory>" -d update="true" -v
- On the search head, use the Splunk software command line to run:
splunk search '| testessinstall' -auth admin:password
- Review the installation log in:
Installation on a search head cluster
This topic discusses the clustered search head requirements specific to Enterprise Security, and does not replace the documentation review and testing required to implement search head clustering.
For an overview of search head clustering, see Search head clustering architecture in the Splunk Enterprise Distributed Search Manual.
For a complete list of requirements, see System requirements and other deployment considerations for search head clusters in the Splunk Enterprise Distributed Search Manual.
A staging instance is used to prepare the deployer's copy of Enterprise Security. If you have a clean testing or QA Splunk Enterprise instance in your environment, you may use that instance for staging if no other apps are installed. The instance is used for staging and upgrades only, and should not connect to production indexers or search peers.
- Prepare a staging instance.
- Install ES on staging.
- Migrate the ES install to the deployer by copying all of the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from
$SPLUNK_HOME/etc/appson the staging instance to
$SPLUNK_HOME/etc/shcluster/appson the deployer. Do not copy the entire folder, as you should not include any default apps.
- Deploy ES to the cluster members using the deployer.
Dashboard changes in a search head cluster
There are several types of configuration changes made on a search head:
- UI configurations
- Search-related configurations
- System configurations.
Create or update UI and search configurations from any member of a search head cluster. Once the change are made, they replicate to the other search cluster members automatically without using the deployer.
Manage system configurations centrally with the deployer. To review which configuration files are replicated between cluster members and which ones must be deployed, see How configuration changes propagate across the search head cluster in the Splunk Enterprise Distributed Search Manual.
Adding or disabling an identities list from Identity Management cannot be done from a search head cluster member or captain. When reviewing the dashboard Configure > Identity Management from any cluster member, the page states: "Current instance is running in SHC mode and is not able to add new inputs.”
- New workflow: Configure the new or changed identities list on your Enterprise Security testing or staging environment. After testing the configuration, use the search head cluster deployer to distribute updated configurations and a new lookup file across the search head cluster.
Threat Source Management
Adding or disabling a threat source from Threat Intelligence Manager or Threat Intelligence Downloads cannot be configured from a search head cluster member or captain. When reviewing the dashboard Configure > Data Enrichment > Threat Intelligence Downloads from any cluster member, the page states: "Current instance is running in SHC mode and is not able to add new inputs.”
- New workflow: Configure the new or changed threat source on your Enterprise Security testing or staging environment. After testing the configuration, migrate the configuration to the search head cluster deployer and distribute the updated
inputs.confconfigurations across the search head cluster.
Migrate an existing deployment
An Enterprise Security search head or search head pool member cannot be added directly to a search head cluster. To perform a migration, a new search cluster must be created and deployed with the latest version of Enterprise Security. Once the search head cluster is running ES, any custom configurations from a prior Enterprise Security installation must be manually reviewed and migrated to the deployer for replication to the cluster members.
For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.
For assistance in planning a Splunk Enterprise Security deployment migration, contact the Splunk Professional Services team.
Data source planning
Install and deploy add-ons
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4