Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Data source planning

The volume, type, and number of data sources influence the overall Splunk platform architecture, the number and placement of forwarders, the estimated load, and the impact on network resources.

Splunk Enterprise Security requires that all data sources comply with the Splunk Common Information Model (CIM). Enterprise Security is designed to leverage the CIM standardized data models both when searching data to populate dashboard panels and views, and when providing data for correlation searches.

Map add-ons to data sources

The add-ons included with Splunk Enterprise Security are designed to parse and categorize known data sources and other technologies for CIM compliance.

For each data source:

  1. Identify the add-on: Identify the technology and determine the corresponding add-on. The primary sources for add-ons are the Add-ons provided with Enterprise Security and the CIM-compatible content available on Splunkbase. If the add-on you want to use is not already compatible with the CIM, modify it to support CIM data schemas. For an example, see Use the CIM to normalize data at search time in the Common Information Model Add-on Manual.
  2. Install the add-on: Install the add-on on the Enterprise Security search head. Install add-ons that perform index-time processing on each indexer. If the forwarder architecture includes sending data through a parsing or heavy forwarder, the add-on might be needed on the heavy forwarder. Splunk Cloud customers must work with Splunk Support to install add-ons on search heads and indexers, but are responsible for on-premises forwarders.
  3. Configure the server, device, or technology where necessary: Enable logging or data collection for the device or application and/or configure the output for collection by a Splunk instance. Consult the vendor documentation for implementation steps.
  4. Customize the add-on where necessary: An add-on might require customization, such as setting the location or source of the data, choosing whether the data is located in a file or in a database, or other unique settings.
  5. Set up a Splunk data input and confirm the source type settings: The add-on's README file includes information about the source type setting associated with the data, and might include customization notes about configuring the input.

Considerations for data inputs

Splunk platform instances provide several types of input configurations to ingest data. For each technology or source being collected, choose the input method that best fits the infrastructure, weighing performance impact, ease of data access, stability, source latency, and maintainability.

  • Monitoring files: Deploy a Splunk forwarder on each system hosting the files, and set the source type on the forwarder using an input configuration. If you have a large number of systems with identical files, use the Splunk Enterprise deployment server to set up standardized file inputs across large groups of forwarders.
  • Monitoring network ports: Use standard tools such as a syslog server, or create listener ports on a forwarder. Sending multiple network sources to the same port or file complicates source typing. For more information, see Get data from TCP and UDP ports in the Getting Data In Manual.
  • Monitoring network wire data: Splunk Stream supports the capture of real-time wire data. See About Splunk Stream in the Splunk Stream Installation and Configuration Manual.
  • Scripted inputs: Use scripted inputs to get data from an API or other remote data interfaces and message queues. Configure the forwarder to call shell scripts, Python scripts, Windows batch files, PowerShell, or any other utility that can format and stream the data that you want to index. You can also write the data polled by any script to a file for direct monitoring by a forwarder. See Get data from APIs and other remote data interfaces through scripted inputs in the Getting Data In Manual.
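The add-on mapping steps and the input types above come together in the forwarder's inputs.conf. The following is an added example, not taken from the Splunk documentation; the paths, ports, index names and the TA-example_api add-on are constructed placeholders, and the source type values are assumed to match the props/transforms of the add-on installed on the indexers and search head.

```ini
# inputs.conf on a universal forwarder (added example; all names are placeholders).
# Setting the source type here is what lets the add-on's CIM field extractions
# apply at search time on the Enterprise Security search head.

# Monitoring files: one stanza per log location. Push identical stanzas to many
# hosts with the deployment server rather than editing each forwarder.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = 0

# Monitoring network ports: a UDP syslog listener. Give each device class its own
# port; mixing sources on one port makes source typing ambiguous.
[udp://1514]
sourcetype = cisco:asa
index = network
connection_host = ip

# Scripted inputs: the forwarder runs the script every 300 seconds and indexes
# whatever it writes to stdout. The script ships in the add-on's bin directory.
[script://$SPLUNK_HOME/etc/apps/TA-example_api/bin/poll_api.sh]
sourcetype = example:api
index = app
interval = 300
disabled = 0
```

After restarting the forwarder, confirm the source type landed as intended with a search such as `index=os sourcetype=linux_secure | head 5` and check that the CIM fields the add-on promises are populated.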

Collect asset and identity information

Splunk Enterprise Security uses an asset and identity correlation system. Enterprise Security compares collected asset and identity data with events in Splunk Enterprise to provide data enrichment and additional context for analysis.

Identify assets and identities

An asset represents a device or system in a network environment that generates data. An identity represents a user, credential, or role used to grant access to a device or system. Determine the repositories that will provide asset and identity data for integration with Enterprise Security, and how to collect the data.

In a highly regulated network environment, one database or repository might be the only source of information for both assets and identities. However, it is more common to find asset and identity data spread out among many unique repositories, hosted on different technologies, and maintained by many departments. As asset information changes and identities are added and removed, updates should be integrated into ES as a recurring task.

Asset lists

An asset list is a lookup table of fields. The input will accept multiple asset lists and will collect them into a collection of lookup tables sorted by key values. To manage and configure the assets and identities lists, use the Identity Management dashboard. An asset list does not have to have all fields defined. For a complete list of fields, see Asset lookup fields in the User Manual.

Identity lists

An identity list is a lookup table of fields. The input will accept multiple identity lists and will collect them in a single lookup table sorted by the key value. To manage and configure the assets and identities lists, use the Identity Management dashboard. An identity list does not have to have all fields defined. For a complete list of fields, see Identity lookup fields in the User Manual.

Collection options for assets and identities

The preferred collection method to provide asset or identities information is through an app or add-on. There are a number of add-ons that can be used to automate connections to external systems for data collection. Use an add-on to connect, collect, and return asset and identities data to Enterprise Security.

You can create additional lists by automating capture from other asset or identity repositories through the use of a custom script or modular input. Indexed events in Splunk Enterprise are another potential source of data for asset and identity information. Use the Splunk search language to collect the information, sort and table the fields, and export the results. Use a manually populated lookup file for asset information collected from static lists, such as data sources that are not directly accessible through the other methods mentioned.
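One way to build an asset list from indexed events and refresh it on a schedule, as the preceding paragraph and the recurring-update advice in Identify assets and identities describe. This is an added example, not from the Splunk documentation: it assumes DHCP lease events are already normalized to the CIM Network_Sessions data model, and the stanza name, lookup file name and the dhcp_discovered category are constructed placeholders.

```ini
# savedsearches.conf (added example). A scheduled search that tables the key
# asset fields from Network_Sessions events and exports them to a lookup file.
# Register the resulting file as an asset list in the Identity Management
# dashboard; an asset list does not need every lookup field, so only a subset
# of the Asset lookup fields is emitted here.
[Asset List - DHCP Discovered Hosts]
# Rebuild nightly so hosts that appear or disappear are integrated as a recurring task.
cron_schedule = 30 1 * * *
enableSched = 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = | tstats latest(_time) as last_seen from datamodel=Network_Sessions.All_Sessions \
    by All_Sessions.dest_ip All_Sessions.dest_mac All_Sessions.dest_nt_host All_Sessions.dest_dns \
  | rename All_Sessions.dest_ip as ip, All_Sessions.dest_mac as mac, \
           All_Sessions.dest_nt_host as nt_host, All_Sessions.dest_dns as dns \
  | where isnotnull(ip) AND ip!="" \
  | dedup ip sortby -last_seen \
  | eval priority="medium", category="dhcp_discovered", is_expected="true" \
  | table ip, mac, nt_host, dns, priority, category, is_expected \
  | outputlookup dhcp_discovered_assets.csv
```

Run the search once by hand and inspect the CSV before enabling the schedule, so that a bad field mapping does not overwrite a working asset list.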

For a sample list of asset and identity sources with collection methods, see Collection methods for assets and identities in the User Manual.

Last modified on 08 November, 2016

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only

