Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Upgrade Splunk Enterprise Security

This topic describes how to upgrade Splunk Enterprise Security on an on-premises search head from version 3.3 or later to the latest release. Splunk Cloud customers work with Splunk Support to coordinate upgrades to Enterprise Security.

Step 1. Review the planning topic

  1. For an overview of the upgrade process and prerequisites, see Planning an upgrade in this manual.
  2. Perform a full backup of the search head before upgrading.
Important: To back out of the upgrade, the prior version of Splunk Enterprise Security must be restored from backup.

Step 2. Download Splunk Enterprise Security

  1. Browse to splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
  2. Download the latest Splunk Enterprise Security product.
  3. Choose Download, and save the Splunk Enterprise Security product file to your desktop.
  4. Log in to the ES search head as an administrator.

Step 3. Install the latest Splunk Enterprise Security

  1. On the Splunk Enterprise search page, browse to Apps > Manage Apps and choose Install App from File.
  2. Select Upgrade app to initiate an upgrade.
  3. Select Choose File and browse to the Splunk Enterprise Security product file.
  4. Select Upload to begin the installation.
  5. Select Set up now to begin the ES setup.
Important: If the setup procedure is not run promptly after the upload is complete, Enterprise Security will display errors.

Step 4. Set up Splunk Enterprise Security

  1. Select Start.
  2. The Splunk Enterprise Security Post-Install Configuration page indicates the upgrade status as it moves through the stages of installation.
  3. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page will prompt you to restart Splunk platform services.
  4. Select Restart Splunk to finish the installation.

Step 5. Validate the upgrade

  1. The Splunk Enterprise Security upgrade process is now complete. Objects disabled during the upgrade process will automatically be enabled.
  2. On the Enterprise Security menu bar, open Audit and select ES Configuration Health to view potential conflicts and changes to the default settings. For more information, see ES Configuration Health in the User Manual.
  3. Splunk logs the installation in $SPLUNK_HOME/var/log/splunk/essinstaller2.log.
  4. Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading.

Version-specific upgrade notes

After upgrading Enterprise Security from a version prior to 3.2.x to a version after 3.2.x, the Incident Review dashboard may not display notable events for up to five minutes. The migration process from a .csv file to the KV store implements a brief wait time to initialize the system. If notable events do not show up on Incident Review after more than ten minutes, run the data migration searches in inputs.conf.


After upgrading Enterprise Security from a version prior to 4.1.x to a version after 4.1.x, the correlation search editor may show configurations inconsistent with pre-upgrade settings if the search migration process is still running. Search the internal index to look for successfully migrated searches and review the status of the migration operation.

index=_internal sourcetype=configuration_check file="confcheck_es_modactions*" migrated


After upgrading Enterprise Security from a version prior to 4.1.x to a version after 4.1.x, enabled correlation searches that are not configured to create notable events revert to creating notable events. For example, a correlation search that by default created a notable event and a risk modifier that you configured to create only a risk modifier will, after upgrade, create both a risk modifier and a notable event.

  1. Before upgrading, note enabled correlation searches that do not create notable events using the following search.

    | rest splunk_server=local count=0 /services/saved/searches search="name=\"*-Rule\"" | where disabled=0 AND 'action.summary_index'=0 | table "eai:acl.app",title

  2. After the upgrade is complete, update the affected correlation searches so that the searches no longer create notable events.

Upgrading ES on a search head cluster

This procedure covers upgrading an existing Splunk Enterprise Security installation on a search head cluster. Review all procedures and the order of operations before upgrading.

Prerequisites

Upgrade Splunk Enterprise on all search head instances as required. For more information on upgrading the Splunk platform instances that comprise a search head cluster, see Upgrade a search head cluster in the Splunk Enterprise Distributed Search Manual.

Prepare a staging instance

The staging instance is used to compare the deployer's copy of Enterprise Security with the latest release. If you have a clean testing or QA instance of ES in your environment, you may use it to stage the upgrade, provided no other apps are installed on it.

  1. Prepare a single instance of Splunk Enterprise to use for staging an upgrade. This instance is for staging only, and should not connect to indexers or search peers.
  2. Copy the Enterprise Security installation from the deployer instance path $SPLUNK_HOME/etc/shcluster/apps to the staging instance path $SPLUNK_HOME/etc/apps. The deployer's copy of Enterprise Security represents the prior release, and includes configuration settings that are deployed to the search head cluster. It does not include the runtime knowledge object changes replicated between the search head cluster nodes.

Upgrade staging to the latest version of ES

Upgrade the staging instance by following steps 1 - 5 of the Upgrade Splunk Enterprise Security process in this manual.

  1. Using the details provided on the ES Configuration Health dashboard, reconcile the configurations and settings in the deployed version with the latest release of ES.
  2. Deprecated apps and add-ons are disabled automatically, and an alert in Messages on the staging instance identifies every deprecated item. You must remove deprecated apps and add-ons from the Enterprise Security installation manually.

Migrate the upgraded ES install to the deployer

The upgraded contents of the staging instance will be migrated back to the deployer and deployed to the search head cluster members.

  1. On the staging instance, copy $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/shcluster/apps on the deployer.
  2. On the deployer, remove any deprecated apps or add-ons in $SPLUNK_HOME/etc/shcluster/apps that were noted during the upgrade on staging.

Deploy the changes to the cluster members

On the deployer, use the preserve-lookups true switch to deploy ES while retaining all lookup file content generated on the cluster members. For more information, see Maintain lookup files across app upgrades in the Splunk Enterprise Distributed Search Manual.
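The staging, migration and deployment steps above, as an added shell example (not from the Splunk documentation). It assumes the deployer's shcluster/apps directory and the staging instance's etc/apps directory are both reachable as local paths passed as arguments (between separate hosts you would copy with scp or rsync instead), and that the deprecated add-ons flagged on staging are listed one directory name per line in a text file; the ES upgrade itself is still performed in Splunk Web on the staging instance between the two copy steps.

```shell
#!/bin/sh
# Added example: stage an ES upgrade for a search head cluster.
# Assumption: deployer and staging directories are local paths.
set -eu

# Prepare staging: copy the deployer's copy of ES (the prior release, with the
# deployed configuration only) into the staging instance's etc/apps.
stage_from_deployer() {
    deployer_apps=$1   # e.g. $SPLUNK_HOME/etc/shcluster/apps on the deployer
    staging_apps=$2    # e.g. $SPLUNK_HOME/etc/apps on the staging instance
    mkdir -p "$staging_apps"
    cp -Rp "$deployer_apps"/. "$staging_apps"/
}

# Migrate: after the upgrade on staging is complete, copy the upgraded apps
# back to the deployer and remove the add-ons that the staging upgrade flagged
# as deprecated (one app directory name per line in $deprecated_list).
migrate_to_deployer() {
    staging_apps=$1
    deployer_apps=$2
    deprecated_list=$3
    mkdir -p "$deployer_apps"
    cp -Rp "$staging_apps"/. "$deployer_apps"/
    while IFS= read -r app; do
        [ -n "$app" ] || continue
        if [ -d "$deployer_apps/$app" ]; then
            rm -rf "$deployer_apps/$app"
            echo "removed deprecated app or add-on: $app"
        fi
    done < "$deprecated_list"
}

# Deploy: push the bundle to the cluster members while keeping the lookup
# file content the members generated at runtime. Requires a live deployer,
# so this function is not exercised by the self-test.
deploy_bundle() {
    target=$1          # management URI of one cluster member, e.g. https://shc1:8089
    splunk apply shcluster-bundle -target "$target" -preserve-lookups true
}
```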

Validate the configuration on the search cluster

After the deployer's copy of ES is distributed to the search cluster members, use the ES Configuration Health dashboard to compare the cluster-replicated knowledge objects with the latest ES install.

On a search head cluster node, use the Enterprise Security menu bar to open Audit and select ES Configuration Health to view potential conflicts and changes to the default settings. For more information, see ES Configuration Health in the User Manual.

Migrate an existing search head to a search cluster

An Enterprise Security standalone search head or search head pool member cannot be added to a search head cluster. To migrate ES configurations to a search head cluster:

  1. Identify any custom configurations and modifications in the prior ES installation.
  2. Implement a new search head cluster.
  3. Deploy the latest version of Enterprise Security on the search head cluster.
  4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
  5. Shut down the old ES search head.

For more information on settings migration, see Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk Enterprise Security deployment migration, contact the Splunk Professional Services team.

Last modified on 17 August, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only
