Splunk® Enterprise Security

Installation and Upgrade Manual


This documentation does not apply to the most recent version of ES.

Upgrade Splunk Enterprise Security

This topic describes how to upgrade Splunk Enterprise Security on an on-premises search head from version 4.0 or later to the latest release. Splunk Cloud customers work with Splunk Support to coordinate upgrades to Enterprise Security.

Step 1. Review the planning topic

  1. For an overview of the upgrade process and prerequisites, see Planning an upgrade in this manual.
  2. Perform a full backup of the search head before upgrading.

To back out of the upgrade, you must restore the prior version of Splunk Enterprise Security from backup.

Step 2. Download Splunk Enterprise Security

  1. Open splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
  2. Download the latest Splunk Enterprise Security product.
  3. Choose Download and save the Splunk Enterprise Security product file to your desktop.
  4. Log in to the Enterprise Security search head as an administrator.

Step 3. Install the latest Splunk Enterprise Security

  1. On the Splunk Enterprise search page, select Apps > Manage Apps and choose Install App from File.
  2. Click Upgrade app to start an upgrade.
  3. Click Choose File and select the Splunk Enterprise Security product file.
  4. Click Upload to begin the installation.
  5. When prompted, restart Splunk Enterprise.

If you do not run the setup procedure promptly after the file upload completes, Enterprise Security displays errors.

Step 4. Set up Splunk Enterprise Security

After Splunk Web comes back up following the restart, set up Splunk Enterprise Security.

  1. Click Continue to app setup page to start the ES setup.
  2. Click Start.
  3. The Splunk Enterprise Security Post-Install Configuration page shows the upgrade status as it moves through the stages of installation.
  4. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page prompts you to restart Splunk platform services.
  5. Click Restart Splunk to finish the installation.

Step 5. Validate the upgrade

The Splunk Enterprise Security upgrade process is now complete. Objects disabled during the upgrade process are automatically re-enabled.

  1. On the Enterprise Security menu bar, select Audit > ES Configuration Health.
  2. Review potential conflicts and changes to the default settings. See ES Configuration Health in the User Manual.
  3. Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading. If you do not clear the browser cache, some pages might fail to load.

Splunk logs the upgrade in $SPLUNK_HOME/var/log/splunk/essinstaller2.log.

Version-specific upgrade notes

After upgrading Enterprise Security from a version prior to 4.1.x to a version after 4.1.x, the correlation search editor may show configurations inconsistent with pre-upgrade settings if the search migration process is still running. Search the _internal index to find successfully migrated searches and check the status of the migration operation:

index=_internal sourcetype=configuration_check file="confcheck_es_modactions*" migrated

After upgrading Enterprise Security from a version prior to 4.1.x to a version after 4.1.x, enabled correlation searches that are not configured to create notable events revert to creating notable events. For example, a correlation search that by default creates both a notable event and a risk modifier, and that you configured to create only a risk modifier, will create both again after the upgrade.

  1. Before upgrading, use the following search to record the enabled correlation searches that do not create notable events.

    | rest splunk_server=local count=0 /services/saved/searches search="name=\"*-Rule\"" | where disabled=0 AND 'action.summary_index'=0 | table "eai:acl.app",title

  2. After the upgrade is complete, update the affected correlation searches so that the searches no longer create notable events.

Upgrade Enterprise Security on a search head cluster

Before you upgrade a Splunk Enterprise Security search head cluster, review these instructions and the order of operations.

  1. Prepare a staging instance.
  2. Upgrade the staging instance to the latest version.
  3. Migrate the upgraded installation to the production deployer.
  4. Deploy the changes to the cluster members.
  5. Validate the configuration on the search head cluster.

Versions of these instructions published prior to August 15, 2017, if followed precisely, might have caused you to deploy default apps included with Splunk Enterprise to your search peers using the deployer. Deploying default apps in this way is not recommended.

If you experience problems with your deployment as a result of this misconfiguration, migrate the settings of your installation to a new deployer and search head cluster, similar to the steps for migrating a standalone search head to a search head cluster. See Migrate an existing search head to a search head cluster on this page.

Prerequisites

  • Review the add-ons included in the Splunk Enterprise Security package.
  • If needed, upgrade Splunk Enterprise to the latest version compatible with this version of Splunk Enterprise Security.

Prepare a staging instance

Before upgrading, you need to compare the copy of Splunk Enterprise Security on the deployer with the latest release. You can do this by performing the upgrade on a staging instance. If you have a testing or QA instance in your Splunk environment with only Splunk Enterprise installed, you can use that instance for staging.

  1. Prepare a single instance of Splunk Enterprise to use for staging an upgrade. Do not connect the instance to indexers or search peers.
  2. Copy the apps in the deployer instance path etc/shcluster/apps to the staging instance path etc/apps.
    For example, on the deployer type: scp -r ~/etc/shcluster/apps <staging_machine>:~/etc/
    If the deployer includes default apps, such as the search app, remove them from the deployer before copying the folder to the staging instance.

The copy of Splunk Enterprise Security on the deployer includes configuration settings that are deployed to the search head cluster. The copy does not include the runtime knowledge object changes replicated between the search head cluster nodes.

Upgrade the staging instance to the latest version

  1. Follow steps one through four in the Upgrade Splunk Enterprise Security process.
  2. Review the ES Configuration Health dashboard to identify changes in configurations and settings between the deployed version and the latest release of Splunk Enterprise Security.

The installer automatically disables deprecated apps or add-ons. An alert displays in Messages on the staging instance and identifies all deprecated items. You must manually remove a deprecated app or add-on from the Enterprise Security installation.

Migrate the upgraded ES install to the deployer

Move the apps that comprise Splunk Enterprise Security from the staging instance to the deployer.

  1. On the staging instance, copy the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from the $SPLUNK_HOME/etc/apps directory to the $SPLUNK_HOME/etc/shcluster/apps directory on the deployer.
    1. Do not copy any of the deprecated apps or add-ons that you noted during the upgrade on staging.
    2. Do not copy any of the default apps, such as the search, launcher, or gettingstarted apps.

Do not copy all of the apps in the $SPLUNK_HOME/etc/apps directory, because you do not want to upgrade and deploy apps included with Splunk Enterprise.
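One way to make the selective copy above repeatable, as an added example rather than a Splunk-provided tool: it walks the staging etc/apps directory, leaves behind the default apps the page names and the deprecated apps you noted from Messages, copies only apps whose names match the assumed ES suite prefixes (`SA-`, `DA-ESS-`, `TA-`, `Splunk_SA_`, `Splunk_TA_`, `Splunk_DA-ESS_`, `SplunkEnterpriseSecuritySuite`), and flags anything else for review. `demo` builds a constructed fixture in a temporary directory so the logic can be exercised without a real search head.

```python
import os
import shutil
import tempfile

# Default apps named on the page; Splunk Enterprise ships more, so extend this
# set for your version (assumption, not a complete list).
DEFAULT_APPS = {"search", "launcher", "gettingstarted"}
# Assumed name prefixes of the ES suite app and its SAs, DAs and TAs.
ES_PREFIXES = ("SplunkEnterpriseSecuritySuite", "SA-", "DA-ESS-", "TA-",
               "Splunk_SA_", "Splunk_TA_", "Splunk_DA-ESS_")

def plan_app_copy(staging_apps_dir, deprecated):
    """Sort the directories under staging etc/apps into copy and skip buckets.
    skip maps app name to the reason it is left behind."""
    copy, skip = [], {}
    for name in sorted(os.listdir(staging_apps_dir)):
        if not os.path.isdir(os.path.join(staging_apps_dir, name)):
            continue
        if name in DEFAULT_APPS:
            skip[name] = "default Splunk Enterprise app"
        elif name in deprecated:
            skip[name] = "deprecated by the ES installer"
        elif name.startswith(ES_PREFIXES):
            copy.append(name)
        else:
            skip[name] = "not an ES suite app; review before copying"
    return copy, skip

def copy_to_deployer(staging_apps_dir, shcluster_apps_dir, deprecated):
    """Copy only the planned apps into the deployer's etc/shcluster/apps."""
    copy, skip = plan_app_copy(staging_apps_dir, deprecated)
    os.makedirs(shcluster_apps_dir, exist_ok=True)
    for name in copy:
        shutil.copytree(os.path.join(staging_apps_dir, name),
                        os.path.join(shcluster_apps_dir, name), dirs_exist_ok=True)
    return copy, skip

def demo():
    """Constructed fixture: a fake staging etc/apps and deployer shcluster/apps."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, "staging", "etc", "apps")
    deployer = os.path.join(root, "deployer", "etc", "shcluster", "apps")
    for app in ("search", "launcher", "SplunkEnterpriseSecuritySuite",
                "SA-Sample", "TA-old", "custom_app"):
        os.makedirs(os.path.join(staging, app, "default"))
    copy, skip = copy_to_deployer(staging, deployer, deprecated={"TA-old"})
    return copy, skip, sorted(os.listdir(deployer))
```

Review the skip reasons before running the real copy; a custom app you rely on will show up as "review before copying" rather than being silently dropped.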

Deploy the changes to the cluster members

  1. On the deployer, deploy Enterprise Security with -preserve-lookups true to retain lookup file content generated on the search head cluster members. See Deploy a configuration bundle in Distributed Search.

See Maintain lookup files across app upgrades in the Splunk Enterprise Distributed Search Manual for more about using this setting.

Validate the configuration on the search head cluster

After you distribute the copy of Enterprise Security on the deployer to the search head cluster members, use the ES Configuration Health dashboard to compare the cluster-replicated knowledge objects to the latest installation of Enterprise Security.

  1. Log in to Splunk Web on a search head cluster member.
  2. Open Enterprise Security.
  3. From the Enterprise Security menu bar, select Audit > ES Configuration Health.
  4. Review potential conflicts and changes to the default settings.

See ES Configuration Health in Use Splunk Enterprise Security.

Migrate an existing search head to a search head cluster

An Enterprise Security standalone search head or search head pool member cannot be added to a search head cluster. To migrate ES configurations to a search head cluster:

  1. Identify any custom configurations and modifications in the prior ES installation.
  2. Implement a new search head cluster.
  3. Deploy the latest version of Enterprise Security on the search head cluster.
  4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
  5. Shut down the old ES search head.

For more information on settings migration, see Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk Enterprise Security deployment migration, contact the Splunk Professional Services team.


This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only


Comments

Dflodstrom, I missed your comment when you made it in April. I apologize. I updated the instructions to reflect the proper procedure today. Thanks for calling it to our attention in April.

Smoir splunk, Splunker
August 15, 2017

"On the staging instance, copy $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/shcluster/apps on the deployer." - If you do this you'll be copying all of the default apps as well. I don't think this is what we should be doing.

Dflodstrom
April 11, 2017
