Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Deploy add-ons included with Splunk Enterprise Security

The Splunk Enterprise Security package includes a set of add-ons.

  • The add-ons that include "SA-" or "DA-" in the name make up the Splunk Enterprise Security framework. You do not need to take any additional action to deploy or configure these add-ons, because their installation and setup is handled as part of the Splunk Enterprise Security installation process. Do not disable any add-ons that make up the Splunk Enterprise Security framework.
  • The rest of the add-ons include "TA-" in the name and are technology-specific and provide the CIM-compliant knowledge necessary to incorporate that source data into Enterprise Security.

For more about how the different types of add-ons interact with Splunk Enterprise Security, see About the ES solution architecture on the Splunk developer portal.

How you deploy the technology add-ons depends on the architecture of your Splunk platform deployment.

Prerequisite

Install Splunk Enterprise Security on your search head or search head cluster. See Install Enterprise Security. When you install Splunk Enterprise Security in a distributed environment, the installer installs and enables the add-ons included in the Enterprise Security package on the search head or search head cluster.

Steps

  1. Determine which add-ons to install on forwarders
  2. Deploy add-ons to forwarders
  3. Deploy add-ons to indexers

Determine which add-ons to install on forwarders

Install add-ons that collect data on forwarders. Determine which add-ons to install on forwarders and which type of forwarder configuration each add-on requires by reviewing the documentation for the add-ons.

Most add-ons include input settings for a specific data source. Review the inputs.conf included with an add-on and deploy the add-on to a forwarder as needed. Some add-ons need to be deployed on forwarders installed directly on the data source system. Other add-ons require heavy forwarders. See the documentation or README file for each add-on for specific instructions.

  • For add-ons with web-based documentation, follow the links below to determine where it needs to be installed and configured.
  • For add-ons that do not have web-based documentation, see the README file included in the root folder of the add-on.

Deploy add-ons to forwarders

See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation.

Technology-specific add-ons provided with Enterprise Security

Splunk Enterprise Security includes the following security-relevant and CIM-compliant technology add-ons.

Deploy add-ons to indexers

Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required. For more information, see Where to install Splunk add-ons in the Splunk Add-ons documentation.

The procedure that you use to deploy add-ons to your indexer can depend on your Splunk platform deployment. Select the option that matches your situation or preference.

Deployment situation Procedure
Splunk Enterprise Security is running on Splunk Cloud. Contact Splunk Support and ask them to install the required add-ons to your indexers.
You prefer to deploy add-ons to the indexers manually. See Install an add-on in a distributed Splunk Enterprise deployment.
Your indexers are clustered, you use the cluster master to deploy add-ons to cluster peers of your on-premises Splunk platform installation, and there is no additional deployment complexity. Create the Splunk_TA_ForIndexers and manage deployment manually
Your indexers are not clustered, you use the deployment server to manage indexer settings of your on-premises Splunk platform installation, and there is no additional deployment complexity. Create and set up automatic deployment of the Splunk_TA_ForIndexers
Splunk Enterprise Security is running on a complex deployment, such as one Enterprise Security search head and one search head for other searches both using the same set of indexers. Contact Splunk Professional Services for assistance with deploying add-ons to your indexers.

Create the Splunk_TA_ForIndexers and manage deployment manually

Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise rather than Splunk Cloud, indexers are clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.

Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. The Splunk_TA_ForIndexers includes all indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single indexes.conf, props.conf, and transforms.conf files, and places the files into one add-on for download. It works similar to a ./splunk cmd btool <conf_file_prefix> list output.

Note: This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.

Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.

  1. On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
  2. Select Download the Package to create and download the Splunk_TA_ForIndexers.
  3. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options, or remove the file if you manage and configure indexes in another app.
  4. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

Create and set up automatic deployment of the Splunk_TA_ForIndexers

Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise, indexers are not clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.

Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. When you select the automatic deployment option, Distributed Configuration Management includes all index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single props.conf and transforms.conf files, and places the files into the Splunk_TA_ForIndexers for automatic deployment. If your indexer storage and retention configurations are the same across all indexers, you can choose to add indexes.conf configurations to the package.

Note: This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select Apps > Manage Apps and disable all add-ons that are not required on indexers before you begin this procedure, then re-enable them after you finish the procedure.

Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.

  1. Set up the Splunk Enterprise Security search head as a deployment client of the deployment server. See Configure deployment clients in Updating Splunk Enterprise Instances.
  2. On the Enterprise Security menu bar, select Configure > General > Distributed Configuration Management.
  3. For Do you want to use auto deployment? select Yes.
  4. Select Add new credential to add a Splunk administration account to use with the deployment server. The administration account must have the administrator role on the deployment server.
    1. Type the User and the Password for the account.
    2. Set the Application to SplunkEnterpriseSecuritySuite.
    3. Save the account credential.
  5. Click Select credentials and select the credential that you added in step four.
  6. Select the indexers that can receive the Splunk_TA_ForIndexers add-on.
  7. (Optional) Add additional indexer names by typing in the Select Splunk Indexers field.
  8. (Optional) Select the Push indexes.conf check box to include indexes.conf configurations in the Splunk_TA_ForIndexers add-on package. Because index settings can require storage-specific configurations, indexes.conf is not included in the package by default. If you do not deploy indexes.conf with the Splunk_TA_ForIndexers, manage index configurations manually.
  9. Click Save to create the Splunk_TA_ForIndexers add-on.

Note: If you disable automated deployment of the Splunk_TA_ForIndexers after you set up automated deployment, the Splunk_TA_ForIndexers add-on remains on the deployment server. Remove the add-on and serverclass manually.

PREVIOUS
Install Enterprise Security
  NEXT
Import custom apps and add-ons to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6


Comments

I ran through the Create and set up automatic deployment of the Splunk_TA_ForIndexers and i get an Index-time configuration successfully saved message when completing this but don't see it (or any of the add-on's installed on the searchhead) installed on the specified indexer, neither is it in the deployment-apps directory on the deployment server. How do I verify this process is a success? and if it has failed is there a log created I can check?

Samhodgson
February 6, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters