Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install Enterprise Security

Install Splunk Enterprise Security on an on-premises search head. Splunk Cloud customers work with Splunk Support to install Enterprise Security.

Installation prerequisites

  • Review the Splunk platform requirements for Splunk Enterprise Security. See Deployment planning.
  • If a deployment server manages any of the apps or add-ons included with Splunk Enterprise Security, remove the deploymentclient.conf file that contains references to the deployment server and restart Splunk services. If you do not do this, the installation will not complete.

Step 1. Download Splunk Enterprise Security

  1. Log in to splunk.com with your Splunk.com user name and password.
  2. Download the latest Splunk Enterprise Security product. You must be a licensed Enterprise Security customer to download the product.
  3. Click Download and save the Splunk Enterprise Security product file to your desktop.
  4. Log in to the search head as an administrator.

Step 2. Install Splunk Enterprise Security

  1. On the Splunk Enterprise search page, select Apps > Manage Apps and click Install App from File.
  2. Click Choose File and select the Splunk Enterprise Security product file.
  3. Click Upload to begin the installation.
  4. Click Set up now to start setting up Splunk Enterprise Security

Step 3. Set up Splunk Enterprise Security

  1. Click Start.
  2. The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
  3. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page prompts you to restart Splunk platform services.
  4. Click Restart Splunk to finish the installation.

Installing Enterprise Security enables SSL on the search head. You must change the Splunk Web URL to use https to access the search head after installing ES.

If post-install does not complete, but stops during the enabling add-ons phase with the error of "reenable_apps failed. See search.log for details" then you can change the timeout settings. ES executes the post-install steps, allowing only a certain amount of time to complete. If for any reason the server doesn't finish in time, a timeout is triggered and the installation or upgrade is forced to halt.

  1. From the ES search head, navigate to etc/system/local/web.conf.
  2. Increase the splunkdConnectionTimeout to a larger number, such as 300:

    splunkdConnectionTimeout = 300
  3. Save the changes.
  4. Stop the ES search head.
  5. Rerun the ES setup.

Step 4. Configure Enterprise Security

To continue configuring Splunk Enterprise Security, see the following:

  1. Deploy add-ons included with Splunk Enterprise Security
  2. Configure and deploy Indexes
  3. Configure users and roles
  4. Configure data models

For an overview of the data sources and collection considerations for Enterprise Security, see Data source planning.

Install Splunk Enterprise Security from the command line

Install Splunk Enterprise Security using the Splunk software command line. See About the CLI for more about the Splunk software command line.

  1. Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
  2. Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line.
    For example:
    curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<filename and directory>" -d update="true" -v
  3. On the search head, use the Splunk software command line to run the following command:
    splunk search '| essinstall' -auth admin:password

After the installation completes, review the installation log in:



Installation on a search head cluster

Splunk Enterprise Security has specific requirements and processes for implementing search head clustering.

Use a staging instance to prepare Enterprise Security for the deployer. If you do not have a staging instance available, you can use a testing or QA Splunk Enterprise instance that does not have any other apps installed. A staging instance cannot be connected to production indexers or search peers. Use a staging instance for configuration changes and upgrades.

To install Enterprise Security on a search head cluster:

  1. Prepare a staging instance.
  2. Install Enterprise Security on the staging instance.
  3. Migrate the Enterprise Security installation to the deployer. Copy the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from $SPLUNK_HOME/etc/apps on the staging instance to $SPLUNK_HOME/etc/shcluster/apps on the deployer. Do not copy the entire folder because you do not want to include default apps, such as the search app.
  4. Use the deployer to deploy Enterprise Security to the cluster members.

Managing configuration changes in a search head cluster

Some system configuration changes must be deployed using the deployer.

  1. Instead of making the changes on a search head cluster member, make the changes on a staging instance.
  2. Test the configuration changes on the staging instance.
  3. Migrate the necessary files to the search head cluster deployer.
  4. Deploy the updated configuration to the search head cluster.

Configuration changes that must be deployed using the deployer:

Configuration change File modified
Enable or disable indexed real-time searches on the General Settings page. inputs.conf
Modify the indexed real-time disk sync delay on the General Settings page. inputs.conf
Send notable events to Splunk UBA on the UBA Setup page. outputs.conf

Most configuration changes that you make in a search head cluster replicate automatically to other search head cluster members. For example:

  • Add, modify, and disable threat intelligence sources
  • Add, modify, and disable asset and identity source lists
  • Changes to the user interface
  • Changes to searches

See How configuration changes propagate across the search head cluster in the Distributed Search Manual.

Migrate an existing deployment

You cannot add an Enterprise Security search head or search head pool member directly to a search head cluster. To migrate a search head or search head pool member to a search head cluster, you must create a new search head cluster and deploy the latest version of Enterprise Security on it.

After the search head cluster is running Enterprise Security, you must manually review and migrate custom configurations from a previous Enterprise Security installation to the deployer of the new search head cluster to replicate the changes to the cluster members.

For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk Enterprise Security deployment migration, contact Splunk Professional Services.

Last modified on 20 September, 2019
Data source planning for Splunk Enterprise Security
Deploy add-ons included with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters