Install Enterprise Security
Install Splunk Enterprise Security on an on-premises search head. Splunk Cloud customers must work with Splunk Support to coordinate access to the Enterprise Security search head.
Installation prerequisites
- Review the Splunk platform requirements for Splunk Enterprise Security. See Deployment planning.
- If a deployment server manages any of the apps or add-ons included with Splunk Enterprise Security, remove the deploymentclient.conf file that contains references to the deployment server and restart Splunk services. If you do not do this, the installation will not complete.
- Your user account must have the admin role and the edit_local_apps capability. The admin role is assigned that capability by default.
Step 1. Download Splunk Enterprise Security
- Log in to splunk.com with your Splunk.com user name and password.
- Download the latest Splunk Enterprise Security product. You must be a licensed Enterprise Security customer to download the product.
- Click Download and save the Splunk Enterprise Security product file to your desktop.
- Log in to the search head as an administrator.
Step 2. Install Splunk Enterprise Security
- On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
- Click Choose File and select the Splunk Enterprise Security product file.
- Click Upload to begin the installation.
- Click Set up now to start setting up Splunk Enterprise Security.
Step 3. Set up Splunk Enterprise Security
- Click Start.
- The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
- Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page prompts you to restart Splunk platform services.
- Click Restart Splunk to finish the installation.
Installing Enterprise Security enables SSL on the search head. You must change the Splunk Web URL to use https to access the search head after installing ES.
After the installation completes, review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log
If post-install does not complete, but stops during the enabling add-ons phase with the error "reenable_apps failed. See search.log for details", you can change the timeout setting. ES allows only a certain amount of time for each post-install step to complete. If for any reason the server does not finish in time, a timeout is triggered and the installation or upgrade is forced to halt.
- From the ES search head, navigate to etc/system/local/web.conf.
- Increase splunkdConnectionTimeout to a larger number, such as 300:
[settings]
splunkdConnectionTimeout = 300
- Save the changes.
- Stop the ES search head.
- Rerun the ES setup.
Step 4. Configure Enterprise Security
To continue configuring Splunk Enterprise Security, see the following:
- Deploy add-ons included with Splunk Enterprise Security
- Configure and deploy Indexes
- Configure users and roles
- Configure data models
For an overview of the data sources and collection considerations for Enterprise Security, see Data source planning.
Install Splunk Enterprise Security from the command line
Install Splunk Enterprise Security using the Splunk software command line. See About the CLI for more about the Splunk software command line.
- Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
- Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line.
For example:
curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v
- On the search head, use the Splunk software command line to run the following command:
splunk search '| essinstall' -auth admin:password
You can also run this search command from Splunk Web and view the installation progress as search results:
| essinstall
- (Optional) You can use additional options to specify add-ons to install, to skip installing, or to disable after installing.
|essinstall --install-ta <ta-name>+ --skip-ta <ta-name>+ --disable-ta <ta-name>+
Specify the name of the add-on to install, skip, or disable, or use * as a wildcard. Use + to specify multiple add-ons to install.
If you run the search command to install Enterprise Security in Splunk Web, you can review the progress of the installation as search results. If you run the search command from the command line, you can review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log
Test installation and setup of Splunk Enterprise Security
You can test the installation and setup of Splunk Enterprise Security by adding
- Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
- Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line.
For example:
curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v
- From Splunk Web, open the Search and Reporting app.
- Type the following search to perform a dry run of the installation and setup.
|essinstall --dry-run
- (Optional) You can use additional options to specify add-ons to install, to skip installing, or to disable after installing.
|essinstall --install-ta <ta-name>+ --skip-ta <ta-name>+ --disable-ta <ta-name>+
Specify the name of the add-on to install, skip, or disable, or use * as a wildcard. Use + to specify multiple add-ons to install.
Installation on a search head cluster
Splunk Enterprise Security has specific requirements and processes for implementing search head clustering.
- For an overview of search head clustering, see Search head clustering architecture in the Distributed Search Manual.
- For a complete list of search head clustering requirements, see System requirements and other deployment considerations for search head clusters in the Distributed Search Manual.
Use a staging instance to prepare Enterprise Security for the deployer. If you do not have a staging instance available, you can use a testing or QA Splunk Enterprise instance that does not have any other apps installed. A staging instance cannot be connected to production indexers or search peers. Use a staging instance for configuration changes and upgrades.
To install Enterprise Security on a search head cluster:
- Prepare a staging instance.
- Install Enterprise Security on the staging instance.
- Migrate the Enterprise Security installation to the deployer. Copy the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from $SPLUNK_HOME/etc/apps on the staging instance to $SPLUNK_HOME/etc/shcluster/apps on the deployer. Do not copy the entire folder because you do not want to include default apps, such as the search app.
- Use the deployer to deploy Enterprise Security to the cluster members.
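As an added example (not Splunk's own tooling), the helper below selects the ES suite apps from the staging instance's etc/apps and stages only those into the deployer's shcluster/apps, skipping default apps such as search. The app-name prefixes and the default-app list are assumptions for this example; verify them against your staging instance before use.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed naming patterns for the ES suite app and its SAs, DAs and TAs
# (an assumption for this example; check your staging instance's etc/apps).
ES_APP_PREFIXES = ("SplunkEnterpriseSecuritySuite", "SA-", "DA-ESS-",
                   "Splunk_SA_", "Splunk_TA_", "TA-")
# Default apps every Splunk instance ships with; never push these from the
# deployer (constructed list, extend it for your environment).
DEFAULT_APPS = {"search", "launcher", "learned", "splunk_httpinput",
                "splunk_instrumentation", "splunk_monitoring_console"}


def select_es_apps(apps_dir: Path) -> list[str]:
    """Names of app directories under apps_dir that belong to the ES suite."""
    return sorted(p.name for p in apps_dir.iterdir()
                  if p.is_dir() and p.name not in DEFAULT_APPS
                  and p.name.startswith(ES_APP_PREFIXES))


def stage_for_deployer(staging_apps: Path, shcluster_apps: Path,
                       dry_run: bool = True) -> list[str]:
    """Copy the selected ES apps into the deployer's shcluster/apps directory.

    With dry_run=True only the list of apps that would be copied is returned,
    so the selection can be reviewed before anything is written.
    """
    selected = select_es_apps(staging_apps)
    if dry_run:
        return selected
    shcluster_apps.mkdir(parents=True, exist_ok=True)
    for name in selected:
        dest = shcluster_apps / name
        if dest.exists():          # replace a previously staged copy
            shutil.rmtree(dest)
        shutil.copytree(staging_apps / name, dest)
    return selected


def demo() -> tuple[list[str], list[str]]:
    """Run the staging logic against a constructed etc/apps layout (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging" / "etc" / "apps"
        deployer = Path(tmp) / "deployer" / "etc" / "shcluster" / "apps"
        for app in ("search", "launcher", "my_custom_app",
                    "SplunkEnterpriseSecuritySuite", "SA-ThreatIntelligence",
                    "DA-ESS-AccessProtection", "TA-example"):
            (staging / app / "default").mkdir(parents=True)
            (staging / app / "default" / "app.conf").write_text("[install]\n")
        planned = stage_for_deployer(staging, deployer, dry_run=True)
        stage_for_deployer(staging, deployer, dry_run=False)
        return planned, sorted(p.name for p in deployer.iterdir())


if __name__ == "__main__":
    print(demo())
```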
Managing configuration changes in a search head cluster
Some system configuration changes must be deployed using the deployer.
- Instead of making the changes on a search head cluster member, make the changes on a staging instance.
- Test the configuration changes on the staging instance.
- Migrate the necessary files to the search head cluster deployer.
- Deploy the updated configuration to the search head cluster.
Configuration changes that must be deployed using the deployer:
Configuration change | File modified
---|---
Enable or disable indexed real-time searches on the General Settings page. | inputs.conf
Modify the indexed real-time disk sync delay on the General Settings page. | inputs.conf
Send notable events to Splunk UBA on the UBA Setup page. | outputs.conf
Most configuration changes that you make in a search head cluster replicate automatically to other search head cluster members. For example:
- Add, modify, and disable threat intelligence sources
- Add, modify, and disable asset and identity source lists
- Changes to the user interface
- Changes to searches
See How configuration changes propagate across the search head cluster in the Distributed Search Manual.
Migrate an existing deployment
You cannot add an Enterprise Security search head or search head pool member directly to a search head cluster. To migrate a search head or search head pool member to a search head cluster, you must create a new search head cluster and deploy the latest version of Enterprise Security on it.
After the search head cluster is running Enterprise Security, you must manually review and migrate custom configurations from a previous Enterprise Security installation to the deployer of the new search head cluster to replicate the changes to the cluster members.
For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.
For assistance in planning a Splunk Enterprise Security deployment migration, contact Splunk Professional Services.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1