Splunk® Enterprise Security

Installation and Upgrade Manual


Install Splunk Enterprise Security

Install Splunk Enterprise Security on an on-premises search head. Splunk Cloud customers must work with Splunk Support to coordinate access to the Enterprise Security search head.

Core considerations

For Splunk Enterprise Security 5.3 with Splunk Enterprise 7.1.0 and 7.1.1, set phased_execution_mode=singlethreaded in the [search] stanza of the $SPLUNK_HOME/etc/system/local/limits.conf file to avoid an issue that is fixed in Splunk Enterprise 7.1.2.

Splunk Enterprise 7.2.0 uses Serialized Result Set (SRS) format by default. The exception is in searches that execute actions, for which we auto-detect whether to use CSV or SRS. This is handled in the alert_actions.conf file, but do not modify the forceCsvResults stanza without a thorough understanding of scripts or processes that access the results files directly.

SmartStore support requires that your indexing tier conform to certain restrictions, for example, no use of report acceleration or data model acceleration summaries. This restriction is for on-premises devices only, with Splunk Enterprise 7.1 and 7.2. SmartStore continues to run as-is with ES in Splunk Cloud. See About SmartStore in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

With Splunk Enterprise 7.3.0, data model acceleration summaries and SmartStore are supported with ES on-premises devices.

Installation prerequisites

  • Review the Splunk platform requirements for Splunk Enterprise Security. See Deployment planning.
  • If a deployment server manages any of the apps or add-ons included with Splunk Enterprise Security, remove the deploymentclient.conf file that contains references to the deployment server and restart Splunk services. If you do not do this, the installation will not complete.
  • Your user account must have the admin role and the edit_local_apps capability. The admin role is assigned that capability by default.

Step 1. Download Splunk Enterprise Security

  1. Log in to splunk.com with your Splunk.com user name and password.
  2. Download the latest Splunk Enterprise Security product. You must be a licensed Enterprise Security customer to download the product.
  3. Click Download and save the Splunk Enterprise Security product file to your desktop.
  4. Log in to the search head as an administrator.

Step 2. Install Splunk Enterprise Security

The installer dynamically detects if you're installing in a single search head environment or search head cluster environment.

  1. On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
  2. Click Choose File and select the Splunk Enterprise Security product file.
  3. Click Upload to begin the installation.
  4. Click Set up now to start setting up Splunk Enterprise Security.

There are a few differences after installing on a deployer in a SHC environment. See Install Splunk Enterprise Security in a search head cluster environment.

Step 3. Set up Splunk Enterprise Security

Set up Splunk Enterprise Security in a single search head environment.

  1. Click Start.
  2. The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
  3. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page prompts you to restart Splunk platform services.
  4. Click Restart Splunk to finish the installation.

Installing Enterprise Security enables SSL on the search head. You must change the Splunk Web URL to use https to access the search head after installing ES.

After the installation completes, review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log.

If post-install does not complete but stops during the enabling add-ons phase with the error "reenable_apps failed. See search.log for details", you can change the timeout settings. ES allows the post-install steps only a certain amount of time to complete; if for any reason the server does not finish in time, a timeout is triggered and the installation or upgrade is halted.

  1. From the ES search head, open $SPLUNK_HOME/etc/system/local/web.conf.
  2. Increase the splunkdConnectionTimeout setting to a larger number, such as 300:
    [settings]
    splunkdConnectionTimeout = 300
  3. Save the changes.
  4. Stop the ES search head.
  5. Rerun the ES setup.
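The timeout edit above, as an added example that is not part of the Splunk documentation: a small Python script that raises splunkdConnectionTimeout in the [settings] stanza of web.conf in place, without lowering an existing larger value or disturbing other settings. The conf parser and the function names are my own assumptions, not Splunk tooling; run it before stopping the search head and rerunning the ES setup.

```python
# Added example, not Splunk's own code: applies the web.conf timeout fix above by
# editing the [settings] stanza in place with a minimal parser for Splunk's
# INI-style conf files. Function names are hypothetical.
import re

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")


def set_conf_value(text, stanza, key, value):
    """Return (new_text, old_value) with key = value set inside [stanza].
    Creates the stanza if missing; other lines are kept exactly as they were."""
    out, in_target, found_stanza, done, old = [], False, False, False, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            if in_target and not done:  # leaving [stanza] without seeing key
                out.append(f"{key} = {value}")
                done = True
            in_target = m.group("name").strip() == stanza
            found_stanza = found_stanza or in_target
        elif in_target and not done:
            km = KEY_RE.match(line)
            if km and km.group("key") == key:
                old, line, done = km.group("val"), f"{key} = {value}", True
        out.append(line)
    if not found_stanza:
        out.append(f"[{stanza}]")
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n", old


def ensure_timeout(path, seconds=300):
    """Raise splunkdConnectionTimeout in web.conf to at least `seconds`.
    Never lowers a larger existing value; returns the effective timeout."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""  # no local web.conf yet: the stanza is created from scratch
    new_text, old = set_conf_value(text, "settings", "splunkdConnectionTimeout", str(seconds))
    if old is not None and old.isdigit() and int(old) >= seconds:
        return int(old)  # already large enough: leave the file untouched
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return seconds
```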

Step 4. Configure Splunk Enterprise Security

To continue configuring Splunk Enterprise Security, see the following:

  1. Deploy add-ons included with Splunk Enterprise Security
  2. Configure and deploy Indexes
  3. Configure users and roles
  4. Configure data models

For an overview of the data sources and collection considerations for Enterprise Security, see Data source planning.

Enterprise Security does not support Dark Theme.

Install Splunk Enterprise Security from the command line

Install Splunk Enterprise Security using the Splunk software command line. See About the CLI for more about the Splunk software command line.

  1. Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
  2. Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line.
    For example:
    curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v
  3. On the search head, use the Splunk software command line to run the following command:
    splunk search '| essinstall' -auth admin:password

    You can also run this search command from Splunk Web and view the installation progress as search results.

    | essinstall

  4. (Optional) You can use additional options to specify add-ons to install, to skip installing, or to disable after installing.

    |essinstall --install-ta <ta-name>+ --skip-ta <ta-name>+ --disable-ta <ta-name>+

    Specify the name of the add-on to install, skip, or disable, or use * as a wildcard. Use + to specify multiple add-ons to install.

If you run the search command to install Enterprise Security in Splunk Web, you can review the progress of the installation as search results. If you run the search command from the command line, you can review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log.

Test installation and setup of Splunk Enterprise Security

You can test the installation and setup of Splunk Enterprise Security by adding

  1. Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
  2. Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line.
    For example:
    curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v
  3. From Splunk Web, open the Search and Reporting app.
  4. Type the following search to perform a dry run of the installation and setup.

    |essinstall --dry-run

  5. (Optional) You can use additional options to specify add-ons to install, to skip installing, or to disable after installing.

    |essinstall --install-ta <ta-name>+ --skip-ta <ta-name>+ --disable-ta <ta-name>+

    Specify the name of the add-on to install, skip, or disable, or use * as a wildcard. Use + to specify multiple add-ons to install.

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1
