Install Splunk Enterprise Security
Install Splunk Enterprise Security on an on-premises search head. Splunk Cloud Platform customers must work with Splunk Support to coordinate access to the Enterprise Security search head.
Splunk Enterprise platform considerations
Splunk Enterprise 7.2.0 uses Serialized Result Set (SRS) format by default. The exception is in searches that execute actions, for which we auto-detect whether to use CSV or SRS. This is handled in the alert_actions.conf
file, but do not modify the forceCsvResults
stanza without a thorough understanding of scripts or processes that access the results files directly.
A new install_apps
capability is introduced in Splunk Enterprise v8. The change impacts the existing Enterprise Security edit_local_apps
capability's functionality to install and upgrade apps. In ES, enable_install_apps
is false by default. If you set enable_install_apps=True
and you don't have the new install_apps
and existing edit_local_apps
capabilities, you will not be able to install and setup apps. This includes performing ES setup and installing other content packs or Technology Add-ons.
Installation prerequisites
- Review the Splunk platform requirements for Splunk Enterprise Security. See Deployment planning.
- If a deployment server manages any of the apps or add-ons included with Splunk Enterprise Security, remove the
deploymentclient.conf
file that contains references to the deployment server and restart Splunk services. If you do not do this, the installation will not complete. - Your user account must have the admin role and the
edit_local_apps
capability. The admin role is assigned that capability by default. - Approximately 1 GB of free space is required in the
/tmp/
directory for the installation or upgrade to complete. When installing or upgrading an app through either the CLI or Splunk Web UI, the/tmp/
directory is utilized during the process.
Step 1. Download Splunk Enterprise Security
- Log in to Splunkbase with your Splunk.com user name and password.
- Download the latest Splunk Enterprise Security product. You must be a licensed Enterprise Security customer to download the product.
- Click Download and save the Splunk Enterprise Security product file to your desktop.
- Log in to the search head as an administrator.
Step 2. Install Splunk Enterprise Security
The installer dynamically detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.
- Increase the Splunk Web upload limit to 1 GB by creating a file called
$SPLUNK_HOME/etc/system/local/web.conf
with the following stanza.[settings]
max_upload_size = 1024 - To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
- On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
- Click Choose File and select the Splunk Enterprise Security product file.
- Click Upload to begin the installation.
- Click Set up now to start setting up Splunk Enterprise Security
There are a few differences after installing on a deployer in a SHC environment. See Install Splunk Enterprise Security in a search head cluster environment.
Step 3. Set up Splunk Enterprise Security
Set up Splunk Enterprise Security in a single search head environment.
- Click Start.
- If you are not using Secure Sockets Layer (SSL) in your environment, do one of the following steps when you see the SSL Warning message:
- Click Enable SSL to turn on SSL and start using
https://
for encrypted data transfer. - Click Do Not Enable SSL to keep SSL turned off and continue using
http://
for data transfer.
- Click Enable SSL to turn on SSL and start using
- The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
- Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page prompts you to restart Splunk platform services.
- If prompted to do so, click Restart Splunk to finish the installation.
If you enable SSL, you must change the Splunk Web URL to use https
to access the search head after installing ES.
After the installation completes, review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log
.
Step 4. Configure Splunk Enterprise Security
To continue configuring Splunk Enterprise Security, see the following:
- Deploy add-ons included with Splunk Enterprise Security
- Configure and deploy Indexes
- Configure users and roles
- Configure data models
For an overview of the data sources and collection considerations for Enterprise Security, see Data source planning.
Install Splunk Enterprise Security from the command line
Install Splunk Enterprise Security using the Splunk software command line. See About the CLI for more about the Splunk software command line.
- Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
- Start the installation process on the search head. Install with the
./splunk install app <filename>
command or perform a REST call to start the installation from the server command line.
For example:curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d
For information on upgrading Splunk Enterprise Security, see Upgrade Splunk Enterprise Security. You can upgrade the Splunk Enterprise Security app on the CLI using the same process as other Splunk apps or add-ons. For information on upgrading Splunk platform apps, see Manage apps and add-ons. After the Splunk Enterprise Security app is installed, run the
essinstall
command with the appropriate flags as shown in the next step. - On the search head, use the Splunk software command line to run the following command:
splunk search '| essinstall' -auth admin:password
You can also run this search command from Splunk Web and view the installation progress as search results.| essinstall
When installing from the command line,
If you run the search command to install Enterprise Security in Splunk Web, you can review the progress of the installation as search results. If you run the search command from the command line, you can review the installation log in:ssl_enablement
defaults to "strict." If you don't have SSL enabled, the installer will exit with an error.$SPLUNK_HOME/var/log/splunk/essinstaller2.log
.
Test installation and setup of Splunk Enterprise Security
You can test the installation and setup of Splunk Enterprise Security by adding
- Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
- Start the installation process on the search head. Install with the
./splunk install app <filename>
command or perform a REST call to start the installation from the server command line.
For example:curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v
- From Splunk Web, open the Search and Reporting app.
- Type the following search to perform a dry run of the installation and setup.
|essinstall --dry-run
Uninstall Splunk Enterprise Security
You can uninstall the Splunk ES app by removing the Splunk Enterprise Security Suite from the $SPLUNK_HOME/etc/apps folder by recursively deleting the directory or moving it to $SPLUNK_HOME/etc/disabled-apps and restarting Splunk. When you restart Splunk, the KV Store data is also removed. You can temporarily test the uninstallation of the Splunk ES app by moving the Splunk Enterprise Security Suite to the disabled-apps folder and then move it back.
ES is a collection of apps, so removing a single app folder will not uninstall it. You need to remove or move all applicable apps in the Splunk Enterprise Security Suite.
Data source planning for Splunk Enterprise Security | Install Splunk Enterprise Security in a search head cluster environment |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!