Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Plan the upgrade

To plan your upgrade, you must be familiar with the Splunk App for PCI Compliance and have administrative knowledge of the Splunk platform.

Minimum requirements for upgrade

Before beginning the upgrade process, read the Release Notes, including the "Known Issues" topic, to understand the new features and functionality and any issues that affect upgrades. Also see "Minimum recommended hardware requirements" in this manual.

Planning the upgrade

The Splunk App for PCI Compliance upgrade process assumes the following:

  • You have an installation of PCI Compliance 2.1.x and the required add-ons on a dedicated search head or single-instance Splunk environment
  • You are running Splunk Enterprise 6.0.1 or later on a supported Linux or Windows system

What to expect from the upgrade

The upgrade from PCI 2.1.x to PCI 3.0.x requires manual migration of custom configurations. Some information in PCI 2.1.x is not compatible with PCI 3.0.x.

Some historical status information will be lost.

  • The upgrade process migrates the notable events associated with PCI, but not the historical statuses assigned to them. For example, if you have 50 notable events in the app, 10 with a status of closed and 20 with a status of in progress, all 50 notable events have a status of new after the upgrade.
  • Compliance status panels will not be accurate until they are repopulated with data. For example, the Compliance Status - Last 24 Hours panel will not contain an accurate status until 24 hours after the upgrade is complete. The Compliance Status History panel will not display data until five days after the upgrade.
  • The PCI requirement 6 report will not be accurate until it is repopulated with data. For example, the Anomalous Update Service By System Count (Last 90 Days) panel will not contain an accurate count until 90 days after the upgrade is complete.

You will need to perform manual migration steps.

  • Migrate custom app configurations.
  • Migrate custom user configurations.
  • Migrate custom csv files.

After the upgrade is complete, you will need to verify that your new configuration matches your old configuration. This includes:

  • Updating any custom lookups you might have created.
  • Verifying or updating any source type conversion or aliasing.
  • Configuring new reports and scorecards for PCI compliance that did not exist before upgrading.
  • Enabling the same correlation searches.

Note: Some lookups are now stored in the KV Store instead of in csv files, and some of their field names have changed, so the Splunk App for PCI Compliance 3.0.x cannot read the 2.1.x csv contents as-is. The affected lookups are:

  • notable_owners_lookup
  • incident_review
  • src_dest_tracker
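The manual migration steps and the post-upgrade verification checklist above both depend on knowing exactly which configuration and csv files were customized in the 2.1.x installation. The following shell script is an added example, not part of the Splunk documentation or the app itself: it records a manifest of the app's local/ configuration files and csv lookups plus the list of correlation searches explicitly enabled in local/savedsearches.conf, so that the same commands can be re-run after the upgrade and diffed. It assumes only the standard Splunk app layout ($SPLUNK_HOME/etc/apps/<app>/default, local, lookups); the app directory contents, lookup file name and search name created by make_sample_app are constructed for the demonstration and are not real PCI app artifacts.

```shell
#!/bin/sh
# Added example: inventory the customizations of a Splunk app directory
# before an upgrade so they can be verified afterwards. Assumes the
# standard app layout: <app_dir>/default, <app_dir>/local, <app_dir>/lookups.

# Print "sha256  relative-path" for every file a user may have customized:
# all *.conf under local/ and all *.csv under lookups/, in a stable order.
app_custom_manifest() {
    app_dir=$1
    ( cd "$app_dir" &&
      find local lookups -type f \( -name '*.conf' -o -name '*.csv' \) 2>/dev/null \
        | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done )
}

# List the stanzas in local/savedsearches.conf that carry "disabled = 0",
# i.e. the searches (correlation searches included) explicitly enabled on
# this instance; these must be re-enabled after the upgrade.
app_enabled_searches() {
    conf="$1/local/savedsearches.conf"
    [ -f "$conf" ] || return 0
    awk '
        /^\[/                { stanza = substr($0, 2, length($0) - 2); next }
        /^ *disabled *= *0 *$/ { if (stanza != "") print stanza }
    ' "$conf"
}

# Compare a manifest saved before the upgrade with the current app state.
# Prints the differences; returns 0 if nothing changed, non-zero otherwise.
app_manifest_diff() {
    old_manifest=$1
    app_dir=$2
    app_custom_manifest "$app_dir" | diff "$old_manifest" -
}

# Constructed sample app directory (hypothetical names, not real PCI app
# content) used only to demonstrate the functions above.
make_sample_app() {
    dir=$1
    mkdir -p "$dir/default" "$dir/local" "$dir/lookups"
    printf '[default]\n' > "$dir/default/app.conf"
    printf '[Sample - Custom Correlation - Rule]\ndisabled = 0\n\n[Sample - Unused - Rule]\ndisabled = 1\n' \
        > "$dir/local/savedsearches.conf"
    printf 'asset,category\n10.0.0.5,cardholder\n' > "$dir/lookups/custom_assets.csv"
}

# Typical use on a search head before upgrading (paths are assumptions):
#   app_custom_manifest "$SPLUNK_HOME/etc/apps/<pci_app>" > pci_before.txt
#   app_enabled_searches "$SPLUNK_HOME/etc/apps/<pci_app>" > pci_enabled.txt
# and after upgrading:
#   app_manifest_diff pci_before.txt "$SPLUNK_HOME/etc/apps/<pci_app>"
```

Run the manifest and enabled-search listing before the upgrade and keep the output outside the app directory; after the upgrade, the diff shows which local configuration files and csv lookups changed or disappeared and therefore need manual migration, and the enabled-search list is the checklist for re-enabling the same correlation searches. Lookups that moved to the KV Store will show up as csv files missing from the new manifest and have to be migrated by hand rather than copied back.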
Last modified on 30 March, 2016

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5

