Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Upgrade Splunk App for PCI Compliance

Upgrading the Splunk App for PCI Compliance from version 2.1.x to version 3.0.x is best performed with the assistance of Splunk Professional Services. Before upgrading, see What to expect from the upgrade in this manual. These upgrade procedures were tested for a migration from version 2.1.1 to version 3.0.x.

Upgrading a single-instance environment

If you use the Splunk App for PCI Compliance on a single server, follow these steps to upgrade your installation.

  1. Set up a new Splunk 6.3.0 instance and install the Splunk App for PCI Compliance 3.0.x. See Install the Splunk App for PCI Compliance in this manual.
  2. Stop services on the PCI 2.1.x instance.
  3. Point all forwarders and data sources to the PCI 3.0.x instance.
  4. Manually migrate custom data sources, app configurations, and user configurations from the PCI 2.1.x app. For example, you can migrate asset and identity lookups from PCI 2.1.x.
    1. Locate the assets.csv and identities.csv files in SA-IdentityManagement/lookups on your 2.1.x instance.
    2. Copy the files to the same location on your PCI 3.0.x instance.
    3. If present, do not migrate the assets_by_str.csv, assets_by_cidr.csv, or identities.expanded.csv files, as PCI 3.0.x will recreate them once you migrate the assets and identities lists.
  5. Review all correlation searches used on PCI 2.1.x and enable them on the new PCI instance.
  6. Verify that you can search historical data and that there is data in the Incident Review dashboard in the Splunk App for PCI Compliance.

Note: The PCI 3.0.x dashboards might be empty until data model accelerations complete. Use the Data Model Audit dashboard to review the acceleration status.

Upgrading a distributed environment

If you use the Splunk App for PCI Compliance in a distributed Splunk environment with a deployment server, follow these steps to upgrade your installation.

  1. Upgrade your current indexers to Splunk 6.3.0, if they are not using that version already.
  2. Set up a new Splunk 6.3.0 search head and install the Splunk App for PCI Compliance 3.0.x. See Install the Splunk App for PCI Compliance in this manual.
  3. Stop services on the PCI 2.1.x search head.
  4. Install PCI 3.0.x on the indexers.
  5. Start the PCI 3.0.x search head and configure distributed search to the upgraded indexers.
  6. Using the distributed configuration management tool, create the Splunk SA Forindexers app.
  7. Reconcile the PCI add-ons and index settings on the indexers with the Splunk SA ForIndexers app. Deploy the changes to the indexers.
  8. Manually migrate custom data sources, app configurations, and user configurations from the PCI 2.1.x app. For example, you can migrate asset and identity lookups from PCI 2.1.x.
    1. Locate the assets.csv and identities.csv files in SA-IdentityManagement/lookups on your 2.1.x search head.
    2. Copy the files to the same location on your PCI 3.0.x search head.
    3. If present, do not migrate the assets_by_str.csv, assets_by_cidr.csv, or identities.expanded.csv files, as PCI 3.0.x will recreate them once you migrate the assets and identities lists.
  9. Review the correlation searches you used on PCI 2.1.x and enable them on the new PCI instance.
  10. Verify that you can search historical data and that there is data in the Incident Review dashboard in the Splunk App for PCI Compliance.
  11. Remove the old 2.1.x folders.

Note: Until the data model accelerations complete, the Splunk App for PCI Compliance dashboards might be empty. Use the Data Model Audit dashboard to review the acceleration status.

PREVIOUS
Plan the upgrade
  NEXT
Troubleshoot your deployment

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters