Deployment options
Splunk App for PCI Compliance is available as a standalone app, or as a content addition to Splunk Enterprise Security.
- If you have Splunk Enterprise Security 4.5.x installed, install the Splunk App for PCI Compliance (for Splunk Enterprise Security).
- If you do not have Splunk Enterprise Security 4.5.x installed, install the Splunk App for PCI Compliance (for Splunk Enterprise).
Common deployment architectures
This topic covers how to integrate the Splunk App for PCI Compliance into common Splunk Enterprise architectures:
- Single instance deployment
- Distributed deployment
Single instance deployment
You can install the Splunk App for PCI Compliance (for Splunk Enterprise) on a single Splunk platform instance. A single instance serves as both search head and indexer, providing both search and storage capability. A single instance deployment can support one or two users running concurrent searches.
You can also install the Splunk App for PCI Compliance (for Splunk Enterprise Security) along with Splunk Enterprise Security on a single Splunk platform instance, but a distributed deployment is recommended.
Distributed deployment
A distributed Splunk Enterprise deployment is recommended for the Splunk App for PCI Compliance. A dedicated search head provides the web interface and search management, while a collection of indexers provide improved search performance by distributing the workload of searches across multiple nodes. Multiple indexers also allow for the distribution of incoming data from the forwarders and the workload of processing that data.
You can install this app on a search head cluster and run it with an indexer cluster.
Search Head considerations
Install the Splunk App for PCI Compliance on one dedicated search head or search head cluster. Install only Common Information Model (CIM)-compatible add-ons on a search head or search head cluster with this app.
Install the Splunk App for PCI Compliance (for Splunk Enterprise Security) on the same search head as Splunk Enterprise Security version 4.5 or later. If you install PCI Compliance with Splunk Enterprise Security, follow the hardware recommendations for Splunk Enterprise Security.
Hardware | Requirement | Additional Considerations |
---|---|---|
CPU cores | 16 | Additional cores needed depending on search concurrency, search type, and number of users. |
Memory | 16GB RAM | Add additional memory to address search concurrency, number of enabled correlation searches, and the size of the asset and identity tables. |
- All real-time searches in the app use the indexed real-time setting for improved indexing performance. Reverting the configuration reduces overall indexing capacity. See About real-time searches and reports in the Search Manual. To review the performance implications, see Expected performance and known limitations of real-time searches and reports in the Search Manual.
- Splunk App for PCI Compliance requires the KV Store. For more information about KV Store, including the system requirements, see About the app key value store in the Admin Manual.
- If you enable the Distributed Management Console (DMC) on a Splunk App for PCI Compliance search head, it must remain in standalone mode. For more information on when and how to configure the DMC for use in a distributed environment, see Which instance should host the console? in the Distributed Management Console Manual.
Search head clustering
You can install the Splunk App for PCI Compliance on a search head cluster and run it with an indexer cluster. Splunk App for PCI Compliance supports installation on Linux-based search head clusters only. Review the requirements and differences of search head clustering.
- For details on search head clustering architecture, see Search head clustering architecture in the Distributed Search Manual.
- A search head cluster requires the KV store feature for data synchronization among search cluster members. For a list of requirements, see System requirements and other deployment considerations for search head clusters in the Distributed Search Manual.
- Configure the search head to forward all data to the indexers. See Forward search head data to the indexer layer in the Distributed Search manual.
Indexer considerations
Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests. For the latest IOPS requirements to run Splunk Enterprise, see Reference Hardware: Indexer in the Capacity Planning Manual.
Using the Splunk App for PCI Compliance (for Splunk Enterprise Security) on the same search head as Splunk Enterprise Security introduces added indexer load of 15%. This results in reduced throughput capacity of 85GB, compared with 100GB per day when using Splunk Enterprise Security by itself. If you install PCI Compliance with Splunk Enterprise Security, follow the hardware recommendations for Splunk Enterprise Security.
Hardware | Requirement | Additional Considerations |
---|---|---|
CPU cores | 16 | Additional cores needed depending on search concurrency, search type, and number of users. |
Memory | 32GB RAM | Add additional memory to address search concurrency, number of enabled correlation searches, and the size of the asset and identity tables. |
A collection of indexers can serve more than one search head. Additional search heads using the same indexers affect the total performance and reduce the resources available to the search infrastructure. Always increase the number of indexers to scale with increases in search load and search concurrency.
Because the Splunk App for PCI Compliance uses the same framework as Splunk Enterprise Security, the Performance test results are useful to review. Data model usage and correlation search load are the two largest factors in sizing the Splunk App for PCI Compliance. Changing correlation search counts and data model usage may require additional indexers.
Indexes
Splunk App for PCI Compliance (for Splunk Enterprise) defines custom indexes for event storage. For more information about the indexes required, see Configure and deploy indexes. The Splunk App for PCI Compliance (for Enterprise Security) relies on the custom indexes defined by Splunk Enterprise Security.
Indexer clustering
Splunk App for PCI Compliance supports both single site and multisite cluster architectures. See The basics of indexer cluster architecture and Multisite cluster architecture in the Managing Indexers and Clusters Manual.
A single-site or multisite indexer cluster architecture may have one search head or one search head cluster running the Splunk App for PCI Compliance. Additional single-instance search heads cannot run this app.
Data model accelerations
Splunk App for PCI Compliance accelerates data models to provide dashboard panel and correlation search results. Data model acceleration uses the indexers for processing and storage, placing the accelerated data alongside each index. To calculate the additional storage needed on the indexers based on the total volume of data, use the following formula: accelerated data model storage/year = data volume per day * 3.4
This formula assumes that you are using the recommended retention rates for the accelerated data models.
Example: If you process 100GB/day of data volume for use with this app, you need approximately 340GB more space available across all of the indexers to allow for up to one year of data model retention and source retention.
The storage used for data model acceleration is not added to index sizing calculations for maintenance tasks such as bucket rolling and free space checks.
Splunk Enterprise 6.1.0 and later implements new configuration parameters for data model acceleration tasks. See Advanced configurations for persistently accelerated data models in the Knowledge Manager Manual.
TSIDX reduction compatibility
A retention policy for an index's TSIDX files is available in Splunk Enterprise 6.4.x. For more information on TSIDX reduction, see Reduce tsidx disk usage in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual. Setting a retention policy for the TSIDX files does not affect data model acceleration retention.
Some searches provided with the Splunk App for PCI Compliance do not work on buckets with reduced TSIDX files.
Panel/Search Name | Default time range | Workaround |
---|---|---|
Forwarder Audit panel: Event Count Over Time by Host | -30d | Set the TSIDX retention to a value greater than the time range, or reduce the default time range for the search to a value under the TSIDX retention value. |
Saved Search: Audit - Event Count Over Time By Top 10 Hosts | -30d | Set the TSIDX retention to a value greater than the time range, or reduce the default time range for the search to a value under the TSIDX retention value. |
Saved Search: Audit - Events Per Day - Lookup Gen | -1d | Set the TSIDX retention to a value greater than the default time range. |
Saved Search: Endpoint - Index Time Delta 2 - Summary Gen | -1d | Set the TSIDX retention to a value greater than the default time range. |
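As an added example (not part of Splunk's documentation or product), the following Python script applies the workaround logic from the table above: it reads an indexes.conf fragment, derives each index's effective TSIDX retention, and flags any of the listed searches whose default time range exceeds it. It assumes the indexes.conf settings enableTsidxReduction and timePeriodInSecBeforeTsidxReduction (with Splunk's 7-day default of 604800 seconds), [default] stanza inheritance, and a constructed sample configuration.

```python
import re
# Constructed sample indexes.conf (not from the page); assumes the real Splunk settings
# enableTsidxReduction / timePeriodInSecBeforeTsidxReduction and [default] inheritance.
SAMPLE_INDEXES_CONF = """
[default]
enableTsidxReduction = false
timePeriodInSecBeforeTsidxReduction = 604800
[pci]
enableTsidxReduction = true
"""
# Searches from the compatibility table above, with their default time ranges.
SEARCHES = [
    ("Forwarder Audit panel: Event Count Over Time by Host", "-30d"),
    ("Audit - Event Count Over Time By Top 10 Hosts", "-30d"),
    ("Audit - Events Per Day - Lookup Gen", "-1d"),
    ("Endpoint - Index Time Delta 2 - Summary Gen", "-1d"),
]
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def relative_time_to_seconds(spec):
    """Convert a Splunk relative time modifier such as '-30d' into seconds."""
    m = re.fullmatch(r"-(\d+)([smhdw])", spec.strip())
    if not m:
        raise ValueError("unsupported time modifier: " + spec)
    return int(m.group(1)) * _UNITS[m.group(2)]

def parse_conf(text):
    """Minimal .conf parser: [stanza] headers followed by key = value lines."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def tsidx_retention_seconds(stanzas, index):
    """Seconds before TSIDX reduction for an index, or None if reduction is off."""
    merged = {**stanzas.get("default", {}), **stanzas.get(index, {})}
    if merged.get("enableTsidxReduction", "false").lower() != "true":
        return None
    return int(merged.get("timePeriodInSecBeforeTsidxReduction", "604800"))

def find_conflicts(conf_text, index, searches=SEARCHES):
    """Return (name, range) pairs whose search window exceeds the TSIDX retention."""
    retention = tsidx_retention_seconds(parse_conf(conf_text), index)
    if retention is None:
        return []
    return [(n, r) for n, r in searches if relative_time_to_seconds(r) > retention]
```

With the sample configuration, both 30-day searches are flagged for the pci index while the one-day searches are not; an index with reduction disabled reports no conflicts.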
Deploying add-ons
Deploy add-ons to forwarders and indexers to distribute index-time knowledge.
- If you use a distributed deployment without index or search head clusters, use the deployment server. For information about the deployment server configuration and use, see About deployment server and forwarder management in the Updating Splunk Enterprise Instances Manual.
- If you use indexer clustering, see Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in the Managing Indexers and Clusters Manual.
- If you use search head clustering, use the search head cluster deployer to distribute configurations across the set of search head cluster members. See Use the deployer to distribute apps and configuration updates in the Distributed Search Manual.
- To facilitate using the deployer to manage configuration files with hashed passwords, the captain replicates its splunk.secret file to all other cluster members during initial deployment of the cluster. For more information, see Deploy secure passwords across multiple servers in the Securing Splunk Enterprise Manual.
- Splunk App for PCI Compliance includes the Distributed Configuration Management tool to gather the indexes.conf, index-time props.conf, and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on.
Virtualized hardware
Installing Splunk App for PCI Compliance in a virtualized environment requires the same memory and CPU allocation as an installation in a non-virtualized environment. You must reserve all CPU and memory resources, with no oversubscription of hardware.
In a virtualized environment, test the storage IOPS across all Splunk platform indexer nodes simultaneously. The results from every node must conform to the Reference Hardware IOPS specified in the Capacity Planning Manual.
Insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.
Deploying with other apps
For optimal performance, install the Splunk App for PCI Compliance on a dedicated search head. The dedicated search head should not have any other apps installed, and use indexers that have only the necessary Common Information Model-compatible technology add-ons. In some cases, it might be necessary to install other apps on the same search head or instance as the Splunk App for PCI Compliance. Apps compatible with the Splunk App for PCI Compliance are documented as CIM-compatible. Splunk apps and other add-ons that are not CIM-compatible could prevent PCI Compliance searches and dashboards from functioning properly.
If you have Splunk Enterprise Security, you can install the Splunk App for PCI Compliance (for Splunk Enterprise Security) on the same search head. Test and consider the data volume that you process in your environment before doing so.
Remote data collection
Use forwarders to collect data from remote systems. See Using forwarding agents. A node where a forwarder is installed is a collection point for one or more data sources. The technology add-ons for those data sources should be installed on the forwarder, ensuring that the data is properly tagged. To manage and distribute technology add-ons across many forwarders, use the Splunk deployment server or a third-party software distribution system. See About deployment server. If Splunk Enterprise Security 4.5.x is already installed and the technology add-ons are already collecting data on a specific node, this node can act as a forwarder.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3