Splunk Enterprise Security

How and where to deploy the Splunk App for Enterprise Security in my environment?

kormot
New Member

Currently a bit confused on how many servers I would need to deploy Splunk with Enterprise Security in our environment.

This is what I know so far:
Enterprise Security - Dedicated Search Head (Can this also be the Indexer or this should be separate from the indexer?)
Splunk Search Head - Currently sizing about 22 users and could be adding more in the future, maybe 5 additional users. Would it be sufficient enough to have 4 CPUs with 6 cores/CPU = 24 cores total?
Indexer - same question above; can this be where I would install Enterprise Security or should it be separate?
Deployment Server - mini search head - Not sure what apps should be installed, how much hardware would I need for this?
Syslog Server - Not sure if this is necessary; what do I need this for? What are its benefits? (recommended syslog-ng) How much hardware would I also need for this?

So far I am at 3 Physical Servers (ES Dedicated Search Head, Indexer, Splunk Search Head)
The other two servers can be VMs, as I was told.

Additional info: Indexing about 150GB of data with retention of 6 months (searchable logs) = 15TB of SAN space needed; 3 months would be just 8TB of SAN space, then logs can be archived right after. (Do I need more space for archive logs?)

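The storage part of the question above (searchable retention versus archived logs) is easier to reason about with a small sizing calculator. The following is an added example, not code from the post or from Splunk. It assumes the commonly cited rule of thumb that indexed data occupies roughly 50% of raw daily ingest (about 15% for the compressed rawdata journal plus about 35% for the tsidx index files), and that a frozen archive that discards the tsidx files keeps only the ~15% rawdata portion; the 20% headroom factor is likewise an assumption. Measure the real ratios on your own data and adjust the parameters.

```python
# Added example: index storage sizing calculator for a Splunk deployment.
# Not from the original post or from Splunk. All ratios below are labelled
# assumptions (rule-of-thumb values); replace them with measured figures.

GB_PER_TB = 1000.0


def index_storage_gb(daily_ingest_gb, retention_days, index_ratio=0.50):
    """Searchable (hot/warm/cold) storage for a retention window.

    index_ratio is an assumption: indexed data ~= 50% of raw ingest
    (~15% compressed rawdata + ~35% tsidx index files).
    """
    return round(daily_ingest_gb * retention_days * index_ratio, 2)


def archive_storage_gb(daily_ingest_gb, archive_days, rawdata_ratio=0.15):
    """Frozen archive storage after the searchable window.

    rawdata_ratio is an assumption: an archive that drops tsidx files keeps
    only the compressed rawdata journal (~15% of raw ingest).
    """
    return round(daily_ingest_gb * archive_days * rawdata_ratio, 2)


def sizing_plan(daily_ingest_gb, searchable_days, archive_days, headroom=1.2):
    """Combine searchable and archive storage and add headroom.

    headroom=1.2 (20% spare) is an assumption for growth and bucket rolling.
    Returns GB figures plus a TB total for SAN planning.
    """
    searchable = index_storage_gb(daily_ingest_gb, searchable_days)
    archive = archive_storage_gb(daily_ingest_gb, archive_days)
    total = round((searchable + archive) * headroom, 2)
    return {
        "searchable_gb": searchable,
        "archive_gb": archive,
        "total_gb": total,
        "total_tb": round(total / GB_PER_TB, 2),
    }


if __name__ == "__main__":
    # Figures from the post: 150 GB/day, 6 months searchable (180 days),
    # then 3 months (90 days) archived before deletion.
    plan = sizing_plan(150, searchable_days=180, archive_days=90)
    for key, value in plan.items():
        print(f"{key:>14}: {value}")
```

With the post's own numbers this gives about 13.5TB of searchable storage and about 2TB of archive, roughly 18.6TB with headroom. The 15TB and 8TB figures in the question line up with the same ~50% ratio, so the main thing the calculator adds is an explicit, separately sized line item for the archive instead of folding it into the searchable estimate.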

ChrisG
Splunk Employee

My thoughts here are:

  1. Contact Splunk Professional Services and have them help you with this. Enterprise Security is not simple to deploy and you will benefit from their guidance.
  2. Read the deployment planning topics in the Installation and Configuration Guide for the basics, if you have not already done so.

kormot
New Member

Hello, just wondering if there is anyone who can guide me in the right direction, mainly in regards to the indexer. Can the indexer also be where I install my Splunk App for Enterprise Security?
