Splunk Enterprise Security

How and where to deploy the Splunk App for Enterprise Security in my environment?

kormot
New Member

Currently a bit confused about how many servers I would need to deploy Splunk with Enterprise Security in our environment.

This is what I know so far:
Enterprise Security - Dedicated Search Head (Can this also be the Indexer, or should this be separate from the indexer?)
Splunk Search Head - Currently sizing for about 22 users and could be adding more in the future, maybe 5 additional users. Would it be sufficient to have 4 CPUs with 6 cores/CPU = 24 cores total?
Indexer - Same question as above; can this be where I would install Enterprise Security, or should it be separate?
Deployment Server - Mini search head. Not sure what apps should be installed; how much hardware would I need for this?
Syslog Server - Not sure if this is necessary. What do I need this for? What are its benefits? (syslog-ng was recommended.) How much hardware would I also need for this?

So far I am at 3 physical servers (ES dedicated search head, indexer, Splunk search head).
The other two servers can be VMs, as I was told.

Additional info: Indexing about 150GB of data with a retention of 6 months (searchable logs) = 15TB of SAN space needed; 3 months would be just 8TB of SAN space, and then logs can be archived right after. (Do I need more space for archive logs?)

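The storage arithmetic in the question above, worked through as an added example (this is not code from the post or from Splunk). It assumes the 150GB figure is daily ingest and uses Splunk's published rule of thumb that indexed data occupies roughly 50% of raw ingest (about 15% compressed rawdata plus about 35% index files) while a frozen archive written by coldToFrozenDir keeps only the compressed rawdata, about 15%. The ratios, the 20% headroom and the `/splunk_archive` path are assumptions; `frozenTimePeriodInSecs`, `maxTotalDataSizeMB` and `coldToFrozenDir` are real indexes.conf settings.

```python
"""Rough storage sizing for a single-site Splunk deployment.

Added example for the sizing question above; not the poster's or Splunk's
own tooling. Assumption: the 150GB figure is daily ingest. The ratios below
are Splunk's rule-of-thumb numbers, not measurements from this environment.
"""

INDEX_RATIO = 0.50    # assumption: searchable bucket size as a fraction of raw ingest
FROZEN_RATIO = 0.15   # assumption: frozen (archived) bucket size, rawdata only
DAY_SECS = 86400


def estimate_storage_gb(ingest_gb_per_day, searchable_days, archive_days=0,
                        replication_factor=1, headroom=0.2):
    """Return GB needed for searchable buckets, the frozen archive, and both.

    replication_factor covers an indexer cluster (1 = single indexer);
    headroom leaves room for bucket roll, summary data and growth.
    """
    searchable = (ingest_gb_per_day * searchable_days * INDEX_RATIO
                  * replication_factor * (1 + headroom))
    archive = ingest_gb_per_day * archive_days * FROZEN_RATIO
    return {
        "searchable_gb": round(searchable),
        "archive_gb": round(archive),
        "total_gb": round(searchable + archive),
    }


def searchable_days_for_budget(budget_gb, ingest_gb_per_day,
                               replication_factor=1, headroom=0.2):
    """Inverse question: how many days stay searchable inside a fixed SAN budget."""
    per_day = ingest_gb_per_day * INDEX_RATIO * replication_factor * (1 + headroom)
    return int(budget_gb // per_day)


def indexes_conf_stanza(index_name, searchable_days, searchable_gb):
    """indexes.conf settings that enforce the plan.

    Either limit rolls buckets to frozen: buckets older than
    frozenTimePeriodInSecs, or the index growing past maxTotalDataSizeMB.
    The default maxTotalDataSizeMB (500000, about 488GB) is far below a
    multi-TB plan, so leaving it at the default silently shortens retention.
    Without coldToFrozenDir, frozen buckets are deleted rather than archived.
    """
    return "\n".join([
        f"[{index_name}]",
        f"frozenTimePeriodInSecs = {searchable_days * DAY_SECS}",
        f"maxTotalDataSizeMB = {searchable_gb * 1024}",
        f"coldToFrozenDir = /splunk_archive/{index_name}",  # assumption: archive path
    ])


if __name__ == "__main__":
    six_months = estimate_storage_gb(150, 180)
    three_months = estimate_storage_gb(150, 90, archive_days=90)
    print("6 months searchable:", six_months)
    print("3 months searchable + 3 months archived:", three_months)
    print("days searchable in a 15TB SAN:", searchable_days_for_budget(15000, 150))
    print(indexes_conf_stanza("main", 180, six_months["searchable_gb"]))
```

With these assumptions, 6 months of 150GB/day comes to about 16TB searchable and 3 months to about 8TB, which lines up with the figures in the question; the archive for the remaining 3 months adds roughly 2TB more, so yes, archived logs need their own space, just much less than searchable ones.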

ChrisG
Splunk Employee

My thoughts here are:

  1. Contact Splunk Professional Services and have them help you with this. Enterprise Security is not simple to deploy and you will benefit from their guidance.
  2. Read the deployment planning topics in the Installation and Configuration Guide for the basics, if you have not already done so.

kormot
New Member

Hello, just wondering if there is anyone who can guide me in the right direction, mainly in regards to the indexer. Can the indexer also be where I install my Splunk App for Enterprise Security?
