Splunk Enterprise Security

How and where to deploy the Splunk App for Enterprise Security in my environment?

kormot
New Member

I am currently a bit confused about how many servers I would need to deploy Splunk with Enterprise Security in our environment.

This is what I know so far:
Enterprise Security - Dedicated Search Head (Can this also be the indexer, or should it be separate from the indexer?)
Splunk Search Head - Currently sizing for about 22 users and could be adding more in the future, maybe 5 additional users. Would it be sufficient to have 4 CPUs with 6 cores/CPU = 24 cores total?
Indexer - Same question as above; can this be where I would install Enterprise Security, or should it be separate?
Deployment Server - Mini search head. Not sure what apps should be installed; how much hardware would I need for this?
Syslog Server - Not sure if this is necessary; what do I need this for? What are its benefits? (syslog-ng was recommended.) How much hardware would I also need for this?

So far I am at 3 physical servers (ES Dedicated Search Head, Indexer, Splunk Search Head).
The other two servers can be VMs, as I was told.

Additional info: indexing about 150GB of data with a retention of 6 months (searchable logs) = 15TB of SAN space needed; 3 months would be just 8TB of SAN space, and then logs can be archived right after. (Do I need more space for archived logs?)


ChrisG
Splunk Employee

My thoughts here are:

  1. Contact Splunk Professional Services and have them help you with this. Enterprise Security is not simple to deploy and you will benefit from their guidance.
  2. Read the deployment planning topics in the Installation and Configuration Guide for the basics, if you have not already done so.

kormot
New Member

Hello, just wondering if there is anyone who can guide me in the right direction, mainly in regards to the indexer. Can the indexer also be where I install my Splunk App for Enterprise Security?
