Installation

Installing Enterprise Security app in a distributed environment

samehatef
Engager

Hi,
We are deploying the Enterprise Security app over a distributed environment (2 indexers, 1 master and 1 search head).

Should the security app be installed on all instances or on the search head only?

Also, what source types are supported by the security app?


skulk
Explorer

First of all you should install Enterprise Security on the Search Head and choose the add-ons which you need,

  • then configure the add-on pack via Enterprise Security
  • then download it and add it to the cluster master
  • then push the configuration to the indexers

The whole process is described in this article:
http://docs.splunk.com/Documentation/ES/5.0.0/Install/InstallTechnologyAdd-ons

0 Karma

frmaasdam
Path Finder

Well.
I am using Splunk 6.2 and Cisco Security Suite version 3.0.3 build 100784.
A Universal Forwarder for sending the network logging data to the Forwarder.
A Forwarder to receive the data.
A Master/License node for my cluster.
A Deployment node to deploy the configurations onto the UFW, FW, SH.
Two Indexers (Cluster Peers).
One Search Head.
My configuration files (all apps) are deployed by the Deployment server (except those for the cluster peers).

App 1. inputs.conf for the Universal Forwarder, to define which logs to collect and their sourcetypes:

    sourcetype = cisco:asa
    sourcetype = cisco:esa
    sourcetype = cisco:ios
    sourcetype = cisco:wsa:squid

App 2. outputs.conf for the Universal Forwarder, to define the route to the forwarder:

    [tcpout:to-fwdr-p]
    server = 192.168.230.20:10300

    [tcpout-server://192.168.230.20:10300]
    useACK = true

App 3. inputs.conf on the Forwarder, to define the input from the Universal Forwarder:

    [splunktcp://10300]
    connection_host = ip

App 4. outputs.conf on the Forwarder, to define the route to the Indexers:

    # Group name taken from FORMAT = to-idxr-p in the transforms.conf below;
    # the stanza header was missing from the posted fragment
    [tcpout:to-idxr-p]
    server = 192.168.230.21:9991, 192.168.230.23:9992

    [tcpout-server://192.168.230.21:9991]
    useACK = true

    [tcpout-server://192.168.230.23:9992]
    useACK = true

App 4. props.conf on the Forwarder, to define which route and which index to use for particular hosts:

    [host::d*cr01]
    TRANSFORMS-netwcr = set-idx-netwerkswitches0000s, set-rt-p

App 4. transforms.conf on the Forwarder:

    # Send every event from the matched hosts to the netwerk-switches_0000-s index
    [set-idx-netwerkswitches0000s]
    REGEX = .
    FORMAT = netwerk-switches_0000-s
    DEST_KEY = _MetaData:Index

    # Send every event from the matched hosts over the to-idxr-p output group
    [set-rt-p]
    REGEX = .
    FORMAT = to-idxr-p
    DEST_KEY = _TCP_ROUTING

App 5. indexes.conf for the Cluster Peers, deployed via the Master configuration bundle:

    [netwerk-switches_0000-s]
    homePath = $SPLUNK_DB/netwerk-switches_0000-s/db
    coldPath = $SPLUNK_DB/netwerk-switches_0000-s/colddb
    thawedPath = $SPLUNK_DB/netwerk-switches_0000-s/thaweddb
    # Rotate hot buckets daily
    maxHotSpanSecs = 86400
    # Max size of a hot bucket is 750 MB (the "auto" default)
    maxDataSize = auto
    # After 184 days (July + August, 4 months of 31 days), delete the buckets
    # If no FrozenDir is given, /dev/null is used
    frozenTimePeriodInSecs = 15897600
    # Total size of hot, warm and cold buckets should never exceed 184 GB
    # Based on a maximum daily volume of 1 GB
    maxTotalDataSizeMB = 184000
    # Replication setting
    repFactor = auto
Then I deploy the TA-cisco-ios onto the Cluster Peers and onto the Search Head.
I deploy the TA-cisco-wsa, TA-cisco-esa, TA-cisco-asa and TA-cisco-ios onto the Search Head.
I deploy the SA-cisco-wsa, SA-cisco-esa and TA-cisco-asa onto the Search Head.
I deploy the dashboard app Cisco Security Suite (cisco-ios) onto the Search Head.

I modify the configuration, because of course I do not have to deploy the indexer files onto the Forwarder or onto the Search Head.
So finally, your answer:
I deploy the dashboard app onto the Search Head only. 😉

Regards,
Frank Maasdam

0 Karma
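The routing in the answer above spans four files on three tiers (outputs.conf and props.conf/transforms.conf on the heavy forwarder, indexes.conf in the master bundle), and a typo in any one of them silently sends events to the wrong index or drops them on the floor. The following is an added example, not code from the original post or from Splunk: a small Python checker that parses .conf-style text and cross-references the stanzas the way a reviewer would before pushing a bundle. The input configs are constructed inline and modelled on the thread's stanzas; OUTPUTS_BAD is a deliberately broken variant (missing `[tcpout:...]` group header, one peer without useACK) built to show what the check catches. Stanza semantics assumed: settings above the first header belong to `[default]`, TRANSFORMS-* values are comma-separated transform names, and `_TCP_ROUTING` / `_MetaData:Index` FORMAT values must name an output group or index respectively.

```python
"""Cross-reference check for Splunk forwarder routing configs (added example).

Verifies that:
  * every tcpout-server stanza in outputs.conf has useACK = true
  * every TRANSFORMS-* entry in props.conf names a transforms.conf stanza
  * every _TCP_ROUTING FORMAT names a [tcpout:<group>] stanza in outputs.conf
  * every _MetaData:Index FORMAT names a stanza in indexes.conf
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; comments and blanks skipped.
    Keys seen before any [header] are attributed to the implicit [default] stanza."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if '=' not in line:
            continue
        if current is None:
            current = 'default'
            stanzas.setdefault(current, {})
        key, _, value = line.partition('=')
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_routing(outputs, props, transforms, indexes):
    """Return a list of problem strings; an empty list means the four files agree."""
    problems = []
    groups = {s[len('tcpout:'):] for s in outputs if s.startswith('tcpout:')}
    for stanza, kv in outputs.items():
        if stanza.startswith('tcpout-server://') and kv.get('useACK', '').lower() != 'true':
            problems.append(f'{stanza}: useACK is not true')
    for stanza, kv in props.items():
        for key, value in kv.items():
            if not key.startswith('TRANSFORMS-'):
                continue
            for name in (n.strip() for n in value.split(',')):
                if name not in transforms:
                    problems.append(f'props [{stanza}] {key}: transform "{name}" not defined')
    for name, kv in transforms.items():
        dest, fmt = kv.get('DEST_KEY'), kv.get('FORMAT')
        if dest == '_TCP_ROUTING' and fmt not in groups:
            problems.append(f'transforms [{name}]: routes to unknown tcpout group "{fmt}"')
        elif dest == '_MetaData:Index' and fmt not in indexes:
            problems.append(f'transforms [{name}]: sets undefined index "{fmt}"')
    return problems


# Constructed sample configs modelled on the thread (not the poster's files).
PROPS = """
[host::d*cr01]
TRANSFORMS-netwcr = set-idx-netwerkswitches0000s, set-rt-p
"""
TRANSFORMS = """
[set-idx-netwerkswitches0000s]
REGEX = .
FORMAT = netwerk-switches_0000-s
DEST_KEY = _MetaData:Index

[set-rt-p]
REGEX = .
FORMAT = to-idxr-p
DEST_KEY = _TCP_ROUTING
"""
INDEXES = """
[netwerk-switches_0000-s]
homePath = $SPLUNK_DB/netwerk-switches_0000-s/db
repFactor = auto
"""
OUTPUTS_GOOD = """
[tcpout:to-idxr-p]
server = 192.168.230.21:9991, 192.168.230.23:9992

[tcpout-server://192.168.230.21:9991]
useACK = true

[tcpout-server://192.168.230.23:9992]
useACK = true
"""
# Deliberately broken variant: no [tcpout:to-idxr-p] header, so "server ="
# lands in [default] and the routing group does not exist; second peer lacks useACK.
OUTPUTS_BAD = """
server = 192.168.230.21:9991, 192.168.230.23:9992

[tcpout-server://192.168.230.21:9991]
useACK = true

[tcpout-server://192.168.230.23:9992]
"""


def audit(outputs_text, props_text=PROPS, transforms_text=TRANSFORMS, indexes_text=INDEXES):
    """Parse the four files and return the list of cross-reference problems."""
    return check_routing(parse_conf(outputs_text), parse_conf(props_text),
                         parse_conf(transforms_text), parse_conf(indexes_text))


if __name__ == '__main__':
    for label, text in (('good', OUTPUTS_GOOD), ('bad', OUTPUTS_BAD)):
        print(label, audit(text) or ['OK'])
```

Run it against real files by reading them into `audit()` in place of the constructed strings; running the check before `splunk apply cluster-bundle` (and before the deployment server pushes the forwarder apps) catches the class of mistake where a transform names a routing group or index that exists nowhere in the deployment.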