Hi,
We are planning to implement an SH cluster. We also use the OPSEC LEA Add-on for firewall log collection. The docs say: Search Head Clusters NOT supported. (http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install)
Can anyone confirm that the OPSEC add-on can be installed on an SH cluster when using only the knowledge objects part of the add-on? The scripted inputs are handled on HFs.
Regards,
Istvan
Sure, absolutely, but you’ll have to pull out whatever you need and put it in a shell app.
iirc, the opseclea app has scripted inputs that further extend its capabilities. You’ll want to disable all of that stuff and test in a lower environment if possible.
Hi,
Thanks for your answer.
"pull out whatever you need and put it in a shell app": you mean I have to collect all the needed conf files, exclude the inputs, and put them into a new app, then install the new app into the SH cluster?
If I understand you correctly, you have not installed OPSEC LEA, but have a similar app already installed in an SH cluster?
Regards,
István
http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install#Where_to_install_this_add-on