
Can anyone confirm that OPSEC add-on can be installed on a Search Head cluster when using only the knowledge objects part of the add-on?

ikulcsar
Communicator

Hi,

We are planning to implement SH cluster. We also use OPSEC LEA Add-on for the firewall log collection. Docs say: Search Head Clusters NOT supported. (http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install)

Can anyone confirm that OPSEC add-on can be installed on a SH cluster when using only the knowledge objects part of the add-on? The scripted inputs are handled on HFs.

Regards,
Istvan

0 Karma
1 Solution

jkat54
SplunkTrust

Sure, absolutely, but you’ll have to pull out whatever you need and put it in a shell app.

iirc, the opseclea app has scripted inputs that further extend its capabilities. You’ll want to disable all of that stuff and test in a lower environment if possible.


0 Karma
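The "shell app" approach from the accepted answer, as an added example that is not from this thread or from the OPSEC LEA add-on itself: keep only the search-time knowledge-object conf files and lookups, drop bin/ and inputs.conf so the scripted inputs stay on the heavy forwarders, then audit the result for any input stanza that is still enabled before handing it to the SHC deployer. The set of conf files treated as knowledge objects and the sample add-on layout are assumptions.

```python
"""Carve the search-time knowledge objects out of a Splunk add-on for an SHC.
Assumed layout: <app>/default/*.conf, <app>/bin/, <app>/lookups/ (not OPSEC-specific)."""
import configparser
import shutil
import tempfile
from pathlib import Path

# Assumed set of conf files holding search-time knowledge objects.
KNOWLEDGE_CONFS = {"app.conf", "props.conf", "transforms.conf", "eventtypes.conf",
                   "tags.conf", "macros.conf", "savedsearches.conf"}

def active_input_stanzas(inputs_conf: Path) -> list[str]:
    """Stanzas in an inputs.conf that are not explicitly disabled (disabled = 1)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read(inputs_conf)
    return [s for s in cp.sections()
            if cp.get(s, "disabled", fallback="0").strip().lower() not in ("1", "true")]

def build_shell_app(src: Path, dst: Path) -> list[str]:
    """Copy knowledge-object files and lookups; drop bin/ and inputs.conf. Returns dropped."""
    dropped = []
    for path in (p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        if rel.parts[0] == "bin" or path.name == "inputs.conf":
            dropped.append(str(rel))  # collection logic stays on the HFs
        elif path.name in KNOWLEDGE_CONFS or rel.parts[0] == "lookups":
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dst / rel)
    return dropped

def audit_shell_app(app: Path) -> list[str]:
    """Every input stanza that would still run if this app directory were deployed."""
    return [f"{c.relative_to(app)}:[{s}]"
            for c in app.rglob("inputs.conf") for s in active_input_stanzas(c)]

def demo() -> dict:
    """Run the tools on a constructed sample add-on in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "TA-sample", root / "TA-sample-shell"
    (src / "default").mkdir(parents=True)
    (src / "bin").mkdir()
    (src / "default" / "props.conf").write_text("[sample:fw]\nSHOULD_LINEMERGE = false\n")
    (src / "default" / "inputs.conf").write_text(  # constructed sample stanzas
        "[script://./bin/collect.py]\ninterval = 60\n\n[script://./bin/legacy.py]\ndisabled = 1\n")
    (src / "bin" / "collect.py").write_text("# constructed placeholder collector\n")
    return {"dropped": sorted(build_shell_app(src, dst)),
            "src_active": audit_shell_app(src), "shell_active": audit_shell_app(dst),
            "shell_files": sorted(str(p.relative_to(dst)) for p in dst.rglob("*") if p.is_file())}
```

Run `audit_shell_app()` on the finished bundle before pushing it with the deployer; an empty list means no scripted or modular input would start on the search heads.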

ikulcsar
Communicator

Hi,

Thanks for your answer.

"pull out whatever you need and put it in a shell app": you mean I have to collect all the needed conf files, exclude the inputs, put them into a new app, and then install the new app into the SH cluster?

If I understand you correctly, you haven't installed OPSEC LEA, but you already have a similar app installed in your SH cluster?

Regards,
István

0 Karma

jkat54
SplunkTrust

  1. Almost never do we ever install modular input apps on SHCs.
  2. Refer to the documentation for instructions on installing in an SHC:

http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install#Where_to_install_this_add-on

0 Karma