All Apps and Add-ons

Cluster Deployment of Rapid7 Nexpose Add-On?

splk
Communicator

Hello,

how to setup this add-on in a cluster environment?
As far as I understand the add-on, there is a cron job triggered which gets the data from the nexpose.
So if i install the add-on on my indexer cluster, every indexer would start the cron job and get the data?!

We don't use any Heavy Forwarders at the moment to get the add-on running there.
So any advice how to setup the add-on on the indexer cluster?

Kind regards!

0 Karma

goodsellt
Contributor

Since this app does the scripted input/cron job to get data, you'll need to install it on a HF or a Search head for your data collection, plus any indexers you plan on using to index the data and the search heads you plan on searching the data from (including Splunk ES).

Once you've done that, you'll need to go to the node you've chosen as the data collector (either a SH or HF) and generate the inputs either using the web config for the TA or by hand editing the conf files provided in the TA (web gui is easier, but you'll want to change your app context to this TA before you go to settings and set everything up so the new conf files get stored within the app).

Once your Rapid7 detections are run and the input picks up the new data you'll then be able to search and so on. Not this app appears to not meet the specs for index cluster deployment as the bundles fail validation with this app (did not include a spec file for a custom .conf they have, also thinks one of the default values is invalid likely due to the lack of spec file).

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Any input-gathering app should not be on an indexer cluster peer, so without really knowing this app in particular I'm pretty sure you should move the input-gathering part to (heavy) forwarders.

If you deploy the app on one indexer cluster peer, you have asymmetrical peers - bad.
If you deploy the app on all indexer cluster peers, you will get duplicate input - bad.

0 Karma

splk
Communicator

I will get your feedback to the rapid7 support guys.
Maybe some kind of workaround is possible, e.g. exporting the results and using a universal forwarder to add the data to the indexer cluster, and disabling the cron job.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...