How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

horsefez
Motivator

Hi fellow splunkers,

I have a question on the installation process of the Splunk Add-on for Checkpoint OPSEC LEA.
I have read the following document:
http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install


The following section concerns me:

Distributed deployment feature   Supported
Search Head Clusters             No
Indexer Clusters                 Yes
Deployment Server                No

Should this tell me that installation via the deployer for the search head cluster is not possible?
If so, should I then manually install this app on every search head in the cluster?

Best regards,
pyro_wood

0 Karma
1 Solution

javiergn
Super Champion

I ended up installing the OPSEC add-on in a Heavy Forwarder running one of the supported Linux flavours.
If I were you I would either try that or use a Standalone Search Head.

hassanali
Explorer

Hi javiergn, I am also trying to install the latest version of OPSEC on an HF but I am not seeing any events being forwarded to the Indexer.
I am assuming you had to add an outputs.conf (standard configuration, forward events to a port and on the indexer listen on that port).
1) Are there any other changes you had to make to opseclea_connection.conf or opseclea_inputs.conf?
2) Did you make any changes on the indexer? (I am assuming you have the app installed on the indexer)

Thanks !

0 Karma
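The forwarding setup hassanali describes (HF sends to a port, indexer listens on it), written out as an added example; this is not configuration from the original thread or from the add-on itself. The hostnames, the port 9997 and the group name are assumptions for illustration. The OPSEC LEA input itself still comes from the add-on's own opseclea_connection.conf and opseclea_inputs.conf, which are not shown here.

```ini
# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# The HF parses the OPSEC LEA events locally (the add-on's props/transforms
# run here), then ships cooked data to the indexing tier.
[tcpout]
defaultGroup = checkpoint_indexers
# Do not also index on the HF: that doubles license usage for no benefit.
indexAndForward = false

[tcpout:checkpoint_indexers]
# Indexer hostnames and receiving port are assumptions for this example.
server = idx01.example.com:9997, idx02.example.com:9997

# --- Each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open the receiving port the HF forwards to.
[splunktcp://9997]
disabled = 0
```

Restart the HF after adding outputs.conf. Two things commonly explain "no events on the indexer" even when the OPSEC connection is up: the HF never opened a connection to an indexer (check the HF's metrics.log entries for group=tcpout_connections in index=_internal), or the input stanza in opseclea_inputs.conf names an index that does not exist on the indexers, in which case the indexer discards the data and logs a warning in splunkd.log rather than creating the index for you.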

javiergn
Super Champion

1)
Did you configure the OPSEC LEA object in your CheckPoint manager?
You then need to establish a session with a one-time password between your manager and your HF.

It's all here: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup

2)
No I did not make any changes on the indexer as the parsing provided by the app was good enough.

If you can't see any logs flowing take a look at the troubleshooting section first: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot

If that doesn't help, raise a new question with the specific details of your problem, as you will get a much wider audience that way. Please keep in mind this post referred to version 3 and not 4 of the OPSEC LEA app.

Thanks,
J

0 Karma

horsefez
Motivator

Thanks for your quick reply javiergn,
so you never installed this Add-on on a Search-Head?

What is the value I would get installing it on the SH?

0 Karma

javiergn
Super Champion

You can install it on a Search Head, provided it is not part of a cluster.
But I always try to isolate the collection layer to Forwarders only (Heavy or Universal), whereas Search Heads are just for searching purposes.

If the OPSEC app causes any impact on your search head or you need to restart it for whatever reason, you are bringing your search head down. Whereas if you have it on an HF, it's just the HF that is impacted.

0 Karma

horsefez
Motivator

Well... your approach on this actually makes a lot of sense. I will try to set it up on a HF.

Thank you!

0 Karma