
How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

New Member

Hi,

Can anyone please offer advice on how to best deploy the Splunk Add-on for Check Point OPSEC LEA on a multisite Indexer cluster?

0 Karma

Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

Splunk Employee

I'm certain this app is not supported in a cluster; you'll want to set up a heavy forwarder, then send the OPSEC data to the indexers instead.


Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

New Member

Hi, thanks for both of your answers. Unfortunately we have not allowed for a heavy forwarder in our Splunk environment, so we have no option but to configure OPSEC inputs on one of our 4 indexer servers. I've been unable to find anything in the documentation to determine whether or not this would be supported. Can you advise where I may be able to find clarification on this? Sorry, I'm new to Splunk. If we can do this, I would intend to install the app via the normal Cluster Master -> Indexer deployment and configure the OPSEC input on one of the indexers. I believe I may also need to install the app on the search head servers. Any further advice would be greatly appreciated.

0 Karma

Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

Splunk Employee

If you cannot have a heavy forwarder, then install it on an indexer to ingest the data and install it on the SH for search-time extractions (inputs disabled). The TA needs to live in both places at the same time to perform the various parts of the process.

0 Karma

Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

SplunkTrust

Keep in mind that since you're running the application from 1 indexer, the data will be on 1 indexer of your cluster (plus any replication settings you have...).

0 Karma

Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

Motivator

While you'll want the app deployed to your indexer clusters, through the normal Cluster Master -> Indexer deployment, the inputs should definitely NOT be enabled/configured there.

You'll want a separate Heavy Forwarder somewhere in your environment, set up the OPSEC app there, and have the HF forward the data to your indexers.


Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

Splunk Employee

It's definitely a bad idea to install this app directly on an indexer; you will slow things down at best or grind them to a halt at worst.
Re: installing on the search head, yes, you need to do that, just with inputs disabled.

0 Karma

Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

Explorer

I was having the same problem. We do have a heavy forwarder; however, the documentation is not very clear on how to set up the HF. When I configure it as I would on an indexer and just add an outputs.conf, it is not working.

0 Karma

Re: How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

SplunkTrust

Your heavy forwarder needs to forward data to the indexer cluster; it would be best practice that your search heads are already forwarding this data, so you can re-use that same configuration.

If not, create an outputs.conf to send data to the indexer cluster.

After that, the application should be straightforward to set up...

0 Karma
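The split the thread converges on (inputs only on the heavy forwarder, the TA with inputs disabled on the search head, and an outputs.conf on the HF pointing at the indexer cluster) can be written down as two small config fragments. This is an added example, not configuration from the thread or from the add-on itself. The hostnames, the `cp_cluster`/`cp_indexers` group names, the symmetric key and the `[opseclea://...]` stanza name are placeholders; check the add-on's own default/inputs.conf for the real stanza name before disabling it.

```ini
# --- $SPLUNK_HOME/etc/system/local/outputs.conf on the HEAVY FORWARDER ---
# Added example; hostnames, group names and the key are placeholders.
# Indexer discovery lets the HF learn the peer list from the cluster
# master instead of hard-coding indexers, so a multisite cluster can
# add or retire peers without touching the forwarder.
[indexer_discovery:cp_cluster]
master_uri = https://cluster-master.example.local:8089
pass4SymmKey = REPLACE_WITH_INDEXER_DISCOVERY_KEY

[tcpout]
defaultGroup = cp_indexers

[tcpout:cp_indexers]
indexerDiscovery = cp_cluster
# Indexer acknowledgement: the HF keeps a copy until a peer confirms the
# data was written, so an indexer restart does not silently drop events.
useACK = true

# Alternative without indexer discovery: list peers from both sites
# explicitly (placeholder hostnames) and drop the indexerDiscovery line.
# server = idx1.site1.example.local:9997, idx1.site2.example.local:9997

# --- $SPLUNK_HOME/etc/system/local/server.conf on the HEAVY FORWARDER ---
# Optional site affinity for multisite clusters: prefer peers in site1.
[general]
site = site1

# --- <TA>/local/inputs.conf on the SEARCH HEAD ---
# The TA is installed here only for search-time extractions, so every
# OPSEC input stanza is disabled. Stanza name is a placeholder.
[opseclea://REPLACE_WITH_INPUT_NAME]
disabled = 1
```

The `pass4SymmKey` under `[indexer_discovery:cp_cluster]` must match the one in the `[indexer_discovery]` stanza of the cluster master's server.conf, which is the setting that turns discovery on there. After restarting the HF, `splunk btool outputs list --debug` shows which file each setting came from (the usual cause of "I added an outputs.conf and it is not working" is a competing stanza in another app), and `splunk list forward-server` shows whether the peers are listed as active or configured-but-inactive, which separates a forwarding problem from an add-on problem.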