Installing Enterprise Security app in a distributed environment


We are deploying the Enterprise Security app over a distributed environment (2 indexers, 1 master and 1 search head).

Should the security app be installed on all instances or on the search head only?!

Also, what are the source types supported by the security app?!



First of all, you should install Enterprise Security on the Search Head and choose the add-ons you need,

  • then configure the add-on pack via Enterprise Security
  • then download it and add it to the cluster master
  • then push the configuration to the indexers

The whole process is described in this article:

0 Karma


I am using Splunk 6.2 and Cisco Security Suite version 3.0.3 build 100784.
A Universal Forwarder for sending the network logging data to the Forwarder
A Forwarder to receive the data
A Master/License node for my cluster.
A Deployment node to deploy the configurations onto the UFW, FW, SH.
Two Indexers (Cluster Peers)
One Search Head.
My configuration files (all apps) are deployed by the Deployment server (except those for the cluster peers)

App 1. inputs for the Universal Forwarder to define which logs and their sourcetypes:
sourcetype = cisco:asa
sourcetype = cisco:esa
sourcetype = cisco:ios
sourcetype = cisco:wsa:squid
App 2. outputs for the Universal Forwarder to define the route to the forwarder:
server =
useACK = true
App 3. inputs on the Forwarder to define the input from the Universal Forwarder:
connection_host = ip
App 4. Outputs on the Forwarder to define the route to the Indexers
server =,
useACK = true
useACK = true
App 4. Props on the Forwarder to define which route and which index file to use for particular hosts:
TRANSFORMS-netwcr = set-idx-netwerkswitches0000s, set-rt-p
App 4. Transforms on the Forwarder:
FORMAT = netwerk-switches_0000-s
DEST_KEY = _MetaData:Index
FORMAT = to-idxr-p
App 5. indexes for the Cluster Peers to deploy using the Master configuration bundle
homePath = $SPLUNK_DB/netwerk-switches_0000-s/db
coldPath = $SPLUNK_DB/netwerk-switches_0000-s/colddb
thawedPath = $SPLUNK_DB/netwerk-switches_0000-s/thaweddb
# Rotate Hot Buckets daily
maxHotSpanSecs = 86400
# Max size of Hot Bucket is 750 MB
maxDataSize = auto
# After 184 days (July + August, 4 months of 31 days), delete the buckets
# If no FrozenDir is given, /dev/null is used
frozenTimePeriodInSecs = 15897600
# Total size of Hot, Warm and Cold Buckets should never exceed 184 GB
# Based on maximum daily volume of 1 GB
maxTotalDataSizeMB = 184000
# Replication setting
repFactor = auto
Then I deploy the TA-cisco-ios onto the Cluster peers and onto the Search Head
I deploy the TA-cisco-wsa, TA-cisco-esa, TA-cisco-asa, TA-cisco-ios onto the Search Head
I deploy the SA-cisco-wsa, SA-cisco-esa, TA-cisco-asa onto the Search Head
I deploy the dashboard apps Cisco Security Suite cisco-ios onto the Search Head.

I modify the configuration, because I do not have to deploy indexer files onto the Forwarder or onto the Search Head, of course.
So finally your answer:
I deploy the dashboard app onto the Search Head only. 😉

Frank Maasdam

0 Karma
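
The retention settings in the indexes configuration above interact: buckets are frozen when either `frozenTimePeriodInSecs` or `maxTotalDataSizeMB` is reached, whichever comes first. The following check is an added example, not code from either poster; the stanza name is assumed from the index paths (the stanza header did not survive in the post), and `audit_retention` and the per-indexer on-disk daily volume are hypothetical inputs.

```python
import configparser

# Constructed sample: the settings are the ones in the post; the stanza name is
# assumed from the index paths, because the post's stanza header is missing.
SAMPLE_INDEXES_CONF = """
[netwerk-switches_0000-s]
homePath = $SPLUNK_DB/netwerk-switches_0000-s/db
coldPath = $SPLUNK_DB/netwerk-switches_0000-s/colddb
thawedPath = $SPLUNK_DB/netwerk-switches_0000-s/thaweddb
maxHotSpanSecs = 86400
maxDataSize = auto
frozenTimePeriodInSecs = 15897600
maxTotalDataSizeMB = 184000
repFactor = auto
"""

def audit_retention(conf_text, daily_mb_on_disk):
    """Return {index: report} saying which limit freezes buckets first."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    parser.read_string(conf_text)
    reports = {}
    for index in parser.sections():
        s = parser[index]
        if "frozenTimePeriodInSecs" not in s or "maxTotalDataSizeMB" not in s:
            continue  # defaults apply; this sketch only audits explicit values
        time_days = int(s["frozenTimePeriodInSecs"]) / 86400
        size_days = int(s["maxTotalDataSizeMB"]) / daily_mb_on_disk
        # Without an archive destination, frozen buckets are deleted.
        archived = "coldToFrozenDir" in s or "coldToFrozenScript" in s
        reports[index] = {
            "time_limit_days": time_days,
            "size_limit_days": size_days,
            "effective_days": min(time_days, size_days),
            "binding_limit": "size" if size_days < time_days else "time",
            "frozen_data_deleted": not archived,
        }
    return reports

if __name__ == "__main__":
    for mb in (1000, 1500):  # assumed on-disk MB per day, per indexer
        for name, report in audit_retention(SAMPLE_INDEXES_CONF, mb).items():
            print(mb, "MB/day", name, report)
```

At the 1 GB/day the comments assume, both limits land on 184 days; if the daily volume grows, the size cap removes the oldest events before the time limit does.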