My distributed environment consists of:
1) Splunk Enterprise Security (Deployment Server/Search Head) - RHEL7.9
2) Splunk Indexer (Deployment Client) - RHEL7.9
3) WEF server (Windows Server 2016) which collects Windows Event Logs and sysmon events from systems that belong to the domain. There is a Splunk UF installed which forwards the events to Splunk Indexer (2).
I want to keep the data on indexer (2), but I want to be able to populate the respective data models in Splunk ES and get notable events for suspicious traffic in the domain.
Where do I have to install the necessary add-ons that will normalize the data? On Splunk ES (1) or Splunk Indexer (2)?
Thank you in advance,
Most add-ons should be installed on BOTH the indexer and the search head. That's because they often have some properties that apply at index time and others that apply at search time.
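To make the index-time versus search-time split concrete, here is a constructed Splunk configuration fragment. It is added as an illustration and is not the configuration of any real Splunk add-on or of the poster's environment: the sourcetype `sysmon:example`, the transform `sysmon_drop_noise`, the lookup `sysmon_eventcode_lookup` and the eventtype `sysmon_process_create` are all assumed names. The index-time stanza settings are consumed by the first full Splunk instance that parses the raw data, which in a universal-forwarder-to-indexer topology is the indexer; the search-time settings are evaluated by the search head and are shipped to the indexers as part of the knowledge bundle, which is why a single add-on can carry both kinds of settings and still needs to be present on both roles.

```ini
# props.conf (constructed example, not an add-on's own configuration)
[sysmon:example]
# ---- Index-time settings: applied where the data is parsed (the indexer when a UF forwards) ----
SHOULD_LINEMERGE = false
# each forwarded XML event starts with an <Event element
LINE_BREAKER = ([\r\n]+)<Event
# timestamp is taken from the SystemTime attribute; sub-second digits are ignored here
TIME_PREFIX = SystemTime='
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 40
# Sysmon XML can be long; do not truncate
TRUNCATE = 0
# index-time transform (e.g. routing noisy events to nullQueue) runs on the indexer
TRANSFORMS-drop_noise = sysmon_drop_noise

# ---- Search-time settings: applied by the search head (ES) and distributed in the knowledge bundle ----
KV_MODE = xml
# CIM Endpoint.Processes field names derived from the raw Sysmon fields
FIELDALIAS-process_path = Image AS process_path
FIELDALIAS-process_id = ProcessId AS process_id
FIELDALIAS-parent_process_path = ParentImage AS parent_process_path
# process_name is the last path component of Image ("\\" is a single backslash in eval)
EVAL-process_name = mvindex(split(Image, "\\"), -1)
EVAL-user = coalesce(User, "unknown")
# automatic lookup mapping EventCode to a CIM action value (lookup definition assumed)
LOOKUP-sysmon_action = sysmon_eventcode_lookup EventCode OUTPUT action

# transforms.conf (index-time; constructed example)
[sysmon_drop_noise]
# drop Sysmon EventCode 255 (error) events before indexing
REGEX = <EventID>255</EventID>
DEST_KEY = queue
FORMAT = nullQueue

# eventtypes.conf (search-time; constructed example)
[sysmon_process_create]
search = sourcetype=sysmon:example EventCode=1

# tags.conf (search-time; constructed example)
# the process and report tags are what the CIM Endpoint.Processes data model selects on
[eventtype=sysmon_process_create]
process = enabled
report = enabled
```

Read top to bottom, the stanza shows why one add-on package can legitimately land on both roles: if only the search-time half is deployed, events are indexed without proper line breaking and timestamps; if only the index-time half is deployed, the data is parsed correctly but never acquires the fields and tags the ES data models look for.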
Thanks for your reply. I see a lot of posts though mentioning that installing add-ons (e.g. CIM) on indexers is not recommended as this might cause performance issues on an already stressed indexer. E.g. it might cause an additional attempt at data model acceleration.
What is the best practice?
That depends on the add-on, which is why each should be examined (or at least read the docs) before it is installed.
Datamodel accelerations are initiated by search heads rather than indexers.
Configurations and updates needed for the data model to normalize the data are done on search heads only.
You need to deploy the add-ons on the search head - Splunk ES (1).
If this reply helps you, a like would be appreciated.
Thanks for your rapid reply.
What is the best solution to bring indexed data into Splunk ES and populate lookups? I see the Sec-Kit app is built to do that. Shall I install Sec-Kit in Splunk ES directly?