Dear Team,
I installed Enterprise Security on the search head and downloaded Splunk_TA_ForIndexer from the ES General settings.
Now I am stuck on the UF technology add-on. Where can I find it? There is no option in the ES interface and I can't find it on the Splunkbase portal.
I tried multiple search keywords on Splunkbase with no luck.
It might be that those particular kinds of sources are not covered by any ready-made add-ons.
Splunk-supported add-ons usually have their documentation on https://docs.splunk.com/
Third-party add-ons - well, here you're on your own and at the mercy of the add-on creator.
I appreciate all your efforts.
Now, to make things clear:
1- Do I need to install a TA add-on on the UF for ES? (yes or no) Note that all my values on the Security Posture dashboard are still zero although I enabled all correlation searches.
2- If yes, I need it on the UF; from where can I download it? Note that I didn't find any such TA on Splunkbase.
Thanks once again.
First, do NOT enable all ES correlation searches. That will cause more problems than it will solve. Enable only the correlation searches that pertain to your use cases and for which you have data ingested in Splunk.
Where a TA should be installed depends on what the TA does. The installation instructions for the TA should specify the location. If they don't, use the "Where to install" link I provided earlier. Generally speaking, it can't hurt to install a TA on both indexers and UFs.
Splunkbase is the source for most Splunk TAs. Others can be downloaded from the vendors that created them for their products. Still others are available from GitHub. It can be difficult to locate a TA without knowing the name, however. What do you want the TA to do? Perhaps we can help you find something appropriate.
Can you share the UF TA, specifically the one used for ES?
Or the download link or any helpful screenshot.
There is no UF add-on specific to ES. ES can produce an add-on for your indexers, but that method can be used only in limited circumstances. See https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallTechnologyAdd-ons#Deploy_add-ons_to_fo... for when it can be used and alternatives for other environments. I recommend manual installation of add-ons.
Again - there is no such thing as an "add-on for UF". There are several different add-ons (which you install on various components of your Splunk infrastructure, including UFs) needed for the specific solution you want to ingest data from.
So if you want to process logs from Checkpoint firewalls, you use TA for Checkpoint. If you get logs from Proofpoint you install UF for Proofpoint. And so on.
So if I have 50 devices, do I need to install the TA on all 50? Let's assume Cisco, Fortinet, Palo Alto ...
So is it not enough to install the TA on the indexers, given that such devices are already sending their logs to the indexer?
TA_for_indexers contains only the installation part needed for indexers (definition of indexes) that are needed for ES to work. But it's just so that ES on its own is "fully installed".
Apart from that Splunk (and ES too) needs to know how to work with specific types of data provided by various kinds of sources. That's what TAs for those sources are for.
So yes, if you have 40 _types_ of devices, you might need 40 different TAs. Often TAs contain definitions, parsing rules and CIM mappings for multiple sources from a single vendor (so you might not need a separate TA for every single type of Juniper firewall, just a single TA able to parse JunOS events).
OK, much clearer.
I have Cisco switches and tried to search for that add-on but with no luck. I can see Cisco ESA, WSA, ISE ... but not IOS for switches or routers?
Moreover, the installation tab is empty; it does not include the installation steps.
Any advice here?
Why are you looking for that TA? What problem are you trying to solve? What documentation said to install the UF TA?
If you are a Splunk Cloud customer, the UF TA is available from your Splunk Cloud search head. Open the "Universal Forwarder" app then click the green Download button. If you are not a Splunk Cloud customer then you probably don't need the TA, depending on the answers to the above questions.
I am using Splunk fully on-prem - no cloud option.
As per the documentation, the TA is to be installed on the UF; you can refer to the link below.
https://community.splunk.com/t5/Security/Universal-Forwarder-Technology-Add-On/m-p/669359#M17403
As I understood it, the TA is to be installed on the indexers (already done) and on the UF.
Thanks
The link provided is to this question, not to any documentation.
If the TA is already installed on the indexers then you have what you need. Just install the same TA on the forwarders.
https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
Here is the correct link.
No one mentioned that it is the same TA for both. Did you try this before?
As per the documentation it should be downloaded directly from Splunkbase, but I can't find it. The only thing I found is "Splunk-add-on-for-windows", but I'm not sure if that's it or not.
Thanks
There's a lot of Splunk documentation so I understand why you don't have all the information yet. See https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall for tips on where to install TAs. The instructions that come with the TA are the best guide, however.
Splunkbase apps should be obtained directly from Splunkbase rather than via 3rd-party sources that may not be reputable. However, once you've downloaded the TA it does not need to be downloaded again until a new version is available. The one downloaded copy may be installed as many times as you wish.
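As an added illustration of the "where to install" logic discussed in this thread (example code written for this page, not from Splunk's documentation or from any Splunkbase package): a small checker that reads a TA's default/*.conf files and reports which tier needs it. The tier mapping is a heuristic assumption (index-time props settings act where data is parsed, search-time settings on the search head, inputs on forwarders, indexes.conf on indexers), and the sample "TA-example-firewall" it builds is constructed for the demo.

```python
import configparser
import tempfile
from pathlib import Path

# Heuristic (assumption, not Splunk's official placement rule): index-time settings
# apply where data is parsed (indexers/heavy forwarders), search-time settings on the
# search head, input stanzas on forwarders, and indexes.conf only on indexers.
INDEX_TIME = ("LINE_BREAKER", "SHOULD_LINEMERGE", "TIME_PREFIX", "TIME_FORMAT",
              "TRUNCATE", "MAX_TIMESTAMP_LOOKAHEAD", "TRANSFORMS-", "SEDCMD-")
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")

def load_conf(path):
    """Read a Splunk .conf file (INI-like); a missing file yields an empty parser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    if path.exists():
        cp.read(path)
    return cp

def tiers_for_ta(ta_dir):
    """Return {tier: [reasons]} naming the components that need this TA installed."""
    d = Path(ta_dir) / "default"
    tiers = {}
    def note(tier, why):
        tiers.setdefault(tier, []).append(why)
    if (d / "indexes.conf").exists():
        note("indexer", "indexes.conf defines indexes")
    if load_conf(d / "inputs.conf").sections():
        note("forwarder", "inputs.conf has input stanzas")
    props = load_conf(d / "props.conf")
    for stanza in props.sections():
        for key in props[stanza]:
            if key.startswith(INDEX_TIME):
                note("indexer", f"props.conf [{stanza}] {key}")
            elif key.startswith(SEARCH_TIME):
                note("search head", f"props.conf [{stanza}] {key}")
    return tiers

def build_sample_ta():
    """Constructed sample TA (hypothetical; not a real Splunkbase package)."""
    root = Path(tempfile.mkdtemp()) / "TA-example-firewall"
    (root / "default").mkdir(parents=True)
    (root / "default" / "inputs.conf").write_text(
        "[monitor:///var/log/firewall.log]\nsourcetype = example:firewall\n")
    (root / "default" / "props.conf").write_text(
        "[example:firewall]\nSHOULD_LINEMERGE = false\nTIME_PREFIX = ^\n"
        "EXTRACT-action = action=(?<action>\\w+)\nFIELDALIAS-src = src_ip AS src\n")
    return root
```

Running `tiers_for_ta(build_sample_ta())` on the constructed TA reports forwarder (inputs), indexer (line breaking and timestamp settings) and search head (field extraction and alias), which is why the same package ends up on more than one tier.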
It's a general method of installing addons. You need addons for your particular sources.