Splunk Enterprise Security

Enterprise Security, Staging Servers and Splunk v6.4

ChrisChalmers01
Explorer

Currently looking to upgrade from Splunk 6.3.1 to Splunk 6.4. We run a multi-site clustered environment with Enterprise Security 4.0.

Before upgrading I'd like to know if we are still required to stage our apps on a staging server before they are deployed to our search head cluster.

Information listed in "Installing a Technology Add-ons" under the heading "Distributing add-ons in a search head cluster with Splunk Enterprise 6.4" suggests we may not have to do this anymore.

Is anyone able to verify this, or have I misinterpreted it?

Thanks in advance


esix_splunk
Splunk Employee

If you are using a SHC, you will still need to stage the apps, and then deploy them using the deployer to the search head cluster.

ES adds a bit more difficulty into this, as there are some components in ES that are not able to be configured via the SHC, and these need to be configured via the DEV/Staging instance. Things such as modular inputs and threatlists still need to be configured outside of the SHC.



shandman
Path Finder

I thought the threatlists are pulled down by the individual Search Heads within the cluster? (from the internet)


ChrisChalmers01
Explorer

Hi esix, thanks for your reply. Using the Deployer to push the apps to the SHC is fine. I was more hoping, from the link attached, that we no longer had to use a staging server before pushing the apps from the Deployer.

Using a staging server in such a large environment becomes tedious. Would you be able to confirm the following?

  1. Is a staging server required for every installation/update of add-ons? (i.e. if we need to enable a new data collection of TA_Unix, does it have to be published on the staging server and then pushed to the deployer?)

  2. Is there a way to determine which "configuration items" require a staging server as mandatory? (or does every single update need to follow the staging server -> deployer model?)
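As an added example (not from this thread, from Splunk, or from any TA), a script that applies esix_splunk's rule to question 2 above: it scans a staged add-on's inputs.conf and flags enabled modular-input stanzas (any `scheme://name` stanza whose scheme is not a built-in input type) as items that must be configured on the DEV/staging instance rather than simply pushed through the deployer. The built-in scheme list, the `threatlist://` stanza form and the sample inputs.conf are assumptions constructed for this example.

```python
import configparser

# Input types built into Splunk Enterprise; any other scheme:// stanza is treated
# as a modular input. Assumption: non-exhaustive, extend it for your deployment.
BUILTIN_SCHEMES = {
    "monitor", "batch", "tcp", "tcp-ssl", "splunktcp", "splunktcp-ssl",
    "udp", "script", "fifo", "fschange", "http",
}

# Constructed sample of an add-on's default/inputs.conf (not from any real TA).
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/messages]
sourcetype = syslog

[script://./bin/vmstat.sh]
interval = 60

[threatlist://sample_feed]
url = https://intel.example.invalid/feed.csv
disabled = 0

[threatlist://retired_feed]
url = https://intel.example.invalid/old.csv
disabled = 1
"""

def is_enabled(section):
    # Splunk treats a missing "disabled" key as enabled.
    return section.get("disabled", "0").strip().lower() not in {"1", "true"}

def classify_stanzas(text):
    """Map each stanza to 'shc-ok' (push as-is via the deployer), 'needs-staging'
    (enabled modular input: configure it on the DEV/staging instance) or
    'disabled-modinput' (modular input that is switched off, nothing to configure)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive
    parser.read_string(text)
    result = {}
    for name, section in parser.items():
        if name == "DEFAULT":
            continue
        scheme = name.split("://", 1)[0] if "://" in name else None
        if scheme is None or scheme in BUILTIN_SCHEMES:
            result[name] = "shc-ok"
        else:
            result[name] = "needs-staging" if is_enabled(section) else "disabled-modinput"
    return result

if __name__ == "__main__":
    for stanza, verdict in classify_stanzas(SAMPLE_INPUTS_CONF).items():
        print(f"{verdict:18} {stanza}")
```

Point it at each `default/inputs.conf` and `local/inputs.conf` of the apps staged for the deployer; every `needs-staging` line is a configuration item that the answer above says has to be handled on the staging instance.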

ChrisChalmers01
Explorer

Sorry - I don't have enough Karma to post links in my questions. This may work - http://docs.splunk.com/Documentation/ES/4.1.1/Install/InstallTechnologyAdd-ons
