Splunk Enterprise Security

Error installing Splunk Security Essentials

JackieTech
Explorer

Hi all, 

I am trying to install Splunk Security Essentials into a single Splunk instance from a downloaded copy of the app, via the GUI. The documentation does not list any pre-install steps.

Any suggestions would be welcome, thanks.


Splunk 9.3.1

Splunk Security Essentials 3.8.0

Error: 

There was an error processing the upload. Error during app install: failed to extract app from /tmp/tmp6xz06m51 to /opt/splunk/var/run/splunk/bundle_tmp/7364272378fc0528: No such file or directory


1 Solution

ptothehil
Explorer

Yes. I had to download Splunk Security Essentials on my personal laptop and then safe apps it to my work laptop. Next I copied the zip file up to the secure network and was able to install the application. My issue was that DISA was blocking some of the files when I downloaded from Splunk. Not sure if this helps your situation.


PickleRick
SplunkTrust

Try raising the upload file size limit, analogously to the ES installation (and if it helps, post docs feedback).


ptothehil
Explorer

I have Splunk Enterprise 9.3.1. I looked through limits.conf but am not sure where to edit. How do I increase the upload size?


PickleRick
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf

max_upload_size = <integer>
* The hard maximum limit, in megabytes, of uploaded files.
* Default: 500

But it seems that might not be it. The SSE app is just slightly over 50 MB in size, whereas ES is, as far as I remember, around 700 MB.

Unless someone lowered that limit in your environment from the default value.

Anyway, you can just deploy the app either by uploading the file to the server and running

splunk install app your_sse_archive_name_here.tgz

Or just unpack it to its proper directory in $SPLUNK_HOME/etc/apps.

SSE as far as I remember doesn't include any fancy installation process like ES does.


ptothehil
Explorer

I was not able to install the app, so I decided to go the last path by unzipping and adding to the apps location, but I get an error 0x8000ffff catastrophic failure when trying to extract. I went to download it again from Splunk and had the same issue. I tried with Edge, Chrome and Firefox. Other apps I downloaded I have no issue with, but this one I do.


ptothehil
Explorer

DISA is blocking me, so I will have to create a workaround.

Will update when I figure it out.


JackieTech
Explorer

@ptothehil did you manage to get any further with this issue?



JackieTech
Explorer

@ptothehil This is the resolution for me too. I downloaded it on a personal device and hashed it, and it was the correct hash. When attempting to bring it onto the corporate network it is being corrupted, as it is being flagged as containing a virus.
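The two threads of advice above (PickleRick's suggestion to bypass Splunk Web with `splunk install app` or by unpacking into $SPLUNK_HOME/etc/apps, and JackieTech's observation that the archive arrived corrupted while the hash of the original download was correct) both come down to one practical check before the install: prove that the file you are about to hand to Splunk is the same, intact archive the vendor published. The script below is an added example written for this page, not code from Splunk or from any poster; it validates the gzip stream, lists the tarball, checks for the single top-level app directory with default/app.conf that Splunk expects, and optionally compares a SHA-256 you copied from the download page. The demo archives it builds (demo_app, good.tgz, corrupt.tgz) are constructed for illustration and are not the real SSE files, and the expected hash is whatever you pass in, not a published value.

```shell
#!/bin/sh
# Added example: sanity-check a Splunk app archive before "splunk install app"
# or before unpacking it into $SPLUNK_HOME/etc/apps. A download rewritten or
# truncated by a proxy/AV gateway fails here with a specific reason instead of
# Splunk Web's opaque "failed to extract app ... No such file or directory".

# SHA-256 of a file, portable across coreutils (sha256sum) and macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_app_archive ARCHIVE [EXPECTED_SHA256]
# Returns 0 only if: the file exists and is non-empty; the SHA-256 matches the
# expected value when one is given; the gzip stream verifies; tar can list it;
# there is exactly one top-level directory; and that directory holds
# default/app.conf, which Splunk needs to recognise the bundle as an app.
check_app_archive() {
    archive=$1
    expected=$2

    [ -s "$archive" ] || { echo "FAIL: $archive is missing or empty" >&2; return 1; }

    if [ -n "$expected" ]; then
        actual=$(file_sha256 "$archive")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: sha256 mismatch (got $actual, expected $expected)" >&2
            return 1
        fi
    fi

    # gzip -t catches truncation and altered bytes; it says nothing about the tar inside.
    if ! gzip -t "$archive" 2>/dev/null; then
        echo "FAIL: $archive is not a valid gzip stream (truncated or altered in transit?)" >&2
        return 1
    fi

    members=$(tar -tzf "$archive" 2>/dev/null) || { echo "FAIL: tar cannot read $archive" >&2; return 1; }

    # A Splunk app archive has exactly one top-level directory named after the app.
    top=$(printf '%s\n' "$members" | sed 's#/.*##' | sort -u)
    if [ "$(printf '%s\n' "$top" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "FAIL: expected one top-level directory, found: $top" >&2
        return 1
    fi

    if ! printf '%s\n' "$members" | grep -qx "$top/default/app.conf"; then
        echo "FAIL: $top/default/app.conf not found in archive" >&2
        return 1
    fi

    echo "OK: $archive looks like Splunk app '$top'"
    return 0
}

# Constructed demo data (not real SSE archives): one well-formed app tarball and
# a copy cut to 40 bytes to stand in for a download mangled by a gateway.
build_demo_archives() {
    demo=$(mktemp -d)
    mkdir -p "$demo/demo_app/default"
    printf '[launcher]\nversion = 1.0.0\n' > "$demo/demo_app/default/app.conf"
    tar -czf "$demo/good.tgz" -C "$demo" demo_app
    head -c 40 "$demo/good.tgz" > "$demo/corrupt.tgz"
    echo "$demo"
}

# Stand-alone use:  sh check_app.sh --demo            (runs the constructed demo)
#                   sh check_app.sh FILE.tgz [SHA256]  (checks a real download)
case "${1:-}" in
    --demo)
        d=$(build_demo_archives)
        check_app_archive "$d/good.tgz"
        check_app_archive "$d/corrupt.tgz" || true
        rm -rf "$d" ;;
    "") ;;
    *)  check_app_archive "$@" ;;
esac
```

Run it against the archive on the Splunk host itself, after the transfer, not only on the machine that downloaded it: in this thread the file was fine where it was downloaded and broken after crossing the corporate network boundary. Only once the check passes hand the file to `splunk install app <archive>` or unpack it under $SPLUNK_HOME/etc/apps; a mismatched hash or a failed `gzip -t` means the bytes changed in transit, and no upload-limit tuning in web.conf will fix that.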

ptothehil
Explorer

That's awesome. Glad it worked for you too 🙂


JackieTech
Explorer

I got the same error trying to extract the file, and also when I tried a previous version, 3.7.1.

I tried the command-line install but didn't have an account it would allow.


JackieTech
Explorer

I have just tried to increase the upload max size as described here, but when attempting to install I get the same error message.

Step 2. Install Splunk Enterprise Security

The installer dynamically detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.

  1. Increase the Splunk Web upload limit to at least 2 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza.
    [settings]
    max_upload_size = 2048
  2. To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
  3. On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
  4. Click Choose File and select the Splunk Enterprise Security product file.
  5. Click Upload to begin the installation.
  6. Click Set up now to start setting up Splunk Enterprise Security.

ptothehil
Explorer

Has there been any further information regarding this error? I am still unable to install the app in Splunk.


JackieTech
Explorer

I haven't heard anything yet. I don't know if this place is active.


ptothehil
Explorer

I ran into the same issue. Waiting for a resolution as well.
