Splunk Enterprise Security

How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment?

masiddiqu
Explorer

Hi,

I am trying to simulate a cluster environment for the Splunk App for Enterprise Security. The setup is:

- Two Indexers in a cluster with Rep Factor = 2, search factor = 2
- One search head for the ES APP, the other one for third-party apps.
- Dedicated Cluster Master & Deployer on a single machine.

I have installed the ES APP on the deployer and copied the SA-ForIndexers, TA-*, Splunk_TA*, Splunk_SA* files to master-apps and pushed them to the Indexer cluster. With this, it is able to create the indexes.

  1. I would like to know which directories I need to copy/push to the ES APP search head node.
  2. Do I need to create a search head cluster, or can I just copy the ES app related files directly to the search head?
  3. How do I ensure that the search head sends all the data to the Indexer cluster?

Thanks
siddiqu.T

0 Karma

esix_splunk
Splunk Employee

Indexer Clustering and Search Head Clustering are two separate and distinct features. You need to understand the basics of both in order to run ES in both. Based on your environment description, you do not have Search Head Clustering in mind.

Regarding Indexer Clustering, you need a working cluster before you install ES. Once you have a valid working clustered indexer environment, then you can install ES. There is an SA-ForIndexers app that comes with ES; this would be placed on your Cluster Master and distributed to each indexer. This is not through the deployer; the deployer is used for SHC.

For SHC, again you need to understand how this works before you try and deploy ES on it. There is a large list of issues you need to be aware of and understand before you even attempt this. Make sure you read the documentation at:

http://docs.splunk.com/Documentation/ES/3.2.2/Install/AdvancedImp

esix_splunk
Splunk Employee

If you have SHC configured (you need 3 search heads), you can follow the documentation for deploying ES in SHC. It will involve all SA-*, SplunkforEnterpriseSecurity*, and DA-* folders.

0 Karma
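The two answers above draw one line: SA-ForIndexers travels through the Cluster Master to the indexers, while the SA-*, DA-* and SplunkforEnterpriseSecurity* folders travel through the deployer to the search head cluster members. The script below is an added example written for this thread (it is not Splunk's code and not the poster's); it sorts an unpacked ES package into those two staging directories and then checks that nothing search-head-only ended up in the indexer bundle. Assumptions not taken from the thread: the default $SPLUNK_HOME layout (master-apps on the Cluster Master, shcluster/apps on the deployer), the routing of add-ons (TA-*, Splunk_TA_*) to both tiers as the original poster did, and the sample directory names used in demo(), which are constructed.

```shell
#!/bin/sh
# Added example for this thread (not Splunk's code, not the poster's).
# Sort an unpacked ES package into the indexer-bound and search-head-bound
# staging directories of a clustered deployment, then sanity-check the result.
#
# Assumed layout (not from the thread):
#   MASTER_APPS  = cluster master's $SPLUNK_HOME/etc/master-apps   (indexers)
#   SHC_APPS     = deployer's      $SPLUNK_HOME/etc/shcluster/apps (search heads)
#
# stage_es_apps SRC MASTER_APPS SHC_APPS
stage_es_apps() {
  src="$1"; master_apps="$2"; shc_apps="$3"
  mkdir -p "$master_apps" "$shc_apps" || return 1
  for app in "$src"/*/; do
    app="${app%/}"
    name="$(basename "$app")"
    case "$name" in
      # Indexer-only bundle from the answer above; must be matched before SA-*
      SA-ForIndexers)
        cp -R "$app" "$master_apps/" || return 1 ;;
      # Add-ons: staged for both tiers, as the poster did (assumption)
      TA-*|Splunk_TA_*)
        cp -R "$app" "$master_apps/" && cp -R "$app" "$shc_apps/" || return 1 ;;
      # Everything else ES ships is search-head content for the deployer
      SA-*|DA-*|Splunk_SA_*|SplunkEnterpriseSecuritySuite)
        cp -R "$app" "$shc_apps/" || return 1 ;;
      *)
        echo "unclassified app directory left unstaged: $name" >&2 ;;
    esac
  done
}

# check_staging MASTER_APPS SHC_APPS
# Fails if a search-head-only app is about to be pushed to the indexers, or
# if the indexer-only bundle is about to be pushed to the search heads.
check_staging() {
  master_apps="$1"; shc_apps="$2"
  for app in "$master_apps"/*/; do
    name="$(basename "${app%/}")"
    case "$name" in
      SA-ForIndexers|TA-*|Splunk_TA_*) ;;
      *) echo "search-head-only app staged for indexers: $name" >&2; return 1 ;;
    esac
  done
  if [ -e "$shc_apps/SA-ForIndexers" ]; then
    echo "indexer-only bundle SA-ForIndexers staged for search heads" >&2
    return 1
  fi
  return 0
}

# demo: builds a constructed ES package (empty app skeletons, names only),
# stages it into a scratch tree, runs the check, and prints the scratch root.
demo() {
  work="$(mktemp -d)" || return 1
  for d in SA-ForIndexers SA-ThreatIntelligence DA-ESS-AccessProtection \
           Splunk_SA_CIM Splunk_TA_windows SplunkEnterpriseSecuritySuite; do
    mkdir -p "$work/es_pkg/$d/default" || return 1
  done
  stage_es_apps "$work/es_pkg" "$work/master-apps" "$work/shcluster/apps" || return 1
  check_staging "$work/master-apps" "$work/shcluster/apps" || return 1
  echo "$work"
}
```

After staging, the push itself follows the split the answer describes: on the Cluster Master, `splunk apply cluster-bundle` distributes master-apps to the indexers; on the deployer, `splunk apply shcluster-bundle -target https://<member>:8089` distributes shcluster/apps to the search head cluster members. Run check_staging before either command, since a bundle that lands on the wrong tier is pushed to every member of that tier at once.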

masiddiqu
Explorer

Hi,

I have completed the Index cluster and pushed SA-ForIndexers via the cluster master to the indexers. The indexes are created on both indexers.

For the search head cluster, I would like to know which directories/files we need to push to the search head nodes via the deployer.

Thanks
siddiqu.T

0 Karma