Splunk Enterprise Security

How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment?

masiddiqu
Explorer

Hi,

I am trying to simulate a cluster environment for the Splunk App for Enterprise Security. The setup is:

- Two indexers in a cluster with replication factor = 2, search factor = 2
- One search head for the ES app, another one for third-party apps
- Dedicated Cluster Master and Deployer on a single machine

I have installed the ES app on the deployer and copied the SA-ForIndexers, TA-*, Splunk_TA*, Splunk_SA* files to master-apps and pushed them to the indexer cluster. With this, it is able to create the indexes.

  1. I would like to know which directories I need to copy/push to the ES app search head node.
  2. Do I need to create a search head cluster, or can I just copy the ES app related files directly to the search head?
  3. How do I ensure that the search head sends all the data to the indexer cluster?

Thanks
siddiqu.T

0 Karma

esix_splunk
Splunk Employee

Indexer Clustering and Search Head Clustering are two separate and distinct features. You need to understand the basics of both in order to run ES in both. Based on your environment description, you do not have Search Head Clustering in mind.

Regarding Indexer Clustering, you need a working cluster before you install ES. Once you have a valid working clustered indexer environment, then you can install ES. There is an SA-ForIndexers that comes with ES; this would be placed on your Cluster Master and distributed to each indexer. This is not through the deployer; the deployer is used for SHC.

For SHC, again you need to understand how this works before you try and deploy ES on it. There is a large list of issues you need to be aware of and understand before you even attempt this. Make sure you read the documentation at:

http://docs.splunk.com/Documentation/ES/3.2.2/Install/AdvancedImp

esix_splunk
Splunk Employee

If you have SHC configured, you need 3 search heads; you can follow the documentation for deploying ES in SHC. It will involve all SA-*, SplunkforEnterpriseSecurity*, and DA-* folders.

0 Karma
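The split described in the two answers above (SA-ForIndexers on the Cluster Master for the indexers, the SA-*, SplunkforEnterpriseSecurity* and DA-* folders on the deployer for the search head cluster) is easy to get wrong by hand. The script below is an added example, not code from this thread or from Splunk: it sorts an unpacked ES app tree into a master-apps staging directory and an shcluster/apps staging directory by app name and then checks that SA-ForIndexers never ends up in the deployer bundle. The lab paths, the constructed app directories and the rule that TA-*, Splunk_TA* and Splunk_SA* add-ons are needed on both sides are assumptions, not documented Splunk behaviour.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): stage ES components for
# the two push points named in the answers above. Directory names are an
# assumed lab layout, not documented Splunk paths.
set -eu

# Decide where one app directory belongs, by its name:
#   indexers    -> $SPLUNK_HOME/etc/master-apps on the Cluster Master
#   searchheads -> $SPLUNK_HOME/etc/shcluster/apps on the deployer
#   both        -> both bundles
#   skip        -> not an ES component this script knows about
classify_app() {
  case "$1" in
    SA-ForIndexers)                          echo "indexers" ;;    # never via the deployer
    SplunkforEnterpriseSecurity*|DA-*|SA-*)  echo "searchheads" ;;
    TA-*|Splunk_TA*|Splunk_SA*)              echo "both" ;;        # assumption: add-ons carry index-time and search-time knowledge
    *)                                       echo "skip" ;;
  esac
}

# Copy each app under $1 (unpacked ES tree) into $2 (master-apps staging) and
# $3 (shcluster/apps staging). Prints one line per app so the plan can be reviewed.
stage_apps() {
  src=$1; master_apps=$2; shc_apps=$3
  mkdir -p "$master_apps" "$shc_apps"
  for path in "$src"/*/; do
    app=$(basename "$path")
    dest=$(classify_app "$app")
    case "$dest" in
      indexers)    cp -R "$path" "$master_apps/$app" ;;
      searchheads) cp -R "$path" "$shc_apps/$app" ;;
      both)        cp -R "$path" "$master_apps/$app"; cp -R "$path" "$shc_apps/$app" ;;
    esac
    printf '%-32s -> %s\n' "$app" "$dest"
  done
}

# The two checks the answers above insist on: SA-ForIndexers goes to the
# indexers only, and the search heads must carry the ES app itself.
# Returns 0 when both bundles look consistent, 1 otherwise.
verify_bundles() {
  master_apps=$1; shc_apps=$2
  [ -d "$master_apps/SA-ForIndexers" ] \
    || { echo "SA-ForIndexers missing from master-apps"; return 1; }
  [ ! -d "$shc_apps/SA-ForIndexers" ] \
    || { echo "SA-ForIndexers must not go through the deployer"; return 1; }
  ls -d "$shc_apps"/SplunkforEnterpriseSecurity* >/dev/null 2>&1 \
    || { echo "ES app missing from shcluster/apps"; return 1; }
  return 0
}

# Constructed sample tree (empty app skeletons, not a real ES extract).
build_sample_tree() {
  root=$1
  for app in SA-ForIndexers SA-ThreatIntelligence DA-ESS-AccessProtection \
             SplunkforEnterpriseSecurity TA-nix Splunk_TA_windows README; do
    mkdir -p "$root/$app/default"
  done
}

# Usage: stage the constructed tree and verify it. With a real install the
# push itself is then run on the Cluster Master:
#   splunk apply cluster-bundle
# and on the deployer (placeholder member name):
#   splunk apply shcluster-bundle -target https://<shc-member>:8089
WORK=$(mktemp -d)
build_sample_tree "$WORK/es_unpacked"
stage_apps "$WORK/es_unpacked" "$WORK/master-apps" "$WORK/shcluster/apps"
verify_bundles "$WORK/master-apps" "$WORK/shcluster/apps" && echo "bundles look consistent"
```

The verify step is the part worth keeping around: run it against the real staging directories before every `apply`, because a stray SA-ForIndexers in shcluster/apps is exactly the deployer-versus-master mix-up the first answer warns about.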

masiddiqu
Explorer

Hi,

I have completed the index cluster and pushed the SA-ForIndexers via the cluster master to the indexers. The indexes are created on both indexers.

For the search head cluster, I would like to know which directories/files we need to push to the search head nodes via the deployer.

Thanks
siddiqu.T

0 Karma