Splunk Enterprise Security

How to install a fresh install of Enterprise Security onto a search head cluster?

TheBravoSierra
Path Finder

I'm trying to install a fresh install of Enterprise Security onto a search head cluster. 

I uploaded the app via the GUI onto the shc deployer, but before I click start configuration process, I note the following message: 

Single Search Head Deployment

Splunk Enterprise Security is being configured on a single search head deployment.

How do I get it to recognize it is a search head cluster deployer? 

Labels (1)
0 Karma
1 Solution

mattchiste
Explorer

Ran into this same problem today.  The short version is that the deployer's server.conf file needs a value for "pass4SymmKey" value in the [shclustering] stanza in order for the E.S. setup to detect that a Splunk instance is a Search Deployer (even though technically a Deployer doesn't seem to actually need this value explicitly set).


If you care for more technical detail:
Tracing backwards, you probably saw something like this in the logs:

2022-04-04 21:44:51,916+0000 INFO pid=85111 tid=MainThread file=ess_configured_handler.py:handle_ssl:230 | Standalone SH detected

Digging into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_configured_handler.py, you find the code:

def is_shc_deployer(session_key):
    '''
    Determine whether we are on a SHC deployer
    '''
    unused_r, c = rest.simpleRequest(
        'configs/conf-server/shclustering',  # noqa: X101
        sessionKey=session_key,
        getargs={'output_mode': 'json'},
        raiseAllErrors=True
    )

   c = json.loads(c)['entry'][0]['content']

    if c.get('pass4SymmKey'):
        return True
    return False

... so your server.conf file should have:

[shclustering]
pass4SymmKey=xxx

... in order for the auto-detection to work the way you'd expect in E.S.

View solution in original post

mattchiste
Explorer

Ran into this same problem today.  The short version is that the deployer's server.conf file needs a value for "pass4SymmKey" value in the [shclustering] stanza in order for the E.S. setup to detect that a Splunk instance is a Search Deployer (even though technically a Deployer doesn't seem to actually need this value explicitly set).


If you care for more technical detail:
Tracing backwards, you probably saw something like this in the logs:

2022-04-04 21:44:51,916+0000 INFO pid=85111 tid=MainThread file=ess_configured_handler.py:handle_ssl:230 | Standalone SH detected

Digging into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_configured_handler.py, you find the code:

def is_shc_deployer(session_key):
    '''
    Determine whether we are on a SHC deployer
    '''
    unused_r, c = rest.simpleRequest(
        'configs/conf-server/shclustering',  # noqa: X101
        sessionKey=session_key,
        getargs={'output_mode': 'json'},
        raiseAllErrors=True
    )

   c = json.loads(c)['entry'][0]['content']

    if c.get('pass4SymmKey'):
        return True
    return False

... so your server.conf file should have:

[shclustering]
pass4SymmKey=xxx

... in order for the auto-detection to work the way you'd expect in E.S.

VatsalJagani
SplunkTrust
SplunkTrust

@TheBravoSierra  - Please make sure that you followed all pre-requisites for SHC and ES on SHC. (ex. forwarding logs, setting shclustering stanza on deployer, etc etc)

https://docs.splunk.com/Documentation/ES/7.0.1/Install/InstallEnterpriseSecuritySHC 

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...