- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to install a fresh install of Enterprise Secur...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to install a fresh install of Enterprise Security onto a search head cluster.
I uploaded the app via the GUI onto the shc deployer, but before I click start configuration process, I note the following message:
Splunk Enterprise Security is being configured on a single search head deployment.
How do I get it to recognize it is a search head cluster deployer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ran into this same problem today. The short version is that the deployer's server.conf file needs a value for "pass4SymmKey" value in the [shclustering] stanza in order for the E.S. setup to detect that a Splunk instance is a Search Deployer (even though technically a Deployer doesn't seem to actually need this value explicitly set).
If you care for more technical detail:
Tracing backwards, you probably saw something like this in the logs:
2022-04-04 21:44:51,916+0000 INFO pid=85111 tid=MainThread file=ess_configured_handler.py:handle_ssl:230 | Standalone SH detected
Digging into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_configured_handler.py, you find the code:
def is_shc_deployer(session_key):
'''
Determine whether we are on a SHC deployer
'''
unused_r, c = rest.simpleRequest(
'configs/conf-server/shclustering', # noqa: X101
sessionKey=session_key,
getargs={'output_mode': 'json'},
raiseAllErrors=True
)
c = json.loads(c)['entry'][0]['content']
if c.get('pass4SymmKey'):
return True
return False
... so your server.conf file should have:
[shclustering]
pass4SymmKey=xxx
... in order for the auto-detection to work the way you'd expect in E.S.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ran into this same problem today. The short version is that the deployer's server.conf file needs a value for "pass4SymmKey" value in the [shclustering] stanza in order for the E.S. setup to detect that a Splunk instance is a Search Deployer (even though technically a Deployer doesn't seem to actually need this value explicitly set).
If you care for more technical detail:
Tracing backwards, you probably saw something like this in the logs:
2022-04-04 21:44:51,916+0000 INFO pid=85111 tid=MainThread file=ess_configured_handler.py:handle_ssl:230 | Standalone SH detected
Digging into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_configured_handler.py, you find the code:
def is_shc_deployer(session_key):
'''
Determine whether we are on a SHC deployer
'''
unused_r, c = rest.simpleRequest(
'configs/conf-server/shclustering', # noqa: X101
sessionKey=session_key,
getargs={'output_mode': 'json'},
raiseAllErrors=True
)
c = json.loads(c)['entry'][0]['content']
if c.get('pass4SymmKey'):
return True
return False
... so your server.conf file should have:
[shclustering]
pass4SymmKey=xxx
... in order for the auto-detection to work the way you'd expect in E.S.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@TheBravoSierra - Please make sure that you followed all pre-requisites for SHC and ES on SHC. (ex. forwarding logs, setting shclustering stanza on deployer, etc etc)
https://docs.splunk.com/Documentation/ES/7.0.1/Install/InstallEnterpriseSecuritySHC
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
