Hi
is it possible to use 2 Splunk Enterprise Security apps on 2 stand alone search heads with same Indexer cluster? we have a requirement to separate the Enterprise Security using different indexes.
No. For practical purposes, it's technically possible but an administration nightmare. There's a specific use-case you have in mind, and it's better to address the use-case in detail instead of hacking up a workaround.
I have a separate AD Domain and about 200 servers and separate firewalls etc.. if I have to use same ES, is there a way to differentiate this them?
Yes. You can use the Asset identification system in ES to categorize Assets by fields such as owner, business unit, and category. These fields can be used in ES searches and Notable Events to easily display who owns/manages the asset. The Asset fields option is completely independent of writing each data center's data into unique indexes in Splunk, thereby allowing role-based access controls to the indexes.Is there a way to identify alert from this environment and can make it high and can add a filter in the ES app to show all related events.
Notable Events in ES are designed to perform this function.
Reading between the lines of your questions, it sounds like you're attempting to use ES similar to how an MSSP does. Again, I suggest discussing the use-case, and you can use examples such as what needs to be managed and/or displayed for one user/group that should not be made available to another ES user/group. One additional option is to discuss your requirements with your Splunk-assigned Sales Engineer.
Good luck!
No. For practical purposes, it's technically possible but an administration nightmare. There's a specific use-case you have in mind, and it's better to address the use-case in detail instead of hacking up a workaround.
I have a separate AD Domain and about 200 servers and separate firewalls etc.. if I have to use same ES, is there a way to differentiate this them?
Yes. You can use the Asset identification system in ES to categorize Assets by fields such as owner, business unit, and category. These fields can be used in ES searches and Notable Events to easily display who owns/manages the asset. The Asset fields option is completely independent of writing each data center's data into unique indexes in Splunk, thereby allowing role-based access controls to the indexes.Is there a way to identify alert from this environment and can make it high and can add a filter in the ES app to show all related events.
Notable Events in ES are designed to perform this function.
Reading between the lines of your questions, it sounds like you're attempting to use ES similar to how an MSSP does. Again, I suggest discussing the use-case, and you can use examples such as what needs to be managed and/or displayed for one user/group that should not be made available to another ES user/group. One additional option is to discuss your requirements with your Splunk-assigned Sales Engineer.
Good luck!
This can be done. But as maciep points out, ES is very resource intensive. Depending on your data volumes and available resources, this wouldnt be friendly to the indexers. ES places heavy load on the indexers due to heavy data model usage via data model acceleration, along with the increased load from TA and correlation searches.
If you have to actually run two instances of ES, you'd need to make sure that you not only tune your environment properly, but that you also have available underlying resources available. Mainly disk IOPS, anything less then 1200 IOPS and its going to be a miserable experience at best. OTher then that, you can tune DMA and the TAs deployed to try and reduce resource requirements but typically this is where Splunk's Professional Services team should be contacted.
Not sure about licensing, but I think that could be really mean to do to your indexer cluster. ES runs lots of searches, dm acceleration, etc - doubling those up could be a burden on your indexers (maybe not, depends on env).
What exactly is the requirement?
on top of @maciep said above, imho it is a terrible idea,
double data in datamodels, and other painful processes are guaranteed:
look at these answers for example:
https://answers.splunk.com/answers/424887/where-do-data-model-summaries-reside-in-a-distribu.html
https://answers.splunk.com/answers/454932/indexer-cluster-and-search-head-cluster-with-datam.html
https://answers.splunk.com/answers/544456/is-there-a-way-to-share-a-data-model-across-2-sear.html
read a little about datamodel acceleration caveats here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/Acceleratedatamodels
like mentioned above, what is the problem you are trying to solve?
what is the requirement you need to fulfill?
hope it helps
Hello,
I have a separate AD Domain and about 200 servers and separate firewalls etc.. if I have to use same ES, is there a way to differentiate this them?
differentiate how? do you just need to identify for a given alert, where it came from? Ore are there different security teams or SOCs that need to work/document the incdients? Or different thresholds/rules between the domains?
If it's just a matter of the data will be in different indexes and that's it, then you should be able to get away with one instance of ES. If there are more complex requirements around roles, accessibility, permissions, etc, then you might want to elaborate on those here.
We have a requirement to show metrics and Incidents related to this environment and this Environment has some different priorities and has to document every incident related to this.
I thought of creating separate indexes for windows, firewall and endpoint logs from these servers and domain controllers and install a new es with only enabling these indexes in datamodel
Is there a way to identify alert from this environment and can make it high and can add a filter in the ES app to show all related events.