Splunk Enterprise Security

Is it possible to use two Splunk Enterprise Security Apps on single Indexer cluster?

kiran331
Builder

Hi

Is it possible to use 2 Splunk Enterprise Security apps on 2 stand-alone search heads with the same indexer cluster? We have a requirement to separate the Enterprise Security using different indexes.

0 Karma
1 Solution

ekost
Splunk Employee

No. For practical purposes, it's technically possible but an administration nightmare. There's a specific use-case you have in mind, and it's better to address the use-case in detail instead of hacking up a workaround.

I have a separate AD Domain and about 200 servers and separate firewalls etc. If I have to use the same ES, is there a way to differentiate them?
Yes. You can use the Asset identification system in ES to categorize Assets by fields such as owner, business unit, and category. These fields can be used in ES searches and Notable Events to easily display who owns/manages the asset. The Asset fields option is completely independent of writing each data center's data into unique indexes in Splunk, thereby allowing role-based access controls to the indexes.

Is there a way to identify alerts from this environment, make them high, and add a filter in the ES app to show all related events?

Notable Events in ES are designed to perform this function.

Reading between the lines of your questions, it sounds like you're attempting to use ES similar to how an MSSP does. Again, I suggest discussing the use-case, and you can use examples such as what needs to be managed and/or displayed for one user/group that should not be made available to another ES user/group. One additional option is to discuss your requirements with your Splunk-assigned Sales Engineer.

Good luck!


0 Karma


esix_splunk
Splunk Employee

This can be done. But as maciep points out, ES is very resource intensive. Depending on your data volumes and available resources, this wouldn't be friendly to the indexers. ES places heavy load on the indexers due to heavy data model usage via data model acceleration, along with the increased load from TA and correlation searches.

If you have to actually run two instances of ES, you'd need to make sure that you not only tune your environment properly, but that you also have the underlying resources available. Mainly disk IOPS: anything less than 1200 IOPS and it's going to be a miserable experience at best. Other than that, you can tune DMA and the TAs deployed to try and reduce resource requirements, but typically this is where Splunk's Professional Services team should be contacted.

maciep
Champion

Not sure about licensing, but I think that could be really mean to do to your indexer cluster. ES runs lots of searches, dm acceleration, etc - doubling those up could be a burden on your indexers (maybe not, depends on env).

What exactly is the requirement?

0 Karma

adonio
Ultra Champion

On top of what @maciep said above, imho it is a terrible idea,
double data in datamodels and other painful processes are guaranteed:
look at these answers for example:
https://answers.splunk.com/answers/424887/where-do-data-model-summaries-reside-in-a-distribu.html
https://answers.splunk.com/answers/454932/indexer-cluster-and-search-head-cluster-with-datam.html
https://answers.splunk.com/answers/544456/is-there-a-way-to-share-a-data-model-across-2-sear.html
read a little about datamodel acceleration caveats here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/Acceleratedatamodels
like mentioned above, what is the problem you are trying to solve?
what is the requirement you need to fulfill?
hope it helps

0 Karma

kiran331
Builder

Hello,

I have a separate AD Domain and about 200 servers and separate firewalls etc. If I have to use the same ES, is there a way to differentiate them?

0 Karma

maciep
Champion

Differentiate how? Do you just need to identify, for a given alert, where it came from? Or are there different security teams or SOCs that need to work/document the incidents? Or different thresholds/rules between the domains?

If it's just a matter of the data will be in different indexes and that's it, then you should be able to get away with one instance of ES. If there are more complex requirements around roles, accessibility, permissions, etc, then you might want to elaborate on those here.

0 Karma

kiran331
Builder

We have a requirement to show metrics and incidents related to this environment, and this environment has some different priorities and has to document every incident related to it.

I thought of creating separate indexes for Windows, firewall and endpoint logs from these servers and domain controllers, and installing a new ES with only these indexes enabled in the data models.

Is there a way to identify alerts from this environment, make them high, and add a filter in the ES app to show all related events?

0 Karma