Splunk Enterprise Security Post-Install Configuration

Gregski11 · ‎01-13-2023

Splunk 9.0.0 on Windows servers

So I clicked on Apps \ Enterprise Security and I was greeted with that error

App configuration

The "Enterprise Security" app has not been fully configured yet.

This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required.

Unknown search command 'essinstall'.

OK

PickleRick · ‎01-14-2023

1. SA-EndpointProtection has nothing to do with Symantec.

2. Did you bother to read https://docs.splunk.com/Documentation/ES/7.0.2/Install/Overview ?

Gregski11 · ‎01-13-2023

next I attempted to install the app using the CLI as per the manual

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Managingappobjects?ref=hk

splunk install app <app_package_filename> -update 1 -auth <username>:<password>

Gregski11 · ‎01-13-2023

alright this one really bothers me because Splunk is saying we MUST have a branded product called Symantec Endpoint Protection enabled in order to configure Enterprise Security

Think about it, do you even own this product?

Gregski11 · ‎01-13-2023

I know stop it already, I get it:

so we gonna double up on these

Gregski11 · ‎01-13-2023

well now I'm pot committed

Gregski11 · ‎01-13-2023

ah yup

Error occurred attempting to enable SA-AuditAndDataProtection: .

Gregski11 · ‎01-13-2023

alright at this point I'm seriously thinking I should have read some sort of a prerequisits doc but:

SA-AuditDataProtection needs to be enabled as well

Gregski11 · ‎01-13-2023

and more of this

Error occurred attempting to enable SA-AuditAndDataProtection: .

Gregski11 · ‎01-13-2023

and then it was on to the next error

SA-IdentityManagement

Gregski11 · ‎01-13-2023

well I did not expect this: 503 Service Unavailable

Gregski11 · ‎01-13-2023

one step forward one step back

another click another error: SA-NetworkProtection app appears to be disabled

Gregski11 · ‎01-13-2023

alright, second verse same as the first, find the SA-NetworkProtection app and Enable it

Error occurred attempting to enable SA-NetworkProtection: .

Gregski11 · ‎01-13-2023

ok the CLI install was succesfull but now the

Splunk Enterprise Security Post-Install Configuration

fails with this error, why is this so difficult?

Gregski11 · ‎01-13-2023

ok so I recon that Splunk SA Scientific Python app was just disabled, no biggie, enabled it and pressed on

Gregski11 · ‎01-13-2023

so I downloaded the latest version of Splunk Enterprise Security and attempted to Install the App from File, only to be greeted with yet another vague error:

splunk-enterprise-security_710.spl

What is this error: Unknown search command 'essinstall'.?

App configuration

installation

Splunk Enterprise Security Post-Install Configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

What is this error: Unknown search command 'essinstall'.?

App configuration

installation

Splunk Enterprise Security Post-Install Configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...