Where should the "Cisco AMP for Endpoints CIM Add-On" and the "Cisco AMP for Endpoints Events Input" be installed?
Has anyone used this in a distributed environment? The doco is a bit sketchy in that it doesn't say whether to install this add-on on the indexers or search heads. It only briefly mentions a 'local Splunk instance'. Would it be better to run it on a dedicated heavy forwarder instead of across a search head cluster or indexer cluster?
Thanks.
We have it installed on a heavy forwarder.