Splunk Enterprise

Add Enterprise Security to on prem clustered environment

SplunkExplorer
Contributor

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:
> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?
Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

View solution in original post

SplunkExplorer_
Engager

@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?


@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

Check DM. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

richgalloway
SplunkTrust
SplunkTrust

The ES SH should be kept separate and not joined with the existing SH into a cluster because: 1) you need at least 3 SHs to make a cluster; 2) SHs must be virgin to form a cluster; 3) ES doesn't play well with other apps and so needs to be on its own.

---
If this reply helps you, Karma would be appreciated.

SplunkExplorer
Contributor

Thanks a lot @richgalloway. Answer to Question 2 is exactly what I supposed. 

Regarding point 1, is the syntax I posted is the one to use to "insert" ES on environment or should I use another one?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH.  Create a new SH and install ES on it using the instructions in the ES manual.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...