Deployment Architecture

How to deploy the Splunk Add-on for Check Point OPSEC LEA in a multisite indexer cluster?

rccargill
New Member

Hi,

Can anyone please offer advice on how to best deploy the Splunk Add-on for Check Point OPSEC LEA on a multisite Indexer cluster?

0 Karma

mreynov_splunk
Splunk Employee

It's definitely a bad idea to install this app directly on an indexer, you will slow things down at best or grind them to a halt at worst.
re: installing on search head, yes, you need to do that, just with inputs disabled.

0 Karma

hassanali
Explorer

I was having the same problem. We do have a heavy forwarder; however, the documentation is not very clear on how to set up the HF. When I configure it as I would on an Indexer and just add an outputs.conf, it is not working.

0 Karma

gjanders
SplunkTrust

Your heavy forwarder needs to forward data to the indexer cluster; it would be best practice that your search heads are already forwarding this data so you can re-use that same configuration.

If not, create an outputs.conf to send data to the indexer cluster.

After that, the application should be straightforward to set up...

0 Karma

mikelanghorst
Motivator

While you'll want the app deployed to your indexer clusters, through the normal Cluster Master -> Indexer deployment, the inputs should definitely NOT be enabled/configured there.

You'll want a separate Heavy Forwarder somewhere in your environment, set up the Opsec app there, and have the HF forward the data to your indexers.
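As an added illustration of the heavy-forwarder setup described in the two answers above (not configuration from either poster), this is the shape of an outputs.conf on the HF that sends the OPSEC data into an indexer cluster; the hostnames, port, cluster-manager URI and site name are assumptions, and the key is a placeholder you replace with your own.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the heavy forwarder
# (assumed example; host names and ports are placeholders)

[tcpout]
defaultGroup = idxcluster
# Require indexer acknowledgement so a forwarder restart or a peer
# failover does not silently drop OPSEC events in flight.
useACK = true

# Option A: a static peer list. Every peer of the cluster is listed so
# the forwarder load-balances across them; add peers here whenever the
# cluster grows.
[tcpout:idxcluster]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997, idx4.example.com:9997

# Option B: indexer discovery. The forwarder asks the cluster manager
# for the current peer list instead, which is the usual choice for a
# multisite cluster because peers can be added or removed without
# touching every forwarder. Replace Option A's "server" line with
# "indexerDiscovery = idxcluster" and add the stanza below.
[indexer_discovery:idxcluster]
master_uri = https://cm.example.com:8089
pass4SymmKey = REPLACE_WITH_YOUR_CLUSTER_MANAGER_KEY
```

With indexer discovery on a multisite cluster, the forwarder's site affinity is set separately in server.conf (`[general]` / `site = siteN`, an assumption about your site names), and the search-head copy of the TA keeps its inputs disabled so only the HF pulls from the OPSEC LEA server.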

Chubbybunny
Splunk Employee

I'm certain this app is not supported in a cluster, you'll want to set up a Heavy forwarder then send the OPSEC data to the Indexers instead.

mreynov_splunk
Splunk Employee

If you cannot have a heavy forwarder, then install it on an indexer to ingest the data and install on SH for search time extractions (inputs disabled). The TA needs to live in both places at the same time to perform the various parts of the process.

0 Karma

gjanders
SplunkTrust

Keep in mind that since you're running the application from 1 indexer, the data will be on 1 indexer of your cluster (plus any replication settings you have...).

0 Karma

rccargill
New Member

Hi, thanks for both of your answers. Unfortunately we have not allowed for a Heavy forwarder in our Splunk environment so have no option but to configure OPSEC inputs on one of our 4 Indexer servers. I've been unable to find anything in the documentation to determine whether or not this would be supported. Can you advise where I may be able to find clarification on this? Sorry, I'm new to Splunk. If we can do this I would intend to install the app via the normal Cluster Master -> Indexer deployment and configure the OPSEC input on one of the Indexers. I believe I may also need to install the app on the Search Head servers. Any further advice would be greatly appreciated.

0 Karma