Splunk Enterprise Security

How to install a fresh install of Enterprise Security onto a search head cluster?

TheBravoSierra
Path Finder

I'm trying to install a fresh install of Enterprise Security onto a search head cluster. 

I uploaded the app via the GUI onto the shc deployer, but before I click start configuration process, I note the following message: 

Single Search Head Deployment

Splunk Enterprise Security is being configured on a single search head deployment.

How do I get it to recognize it is a search head cluster deployer? 

Labels (1)
0 Karma
1 Solution

mattchiste
Explorer

Ran into this same problem today.  The short version is that the deployer's server.conf file needs a value for "pass4SymmKey" value in the [shclustering] stanza in order for the E.S. setup to detect that a Splunk instance is a Search Deployer (even though technically a Deployer doesn't seem to actually need this value explicitly set).


If you care for more technical detail:
Tracing backwards, you probably saw something like this in the logs:

2022-04-04 21:44:51,916+0000 INFO pid=85111 tid=MainThread file=ess_configured_handler.py:handle_ssl:230 | Standalone SH detected

Digging into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_configured_handler.py, you find the code:

def is_shc_deployer(session_key):
    '''
    Determine whether we are on a SHC deployer
    '''
    unused_r, c = rest.simpleRequest(
        'configs/conf-server/shclustering',  # noqa: X101
        sessionKey=session_key,
        getargs={'output_mode': 'json'},
        raiseAllErrors=True
    )

   c = json.loads(c)['entry'][0]['content']

    if c.get('pass4SymmKey'):
        return True
    return False

... so your server.conf file should have:

[shclustering]
pass4SymmKey=xxx

... in order for the auto-detection to work the way you'd expect in E.S.

View solution in original post

mattchiste
Explorer

Ran into this same problem today.  The short version is that the deployer's server.conf file needs a value for "pass4SymmKey" value in the [shclustering] stanza in order for the E.S. setup to detect that a Splunk instance is a Search Deployer (even though technically a Deployer doesn't seem to actually need this value explicitly set).


If you care for more technical detail:
Tracing backwards, you probably saw something like this in the logs:

2022-04-04 21:44:51,916+0000 INFO pid=85111 tid=MainThread file=ess_configured_handler.py:handle_ssl:230 | Standalone SH detected

Digging into /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/bin/ess_configured_handler.py, you find the code:

def is_shc_deployer(session_key):
    '''
    Determine whether we are on a SHC deployer
    '''
    unused_r, c = rest.simpleRequest(
        'configs/conf-server/shclustering',  # noqa: X101
        sessionKey=session_key,
        getargs={'output_mode': 'json'},
        raiseAllErrors=True
    )

   c = json.loads(c)['entry'][0]['content']

    if c.get('pass4SymmKey'):
        return True
    return False

... so your server.conf file should have:

[shclustering]
pass4SymmKey=xxx

... in order for the auto-detection to work the way you'd expect in E.S.

VatsalJagani
Champion

@TheBravoSierra  - Please make sure that you followed all pre-requisites for SHC and ES on SHC. (ex. forwarding logs, setting shclustering stanza on deployer, etc etc)

https://docs.splunk.com/Documentation/ES/7.0.1/Install/InstallEnterpriseSecuritySHC 

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...