
Splunk and the VMware Tanzu Ecosystem. Splunk Firehose Nozzle for VMware Tanzu has the following system requirements: an external Splunk Enterprise or Splunk Cloud 6.x or above deployment, configured with an HTTP Event Collector (HEC) token to receive data.
Splunk Enterprise Requirements: Install Splunk in a Distributed Deployment

This guide has been assembled to provide a checklist and considerations for the installation and configuration of Enterprise Security. It is intended to help with the overall tasks needed to install Splunk in a distributed deployment suitable for the enterprise, e.g. an Enterprise Security use case. You can now deploy a single Ubuntu Virtual Machine or.

REST endpoint access requirements: querying the server/health/splunkd endpoint directly requires access to the splunkd management port (default port 8089) over http. You can view the same information in the splunkd health report in Splunk Web; Proactive Splunk component monitoring displays information from the server/health/splunkd endpoint.

Preparation:
* Create a local Splunk account and a splunk domain user for system activities.
* Ensure the Splunk Admin has installed or downloaded the necessary software:
* Binaries of Splunk Enterprise, Splunk Universal Forwarder, Splunk Enterprise Security
* Designate and set up contacts for your Support Entitlement (accessible on the customer's account page)
* Splunk license keys (accessible on the customer's account page)
* Ability to collect and submit Support Health Check diagnostic files

ES is typically set up in a distributed Splunk deployment consisting of different systems dedicated to running Splunk, configured in the following roles:
* Splunk Search Head for only the Enterprise Security App
* Splunk Dedicated Forwarder on Linux for syslog and appliance data sources
* Splunk Dedicated Forwarder on Windows OS for Microsoft data sources

Install the OS of choice and decide on the mount points for your warm, cold and frozen data. See "Hardware capacity planning for your Splunk deployment" in the Splunk documentation. Review these links for the latest Splunk Core deployment information:
* Guidelines on the sizing needs of a deployment server
* Planning to collect Enterprise Security data sources

Data sources:
* Consider data sources for perimeters like firewalls, core routers, etc.
* Understand the data sources that are required and recommended to make the most meaningful correlations for security content for your organization.
* Review current log collection capabilities and goals.
Assets and identities (critical to using the Splunk workflow):
* Consider data sources for assets and identities. Plan and develop the assets and identities feeds with attention to identifying the known/expected devices and hosts. These are key files to make sure are filled out to the best of the ability of the system owner. This includes understanding your enterprise's assets and identities on the "blue" team defenders' side.
* Consider the destination of syslog traffic sources to a log management system.
* Consider other operating system logs, e.g. Linux, Solaris, and deploy a Splunk Universal Forwarder.
* Consider collecting Windows logs by deploying the Splunk Universal Forwarder to Windows servers.
* Need a firewall / proxy whitelist rule to allow access to download the desired threat lists and APIs to enrich data.
* Need a firewall / proxy whitelist for *.splunk.com with the web proxy for software notifications and updates.
* Establish the criticality of assets by bunit. Plan to survey server owners on the impact of data compromise of their systems. Note interdependencies with other teams and systems.
* Plan to have a script run from a CMDB or a network nmap scan to collect this data regularly about the environment.

Asset file: you need at minimum the IP addresses of the systems you want to gather data from; enter these into the asset CSV file. Note: this default set of column headers must be in any asset file you use:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

Identity file: you need at minimum a list of known default, privileged, service and administrator accounts, all members of the security team, and key data access users. Use this CSV header line for identity information:
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate

If you have AD / LDAP access, here is a sample search; if you are collecting Windows Active Directory information, a search like this will help validate that you have added those accounts to the identity and asset files:
|ldapsearch domain= search="(&(objectclass=user)(!(objectClass=computer)))"|search userAccountControl="NORMAL_ACCOUNT"
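The asset and identity header lines above are what ES expects in its lookup files; the following validator checks a file against them before it is loaded. It is an added example, not Splunk's own tooling; the accepted priority values and the rule that an asset row needs at least one of ip, mac, nt_host or dns are assumptions about ES lookup conventions, and the sample rows are constructed.

```python
import csv
import ipaddress

# Header lines from the checklist above; the sample files below are constructed, not real data.
ASSET_HEADER = "ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av".split(",")
IDENTITY_HEADER = "identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate".split(",")
PRIORITIES = {"", "unknown", "low", "medium", "high", "critical"}  # assumed ES priority values
BOOL_COLS = ("is_expected", "should_timesync", "should_update", "requires_av")

ASSETS_CSV = """ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
10.0.0.0/24,,,,netops,high,,,,,corp,network,,true,true,true,false
,,,,,critical,,,,,,,,true,true,true,true
10.0.1.5,,FS01,fs01.example.test,it,maybe,,,,,corp,server,,yes,true,true,true
"""
IDENTITIES_CSV = """identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
svc_backup,,,,,,,,,,high,it,service,true,,
,,,,,,,,,,low,,,,,
"""

def _valid_ip(value):  # accept a single address or a CIDR block
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def check_lookup(text, kind):
    """Return the problems found in an asset or identity CSV; an empty list means it is usable."""
    header = ASSET_HEADER if kind == "asset" else IDENTITY_HEADER
    reader = csv.reader(text.splitlines())
    if next(reader, []) != header:
        return ["header must be exactly: " + ",".join(header)]
    problems = []
    for n, row in enumerate(reader, start=2):  # n is the line number within the file
        if len(row) != len(header):
            problems.append(f"line {n}: expected {len(header)} columns, got {len(row)}")
            continue
        rec = dict(zip(header, row))
        if kind == "asset":
            if not any(rec[k] for k in ("ip", "mac", "nt_host", "dns")):
                problems.append(f"line {n}: asset needs at least one of ip, mac, nt_host, dns")
            if rec["ip"] and not _valid_ip(rec["ip"]):
                problems.append(f"line {n}: bad ip {rec['ip']!r}")
            problems += [f"line {n}: {c} must be true/false" for c in BOOL_COLS if rec[c].lower() not in ("", "true", "false")]
        elif not rec["identity"]:
            problems.append(f"line {n}: identity must not be empty")
        if rec["priority"].lower() not in PRIORITIES:
            problems.append(f"line {n}: unknown priority {rec['priority']!r}")
    return problems
```

Run it over each feed before copying the file into the ES lookups directory; the line numbers in the report map directly to the offending rows.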
Network and infrastructure:
* Create a VIP and DNS entry for the search head tier.
* Create SSL certificates for each Splunk device.
* Verify NTP is configured correctly with the right time on Splunk devices.
* Verify DNS is configured on the network.
* See "Network connectivity - What are the Splunk ports that I need to open" for the Splunk ports.
* Create firewall routes for assets that will forward data to the Heavy Forwarder or Indexers.

Collecting UCS logs may or may not be relevant to some security teams, but it is interesting to a NOC.

Installing the Splunk Enterprise Security application:
* If you have a support contract for Enterprise Security, you can download the SPL file from Splunkbase. Contact your Splunk Sales team if you need access.
* Before getting started, take a look at the known issues.
* On the Dedicated Enterprise Security Search Head, perform the following:
* Identify a SME for each technology add-on you want to deploy and feed into ES.
* Develop a TA for your data sources and install it on the Indexer and the Enterprise Security Search Head. When developing a TA for ES, consider these necessary field extractions:
* Review the standard logging for other device types like these: Cisco devices - know which components you have installed (FWSM, ASA, PIX, ACS).
* When gathering log types, consider other teams' use cases.
* If database connections are desired, a database service account for Splunk needs to be created.
* Create a domain Windows service account for the splunk user.
* If Single Sign On is desired, then access to LDAP, AD, Apache HTTP (web proxy, SSO) is required.
