Search Head Clustering

Configuration required for a Search Head Cluster

Overview

The Recorded Future Add-on for Splunk Enterprise Security is designed to run on Search Heads within a Splunk system. In the case of a Search Head cluster (SHC) the installation procedure is the standard one for SHCs, i.e. the app should be installed on the deployer node and then deployed to the SHC nodes.

Before deploying the app, the required configuration changes below must be made to ensure consistent configuration across the SHC.

The app will detect that it is running on an SHC. Only the captain node of the SHC runs the modular inputs that update risklists and alerts.

Required configuration

In order to maintain coherent configuration across the SHC it is necessary to extend the list of configuration file types that are replicated across the SHC. Two additional configuration files must be replicated:

  • inputs.conf, which contains the configured modular inputs used to update risklists and alerts.
  • ta_recorded_future_settings.conf, which contains the configured API key (encrypted) and various app-specific settings.

Splunk does not currently allow apps to ship with the required replication settings, so this configuration must be done by the client.

The following stanza is needed in $SPLUNK_HOME/etc/system/local/server.conf:

[shclustering]
conf_replication_include.ta_recorded_future_settings = true
conf_replication_include.inputs = true

Once this change has been made and the app has been deployed, it is possible to connect to any of the SHC search head nodes and perform setup.
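As an added check, not part of the add-on or of Splunk itself, the following Python reads a server.conf and reports which of the two replication keys above are missing or not set to true under [shclustering]. The sample server.conf contents are constructed for the example; run it against $SPLUNK_HOME/etc/system/local/server.conf on the deployer (or each member) before deploying the app.

```python
"""Verify that server.conf replicates the conf files the add-on needs across an SHC."""
import configparser
import io

# Keys that must be true so every SHC member sees the same modular inputs
# (inputs.conf) and the same encrypted API key (ta_recorded_future_settings.conf).
REQUIRED = {
    "conf_replication_include.ta_recorded_future_settings": "true",
    "conf_replication_include.inputs": "true",
}


def missing_replication_settings(server_conf_text: str) -> list[str]:
    """Return the required keys that are absent, or not 'true', in [shclustering]."""
    # Splunk .conf files are INI-style; only '=' separates key and value.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_file(io.StringIO(server_conf_text))
    if not parser.has_section("shclustering"):
        # No SHC stanza at all: every required key is missing.
        return sorted(REQUIRED)
    section = parser["shclustering"]
    return sorted(
        key for key, wanted in REQUIRED.items()
        if section.get(key, "").strip().lower() != wanted
    )


# Constructed sample: a deployer's [shclustering] stanza before the change...
BEFORE = """
[shclustering]
conf_deploy_fetch_url = https://deployer.example.internal:8089
"""

# ...and after the two replication keys from the documentation are added.
AFTER = BEFORE + """
conf_replication_include.ta_recorded_future_settings = true
conf_replication_include.inputs = true
"""

if __name__ == "__main__":
    print("missing before:", missing_replication_settings(BEFORE))
    print("missing after:", missing_replication_settings(AFTER))
```

The effective merged value can also be confirmed on a member with `splunk btool server list shclustering --debug`, which shows which file each key comes from.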