Search Head Clustering

Required configuration for Search Head clusters

Overview

The Recorded Future Add-on for Splunk Enterprise Security is designed to run on Search Heads within a Splunk system. In the case of a Search Head cluster (SHC) the installation procedure is the standard one for SHCs, i.e. it should be installed on the deployer node and then deployed to the SHC nodes.

Before deploying the app, the required configuration change described below should be made to ensure that the SHC configuration stays coherent across all members.

The app detects when it is running on an SHC. Only the captain node of the SHC runs the modular inputs that update risklists and alerts.

Required configuration

To maintain coherent configuration across the SHC, the list of configuration file types that Splunk replicates across the SHC must be extended. Two additional configuration files are required:

  • inputs.conf, which contains the configured modular inputs used to update risklists and alerts.
  • ta_recorded_future_settings.conf, which contains the configured API key (encrypted) and various app-specific settings.

Splunk does not currently allow apps to ship with the required replication settings, so this configuration must be done by the client.

The following stanza is needed in $SPLUNK_HOME/etc/system/local/server.conf:

[shclustering]
conf_replication_include.ta_recorded_future_settings = true
conf_replication_include.inputs = true

Once this change has been made and the app has been deployed, it is possible to connect to any of the SHC search head nodes and perform setup.
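As an added pre-deployment check (example code, not part of the add-on or of Splunk), the following Python parses a server.conf and reports which of the two replication keys above are missing from [shclustering] or not enabled; the sample file contents are constructed.

```python
import re

# Keys this page says must be replicated across the SHC (in [shclustering])
REQUIRED_REPLICATION_KEYS = (
    "conf_replication_include.ta_recorded_future_settings",
    "conf_replication_include.inputs",
)

def parse_splunk_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (handles '#'
    comments, [stanza] headers, key = value pairs, backslash continuations)."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            current = header.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        key, sep, value = stripped.partition("=")
        if sep:                          # ignore malformed lines without '='
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def missing_replication_settings(server_conf_text):
    """Return the required keys that are absent from [shclustering] or not
    enabled; an empty list means the stanza from this page is in place."""
    shc = parse_splunk_conf(server_conf_text).get("shclustering", {})
    return [k for k in REQUIRED_REPLICATION_KEYS
            if shc.get(k, "").lower() not in ("true", "1")]

# Constructed sample server.conf: inputs.conf replicated, settings file forgotten
SAMPLE_INCOMPLETE = """\
[general]
serverName = sh1

[shclustering]
conf_replication_include.inputs = true
"""
# Same constructed file with the second required line added
SAMPLE_COMPLETE = SAMPLE_INCOMPLETE + \
    "conf_replication_include.ta_recorded_future_settings = true\n"
```

Run it against the deployer's $SPLUNK_HOME/etc/system/local/server.conf before pushing the app bundle; any key it lists must be added before the SHC members will keep a coherent copy of the app's settings.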