Configuration required for Search Head Clusters
Overview
The Recorded Future Add-on for Splunk Enterprise Security is designed to run on search heads within a Splunk deployment. In a Search Head Cluster (SHC) the installation procedure is the standard one for SHCs, i.e. the app is installed on the deployer node and then pushed to the SHC members.
Before deploying the app, the required configuration changes below must be made so that the SHC configuration stays consistent across members.
The app detects that it is running on an SHC. Only the captain of the SHC runs the modular inputs that update risklists and alerts; the other members do not run them.
Required configuration
In order to maintain a coherent configuration across the SHC it is necessary to extend the list of configuration file types that are replicated between SHC members. Two additional configuration files must be replicated:
- inputs.conf, which contains the configured modular inputs used to update risklists and alerts.
- ta_recorded_future_settings.conf, which contains the configured API key (stored encrypted) and various app-specific settings.
Splunk does not currently allow an app to ship this replication setting itself, so this configuration must be done by the customer's Splunk administrator.
The following stanza is needed in $SPLUNK_HOME/etc/system/local/server.conf. This file is not part of the app bundle pushed by the deployer, so apply it on every SHC member and restart the member afterwards:

[shclustering]
conf_replication_include.ta_recorded_future_settings = true
conf_replication_include.inputs = true
Once this change has been made on all members and the app has been deployed, connect to any of the SHC members and perform the app setup (API key and modular inputs). Because the two files are now replicated, the setup is propagated to the other members, and the captain will start the modular inputs.
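The following is an added example, not part of the add-on or its documentation, that checks a server.conf for the two replication settings above. The helper name check_shc_replication, the sample file contents and the temporary-file usage are assumptions made for the illustration; only a key that sits inside the [shclustering] stanza counts, since the same key under another stanza is silently ignored by Splunk.

```shell
#!/bin/sh
# Added example (not the add-on's own code): verify that a server.conf
# replicates the two configuration files the Recorded Future add-on needs.
# Hypothetical helper; the file path is passed as the first argument.

check_shc_replication() {
    # $1: path to a server.conf file.
    # Prints one "missing: ..." line per absent setting and returns 1 if
    # either setting is not set to true inside the [shclustering] stanza.
    awk '
        # A stanza header switches stanza tracking; only [shclustering] counts.
        /^[[:space:]]*\[/ {
            in_stanza = ($0 ~ /^[[:space:]]*\[shclustering\][[:space:]]*$/)
            next
        }
        in_stanza && /^[[:space:]]*conf_replication_include\.ta_recorded_future_settings[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { settings = 1 }
        in_stanza && /^[[:space:]]*conf_replication_include\.inputs[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { inputs = 1 }
        END {
            rc = 0
            if (!settings) { print "missing: conf_replication_include.ta_recorded_future_settings = true"; rc = 1 }
            if (!inputs)   { print "missing: conf_replication_include.inputs = true"; rc = 1 }
            exit rc
        }' "$1"
}

# Constructed sample server.conf (not a real member's file) showing a
# correct [shclustering] stanza next to an unrelated stanza.
sample_conf=$(mktemp)
printf '%s\n' \
    '[general]' \
    'serverName = sh1' \
    '' \
    '[shclustering]' \
    'conf_replication_include.ta_recorded_future_settings = true' \
    'conf_replication_include.inputs = true' > "$sample_conf"

if check_shc_replication "$sample_conf"; then
    echo "sample server.conf: replication settings present"
fi
rm -f "$sample_conf"
```

On a real member, run it against $SPLUNK_HOME/etc/system/local/server.conf on each SHC member; to see the merged value that Splunk actually uses (local plus default), compare with the output of `splunk btool server list shclustering --debug`.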