Version: Atlas v4.0

Atlas Splunk Cloud Deployment Instructions

Installation Overview

Atlas for Splunk Cloud requires a Splunk Search Head deployed in your local environment that connects to your Splunk Cloud environment. This Search Head must be configured as a Federated Search Head. Atlas is installed on this Search Head, which is referred to as the "Atlas Search Head" throughout the remainder of this article. The Splunk Cloud environment that the Atlas Search Head connects to is referred to as the "Splunk Cloud Environment". Once deployed, you will add the Splunk Cloud Search Head as a search peer on your local Atlas Search Head to allow use of the Splunk REST command.

Deployment

The Atlas Search Head Deployment Guidelines

  • Can be deployed in a clustered or non-clustered architecture, or as an all-in-one (AIO) Splunk deployment
  • Must be deployed to an environment that is outside of your Splunk Cloud environment
  • Must be able to connect to Splunk Cloud over the internet (typically over ports 8089, 8181, and 8191)
  • Must meet the Installation Prerequisites

Feature Restrictions Specific to Deployment

Due to the deployment architecture, the ability to modify searches on the target environment requires the setup of Atlas Targets. The Autobalancer is deactivated for Splunk Cloud deployments.

Atlas Installation

For additional assistance with completing these steps, please reach out to your Expertise on Demand Team or submit a request to support@kinneygroup.com.

Configure the Atlas Search Head and REST Connections

Once you have installed and configured your Atlas Search Head, you will need to connect it to your Splunk Cloud environment. If you are completing these items yourself, these steps are best executed using Splunk Cloud's Admin Config Service (ACS).

  1. Allow your Atlas Search Head's public IP on your Splunk Cloud Environment for REST API access.

    • This can be accomplished using the following methods:
      • ACS
      • Splunk server settings UI
      • Opening a request to Splunk Cloud support
  2. Configure Federated Search on the Atlas Search Head

    • Create an account on your Splunk Cloud instance with fsh_manage permission

    • On the Atlas Search Head, in Splunk Web, navigate to Settings -> Federated Search -> Add Federated Provider

    • Create a new Federated Provider in transparent mode using your Splunk Cloud URI and the account that was created above

    • See the Splunk documentation for more information on this topic

  3. Add the Splunk Cloud Search Head as a search peer on the Atlas Search Head

    • In Splunk Web on the Atlas Search Head, navigate to Settings -> Distributed Search -> Search Peers. Your indexers (both Splunk Cloud and local, if applicable) should already be listed here.

    • Using the New Search Peer button on this page, add any other Splunk instances that you wish to be able to search or perform REST calls against.

      • Adding instances from your Splunk Cloud deployment requires the user credentials of a Splunk Cloud user with the role of sc_admin
      • The search heads that you add must be at an equal or higher version than the search peers.
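
For step 1 with ACS, the following added example (not code from Atlas or Splunk) builds the ACS request that adds only the Atlas Search Head's public IP, as a single /32, to the `search-api` allow list, which is the ACS feature governing REST access on port 8089. The environment variable names, the sample address and the function names are assumptions made for this illustration.

```python
import ipaddress
import json
import re
import urllib.request

# Ranges that cannot be the public source address Splunk Cloud sees
# (private, CGNAT, loopback, link-local, multicast/reserved).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def host_subnet(public_ip: str) -> str:
    """Return the single-host /32 for the Atlas Search Head, or raise ValueError."""
    ip = ipaddress.ip_address(public_ip.strip())  # rejects CIDR ranges and junk
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    if any(ip in net for net in NON_ROUTABLE):
        raise ValueError(f"{ip} is not public; use the NAT/egress address")
    return f"{ip}/32"

def build_allowlist_request(stack: str, token: str, public_ip: str):
    """Build (without sending) the ACS call for the search-api allow list."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", stack):
        raise ValueError("stack name must be the bare Splunk Cloud stack id")
    url = (f"https://admin.splunk.com/{stack}"
           "/adminconfig/v2/access/search-api/ipallowlists")
    body = json.dumps({"subnets": [host_subnet(public_ip)]}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })

if __name__ == "__main__":
    import os
    # Assumed variable names: stack id, ACS token, Atlas Search Head egress IP.
    req = build_allowlist_request(os.environ["ACS_STACK"],
                                  os.environ["ACS_TOKEN"],
                                  os.environ["ATLAS_SH_IP"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status, resp.read().decode())
```

Refusing anything wider than one host keeps the allow list limited to the Atlas Search Head itself, so a mistyped range cannot open the REST API to other sources.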

Atlas Distributed Install Matrix

Use the tables below to determine where and how to install the Atlas Platform. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install Atlas Elements and Technical Add-Ons (TAs) in multiple places.

| Atlas Element | Dedicated Search Head | Remote Search Heads | Remote Indexers | Heavy Forwarders | Universal Forwarders | Comments |
|---|---|---|---|---|---|---|
| Atlas 4.0 | Yes | No | No | No | No | - |
| Atlas Assessment | Yes | No | No | No | No | - |
| STIG Compliance | Yes | No | No | No | No | - |
| STIG Compliance STIG TA | Yes | No | Yes | Yes | No | Install on Index & Search Head Layer to create required Indexes & Data Transformations |
| STIG Compliance SCAP TA | Yes | No | Yes | Yes | No | Install on Index & Search Head Layer to create required Indexes & Data Transformations |

Installing the Atlas Platform on the Search Head

To install Atlas, follow the standard Splunk procedure for installing a Splunk Application or TA.