Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Known Issues in Splunk UBA

This version of Splunk UBA has the following known issues and workarounds.


Date filed Issue number Description
2022-09-06 UBA-16289 7-node UBA deployment has an invalid value for system.messaging.rawdatatopic.retention.time in caspidatunables-7_node.conf

Workaround:
SSH into the management node as the caspida user, then perform the following steps:
  1. Edit the following two files and correct the system.messaging.rawdatatopic.retention.time field to be 1d instead of 1dq:
    /etc/caspida/local/conf/deployment/uba-tuning.properties
    /opt/caspida/conf/deployment/recipes/caspida/caspidatunables-7_node.conf
  2. Sync the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/deployment/
    /opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/deployment/recipes/caspida/
  3. Restart the cluster:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all

2021-05-04 UBA-14516 Health Monitor - An error occurred while retrieving data - Error from /uba/monitor Invalid Json response: Error in getting the response Parameters: {"queryStatus":true,"queryDataQualityStatus":true}

Workaround:
  1. Stop all Splunk UBA services on node 1:
    /opt/caspida/bin/Caspida stop-all
  2. On each Splunk UBA node, edit the java.security file at
    /usr/lib/jvm/java-*/jre/lib/security/java.security
    and remove TLSv1 and TLSv1.1 from the jdk.tls.disabledAlgorithms property. The folder under /usr/lib/jvm differs between environments; for example, on Ubuntu the absolute path of the java.security file is
    /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security
  3. Start all Splunk UBA services on node 1:
    /opt/caspida/bin/Caspida start-all
  4. Verify that there are no more errors in the UI.
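The java.security edit in step 2, as an added example rather than Splunk's own tooling: a POSIX sh script that removes TLSv1 and TLSv1.1 from jdk.tls.disabledAlgorithms (including the backslash-continued form that JDK 8 ships), checks the result, and keeps a backup so the change can be reverted once an upgrade makes the workaround unnecessary. The file paths and the sample file contents are constructed for the demonstration.

```shell
# Added example, not Splunk's own tooling: applies the UBA-14516 edit by dropping
# TLSv1 and TLSv1.1 from jdk.tls.disabledAlgorithms in a java.security file. It
# joins the backslash-continued value JDK 8 ships, leaves every other entry
# intact and keeps a .bak copy of the file as it was before the run.

# reenable_tls1 <java.security>: rewrite in place; the property becomes one line.
reenable_tls1() {
    cp "$1" "$1.bak" || return 1
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1; val = "" }
        inprop {
            l = $0
            # a trailing backslash continues the value on the next line
            if (l ~ /\\[[:space:]]*$/) { sub(/\\[[:space:]]*$/, "", l); val = val l; next }
            val = val l; inprop = 0
            sub(/^jdk\.tls\.disabledAlgorithms=[[:space:]]*/, "", val)
            n = split(val, parts, "[[:space:]]*,[[:space:]]*"); out = ""
            for (i = 1; i <= n; i++) {
                p = parts[i]; sub(/^[[:space:]]+/, "", p); sub(/[[:space:]]+$/, "", p)
                if (p == "" || p == "TLSv1" || p == "TLSv1.1") continue
                out = (out == "") ? p : (out ", " p)
            }
            print "jdk.tls.disabledAlgorithms=" out; next
        }
        { print }
    ' "$1.bak" > "$1"
}

# disabled_algorithms <java.security>: value on the property's first physical line
# (the complete value once reenable_tls1 has joined it).
disabled_algorithms() {
    sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1"
}

# verify_tls_edit <java.security>: exit 0 only if the property is non-empty and
# lists neither TLSv1 nor TLSv1.1; TLSv1.2 and all other entries are untouched.
verify_tls_edit() {
    v=$(disabled_algorithms "$1")
    [ -n "$v" ] || return 1
    case ", $v," in *", TLSv1,"*|*", TLSv1.1,"*) return 1 ;; esac
}

# make_sample <path>: constructed file mirroring the JDK 8 layout, for a dry run.
make_sample() {
    cat > "$1" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms=NULL, anon
EOF
}
```

Run make_sample on a scratch path and inspect the result before pointing reenable_tls1 at the real file under /usr/lib/jvm.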

2020-09-28 UBA-14251 UBA triggers Anomalies Related to Job Search When Users Visit Unrelated Sites
2020-06-27 UBA-14198 Anomaly actions rules with wildcards can cause syntax error and failure

Workaround:
Contact Splunk Support to fix your SQL query.
2020-06-25 UBA-14197 SplunkDirect Cloud model errors with unsupported object_type fields

Workaround:
This issue is observed while ingesting SplunkDirect Cloud category data. Only the following values for the "object_type" field are supported:
Collaboration, Cookie, File, FileSystem, Folder, Registry, SecretObject, ServiceObject, SamDomain, Computer, Share, SharePoint, Token, USB, User, Unknown

If the "object_type" field takes any other values in your environment, modify the SPL to map the unsupported values to "Unknown". For example:

| eval object_type=case(object_type == "File", "File", object_type == "Folder", "Folder", object_type == "Web", "Unknown")
2020-06-05 UBA-14140 HA/DR failover fails if Primary is down during failover
2020-06-02 UBA-14097 First attempt to create new AAR rules fails after standby failover
2020-05-11 UBA-13948 HA/DR After failover, the scheduled datasources (hrdata and assets) are not running on schedule

Workaround:
On node 1 of the promoted system, run:
curl -X PUT -Ssk -v -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)" "https://localhost:9002/datasources/moveDS?name=<Name of Datasource>"

where <Name of Datasource> is the data source name displayed in the UI.

2020-05-11 UBA-13950 HA/DR after failover system does not restart until setup-containerization is run on standby system

Workaround:
After failover, run:
/opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida start
2020-05-11 UBA-13947 HA/DR switching roles of Primary/Secondary can fail
2020-05-11 UBA-13942 HA/DR Standby failover failed when Postgres on Primary is down

Workaround:
On the node hosting Postgres, run:
psql -d caspidadb -c 'ALTER SUBSCRIPTION subscription_caspida DISABLE'
psql -d caspidadb -c 'ALTER SUBSCRIPTION subscription_caspida SET (slot_name = NONE)'
psql -d caspidadb -c 'DROP SUBSCRIPTION IF EXISTS subscription_caspida'

On the master node, run the failover again:

touch /opt/caspida/conf/replication/properties/standby
/opt/caspida/bin/replication/failover
2020-05-06 UBA-13921 UBA Self-signed certificates no longer pass current browser checks
2020-05-01 UBA-13896 HA/DR CaspidaCleanup breaks for system in standby mode

Workaround:
Run the following commands on the Splunk UBA node hosting Postgres before cleanup:
psql -d caspidadb -c 'BEGIN; SET transaction read write; ALTER DATABASE caspidadb SET default_transaction_read_only = off; COMMIT'
psql -d caspidadb -c 'DROP PUBLICATION IF EXISTS publication_caspida'
psql -d caspidadb -c 'DROP SUBSCRIPTION IF EXISTS subscription_caspida'
2020-04-22 UBA-13845 Backup/Restore and Replication logs not included in "Download Diagnostics"
2020-04-19 UBA-13824 HA/DR HDFS data transfer fails with ssh timeout

Workaround:
Edit the /opt/caspida/conf/replication/ssh_config file on the master node of both the primary and standby clusters so that it looks like this:
Host *
    ControlMaster no
    ControlPath /var/vcap/sys/tmp/caspida/%r@%h-%p
    ControlPersist 3600
    StrictHostKeyChecking no
    ServerAliveInterval 30
    ServerAliveCountMax 10

Sync the cluster on both the primary and standby clusters:

/opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/replication

Then rerun setup with reset option on primary and standby systems, and kick off the first sync cycle.

2020-04-07 UBA-13804 Kubernetes certificates expire after one year

Workaround:
Run the following commands on the Splunk UBA master node:
/opt/caspida/bin/Caspida remove-containerization
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
2020-03-22 UBA-13731 User hrAccountType is not being updated in "Users Table"
2020-03-12 UBA-13704 The microbatch interval property splunk.live.micro.batching.interval.second is not being honored
2020-03-05 UBA-13673 Some AD anomaly rules display Name/NA in UI
2020-01-17 UBA-13546, UBA-13166 Custom model configuration is not getting replicated on the standby

Workaround:

Run the following commands on node 1 in the standby cluster to copy files from the primary cluster to the standby cluster, then restart job manager. Be sure to replace <p_node1> in the example with the actual name or IP address of node 1 in your cluster.

rsync -av <p_node1>:/etc/caspida/local/conf/[am]* /etc/caspida/local/conf
sudo service caspida-jobmanager restart
2020-01-16 UBA-13543 Upgrade to JDK 8u241 to patch known CVEs
2020-01-13 UBA-13533 Asset query could be broken with latest Splunk ES 6.0
2019-12-03 UBA-13455 An error may appear when a time range is selected from the Scope menu on pages containing anomaly and device information.
2019-11-20 UBA-13412 Unable to create Anomaly Action rules when specifying filter - Error from /uba/anomalyRules Cannot read property 'body' of undefined
2019-11-17 UBA-13386 Fix homepage EPS
2019-11-13 UBA-13355 Datasources aren't automatically starting after a stop-all/start-all

Workaround:
Start the data sources manually using the following command on the management node:
/opt/caspida/bin/Caspida start-datasources
2019-11-11 UBA-13332 On the restored UBA host, the uiServer.host= entry in the site properties file shows the backup hostname

Workaround:
Perform the following steps on the management node:
  1. As the caspida user, edit the /etc/caspida/local/conf/uba-site.properties file.
  2. Search for the uiServer.host key and change the value of the key to the correct hostname for the management node.
  3. Save your changes and close the editor.
  4. Run the following commands:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida sync-cluster
    /opt/caspida/bin/Caspida start-all
    

2019-11-05 UBA-13309 Custom data ingest requires switching to ETLv1

Workaround:
Perform the following tasks on the management node:
  1. Add the following properties to /etc/caspida/local/conf/uba-site.properties:
    parser.morphlines.name.policy=file
    parser.morphlines.selected.formats=
    
  2. Synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Restart the containers:
    /opt/caspida/bin/Caspida stop-containers
    /opt/caspida/bin/Caspida start-containers
    

Adding these properties may have a negative performance impact on your Splunk Direct, AD/Multiline, Cisco ASA, and PAN data sources.


2019-10-24 UBA-13265 Stale Spark worker JVMs cause Spark restarts

Workaround:
  1. Stop the Spark services on the management node:
    /opt/caspida/bin/Caspida stop-spark
  2. Make sure that the Spark JVMs are killed on the worker nodes. On each node where the Spark workers are running, run the following command:
    /opt/caspida/bin/uba-spark/stop-all-spark.py -nv
  3. Start the Spark services on the management node:
    /opt/caspida/bin/Caspida start-spark
  4. Monitor for stability:
    tail -f /var/log/caspida/spark/spark-server.log

The issue reappears when the Spark server is restarted (for example, due to a configuration change).

2019-10-07 UBA-13227 Backend anomaly and custom model names are displayed in Splunk UBA

Workaround:
Click the reload button in the web browser to force reload the UI page.
2019-09-28 UBA-13187 Some custom models raise anomalies with incorrect anomaly categories
2019-09-19 UBA-13121 Deactivated custom models may show a "Last Execution Time per Model" indicator error
2019-08-29 UBA-13020 Anomalies migrated from test-mode to active-mode won't be pushed to ES
2019-08-16 UBA-12964 User and device attributions time out and do not load

Workaround:
In some cases, the User Attribution section on the User Details page and the Device Attribution section on the Device Details page do not load because the Advanced Identity Lookup queries are taking a long time to complete.

Perform the following tasks on the management node to work around this issue:

  1. Edit or add the identity.resolution.attribution.query.timerange property in /etc/caspida/local/conf/uba-site.properties and set the time range of the query to a smaller number of days. The default is seven days. This example sets the time range to three days:
    identity.resolution.attribution.query.timerange=3d
  2. In distributed deployments, synchronize the cluster. Run the following command:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Run the following commands to restart the Splunk UBA containers:
    /opt/caspida/bin/Caspida stop-containers
    /opt/caspida/bin/Caspida start-containers
    

2019-08-06 UBA-12910 Splunk Direct - Cloud Storage does not expose src_ip field

Workaround:
When ingesting Office 365 Sharepoint/OneDrive logs through Splunk Direct - Cloud Storage, add an additional field mapping for src_ip in the final SPL to be mapped from ClientIP (| eval src_ip=ClientIP). Make sure to add src_ip in the final list of fields selected using the fields command. For example:
| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip
2019-06-26 UBA-12736 Too many TriggeringEventsCalculator jobs running

Workaround:
Perform the following steps on the master node:
  1. Set the following property in the /etc/caspida/local/conf/uba-site.properties file:
    triggering.event.pre.calculate.links=false
  2. Add a cron job to the caspida user's crontab to kill the TriggeringEventsCalculator processes:
    0 12 * * *  pkill -f TriggeringEventsCalculator
  3. Sync the cluster in distributed deployments:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf

2019-03-13 UBA-12111, UBA-14199, UBA-13051 Impala jdbc connections leak

Workaround:
Perform the following tasks on the master node:
  1. Reduce the frequency of the StatsCollector job from running every hour to once a day at 8PM. Edit the /opt/caspida/conf/jobconf/caspida-jobs.json file and change:
    "cronExpr"     : "0 0/60 * * * ?"

    to

    "cronExpr"     : "0 0 20 * * ?"
  2. Sync the cluster in distributed deployments:
    /opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/jobconf/
  3. Restart the job-manager service:
    sudo service caspida-jobmanager restart

Last modified on 07 June, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0
