Known Issues in Splunk UBA
Splunk UBA 5.0.0 has the following known issues and workarounds.
Date filed | Issue number | Description |
---|---|---|
2022-09-06 | UBA-16289 | A 7-node UBA deployment has an invalid value for `system.messaging.rawdatatopic.retention.time` in `caspidatunables-7_node.conf`. Workaround: SSH into the management node as the caspida user. 1. Edit the two files `/etc/caspida/local/conf/deployment/uba-tuning.properties` and `/opt/caspida/conf/deployment/recipes/caspida/caspidatunables-7_node.conf`, correcting the field `system.messaging.rawdatatopic.retention.time` to `1d` instead of `1dq`. 2. Sync the cluster: `/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/deployment/` and `/opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/deployment/recipes/caspida/`. 3. Restart the cluster: `/opt/caspida/bin/Caspida stop-all` followed by `/opt/caspida/bin/Caspida start-all`. |
2021-05-04 | UBA-14516 | Health Monitor shows "An error occurred while retrieving data - Error from /uba/monitor Invalid Json response: Error in getting the response Parameters: {"queryStatus":true,"queryDataQualityStatus":true}". Workaround: |
2020-09-28 | UBA-14251 | UBA triggers Anomalies Related to Job Search When Users Visit Unrelated Sites |
2020-06-27 | UBA-14198 | Anomaly action rules with wildcards can cause a syntax error and failure. Workaround: Contact Splunk Support to have your SQL query fixed. |
2020-06-25 | UBA-14197 | SplunkDirect Cloud model errors on unsupported `object_type` values. Workaround: This issue is observed while ingesting SplunkDirect Cloud category data. Only the following values of the `object_type` field are supported: Collaboration, Cookie, File, FileSystem, Folder, Registry, SecretObject, ServiceObject, SamDomain, Computer, Share, SharePoint, Token, USB, User, Unknown. If any other values of `object_type` occur in your environment, modify the SPL to map the unsupported values to `Unknown`. For example: `| eval object_type=case(object_type == "File", "File", object_type == "Folder", "Folder", object_type == "Web", "Unknown")`. Note that `case()` returns null for a value that matches none of its conditions, so either list every value that appears in your data or end the expression with a catch-all branch (`1==1, "Unknown"`). |
2020-06-05 | UBA-14140 | HA/DR failover fails if Primary is down during failover |
2020-06-02 | UBA-14097 | The first attempt to create new anomaly action (AAR) rules fails after a standby failover. |
2020-05-11 | UBA-13948 | HA/DR: after failover, the scheduled data sources (hrdata and assets) do not run on schedule. Workaround: On node 1 of the promoted system, run `curl -X PUT -Ssk -v -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)" "https://localhost:9002/datasources/moveDS?name=<Name of Datasource>"`, where `<Name of Datasource>` is the data source name displayed in the UI (the URL is quoted so the shell does not interpret `?` or `<`). |
2020-05-11 | UBA-13950 | HA/DR: after failover, the system does not restart until setup-containerization is run on the standby system. Workaround: After failover, run `/opt/caspida/bin/Caspida stop`, then `/opt/caspida/bin/Caspida setup-containerization`, then `/opt/caspida/bin/Caspida start`. |
2020-05-11 | UBA-13947 | HA/DR switching roles of Primary/Secondary can fail |
2020-05-11 | UBA-13942 | HA/DR: standby failover fails when Postgres on the Primary is down. Workaround: On the node hosting Postgres, run `psql -d caspidadb -c 'ALTER SUBSCRIPTION subscription_caspida DISABLE'`, then `psql -d caspidadb -c 'ALTER SUBSCRIPTION subscription_caspida SET (slot_name = NONE)'`, then `psql -d caspidadb -c 'DROP SUBSCRIPTION IF EXISTS subscription_caspida'`. Disabling the subscription and detaching its slot first is what lets the DROP succeed while the publisher (the Primary) is unreachable; the replication slot left behind on the Primary still retains WAL and should be dropped there once it is back. Then, on the master node, run the failover again: `touch /opt/caspida/conf/replication/properties/standby` followed by `/opt/caspida/bin/replication/failover`. |
2020-05-06 | UBA-13921 | UBA Self-signed certificates no longer pass current browser checks |
2020-05-01 | UBA-13896 | HA/DR: CaspidaCleanup breaks for a system in standby mode. Workaround: Run the following commands on the Splunk UBA node hosting Postgres before cleanup: `psql -d caspidadb -c 'BEGIN; SET transaction read write; ALTER DATABASE caspidadb SET default_transaction_read_only = off; COMMIT'`, then `psql -d caspidadb -c 'DROP PUBLICATION IF EXISTS publication_caspida'`, then `psql -d caspidadb -c 'DROP SUBSCRIPTION IF EXISTS subscription_caspida'`. |
2020-04-22 | UBA-13845 | Backup/Restore and Replication logs not included in "Download Diagnostics" |
2020-04-19 | UBA-13824 | HA/DR: HDFS data transfer fails with an SSH timeout. Workaround: Edit the `/opt/caspida/conf/replication/ssh_config` file on the master node of both the primary and standby clusters so that it contains the following lines: `Host *`, `ControlMaster no`, `ControlPath /var/vcap/sys/tmp/caspida/%r@%h-%p`, `ControlPersist 3600`, `StrictHostKeyChecking no`, `ServerAliveInterval 30`, `ServerAliveCountMax 10`. Sync on both the primary and standby clusters: `/opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/replication`. Then rerun setup with the reset option on the primary and standby systems, and kick off the first sync cycle. Be aware that `StrictHostKeyChecking no` turns off SSH host-key verification for the replication transfers. |
2020-04-07 | UBA-13804 | Kubernetes certificates expire after one year. Workaround: Run the following commands on the Splunk UBA master node: `/opt/caspida/bin/Caspida remove-containerization`, then `/opt/caspida/bin/Caspida setup-containerization`, then `/opt/caspida/bin/Caspida stop-all`, then `/opt/caspida/bin/Caspida start-all`. |
2020-03-22 | UBA-13731 | User hrAccountType is not being updated in "Users Table" |
2020-03-12 | UBA-13704 | The microbatch interval property `splunk.live.micro.batching.interval.second` is not being honored. |
2020-03-05 | UBA-13673 | Some AD anomaly rules display Name/NA in UI |
2020-01-17 | UBA-13546, UBA-13166 | Custom model configuration is not replicated to the standby. Workaround: Run the following commands on node 1 of the standby cluster to copy the files from the primary cluster to the standby cluster, then restart the job manager. Be sure to replace `<p_node1>` with the hostname of node 1 in the primary cluster: `rsync -av <p_node1>:/etc/caspida/local/conf/[am]* /etc/caspida/local/conf` followed by `sudo service caspida-jobmanager restart`. |
2020-01-16 | UBA-13543 | Upgrade to JDK 8u241 to patch known CVEs |
2020-01-13 | UBA-13533 | Asset query could be broken with latest Splunk ES 6.0 |
2019-12-03 | UBA-13455 | An error may appear when a time range is selected from the Scope menu on pages containing anomaly and device information. |
2019-11-20 | UBA-13412 | Unable to create Anomaly Action rules when specifying filter - Error from /uba/anomalyRules Cannot read property 'body' of undefined |
2019-11-17 | UBA-13386 | Fix homepage EPS |
2019-11-13 | UBA-13355 | Data sources do not start automatically after a stop-all/start-all. Workaround: Start the data sources manually with the following command on the management node: `/opt/caspida/bin/Caspida start-datasources` |
2019-11-11 | UBA-13332 | On the restored UBA host, `uiServer.host=` in the site property file shows the backup hostname. Workaround: Perform the following steps on the management node: |
2019-11-05 | UBA-13309 | Custom data ingest requires switching to ETLv1. Workaround: Perform the following tasks on the management node. Adding these properties may have a negative performance impact on your Splunk Direct, AD/Multiline, Cisco ASA, and PAN data sources. |
2019-10-24 | UBA-13265 | Stale Spark worker JVMs in UBA cause Spark restarts. Workaround: The issue reappears when the Spark server is restarted (for example, due to a configuration change). |
2019-10-07 | UBA-13227 | Backend anomaly and custom model names are displayed in Splunk UBA. Workaround: Click the reload button in the web browser to force a reload of the UI page. |
2019-09-28 | UBA-13187 | Some custom models raise anomalies with incorrect anomaly categories. |
2019-09-19 | UBA-13121 | Deactivated custom models may produce an error in the "Last Execution Time per Model" indicator. |
2019-08-29 | UBA-13020 | Anomalies migrated from test mode to active mode are not pushed to ES. |
2019-08-16 | UBA-12964 | User and device attributions time out and do not load. Workaround: In some cases, the User Attribution section on the User Details page and the Device Attribution section on the Device Details page do not load because the Advanced Identity Lookup queries take a long time to complete. Perform the following tasks on the management node to work around this issue: |
2019-08-06 | UBA-12910 | Splunk Direct - Cloud Storage does not expose the `src_ip` field. Workaround: When ingesting Office 365 SharePoint/OneDrive logs through Splunk Direct - Cloud Storage, add an additional field mapping for `src_ip` in the final SPL, mapped from `ClientIP` (`| eval src_ip=ClientIP`). Make sure to add `src_ip` to the final list of fields selected with the `fields` command. For example: `| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip` |
2019-06-26 | UBA-12736 | Too many TriggeringEventsCalculator jobs are running. Workaround: Perform the following steps on the master node: |
2019-03-13 | UBA-12111, UBA-14199, UBA-13051 | Impala JDBC connections leak. Workaround: Perform the following tasks on the master node: |
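The UBA-13948 workaround above is a single curl line whose token comes from `grep | cut -d'=' -f2`, which silently truncates a token that itself contains `=`, and whose data source name is pasted raw into the URL. The following script is an added example, not Splunk's tooling or documentation; it assumes only what the row states (the `jobmanager.restServer.auth.user.token` key in `/opt/caspida/conf/uba-default.properties` and the `PUT https://localhost:9002/datasources/moveDS?name=<name>` endpoint). The `UBA_DRY_RUN` toggle is invented here so the request can be inspected before it is sent.

```shell
#!/bin/sh
# Added example for the UBA-13948 workaround; not Splunk's code.
# Assumed from the known-issue row: token key and properties file path,
# and the moveDS endpoint on the job manager (port 9002).

# Print the job manager token from a Java-style properties file.
# The value is split from the key on the first "=" only, so a token that
# contains "=" survives; surrounding whitespace and a trailing CR are
# stripped and only the first matching line is used.
uba_api_token() {
    file="${1:-/opt/caspida/conf/uba-default.properties}"
    sed -n 's/^[[:space:]]*jobmanager\.restServer\.auth\.user\.token[[:space:]]*=[[:space:]]*//p' "$file" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Percent-encode $1 for use as a URL query value: RFC 3986 unreserved
# characters pass through, everything else becomes %XX (ASCII input).
urlencode() {
    s="$1"
    out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"   # first character of $s
        s="${s#?}"          # the rest
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Ask the job manager to put data source $1 back on its schedule, as the
# workaround does after an HA/DR failover. $2 overrides the properties file.
# With UBA_DRY_RUN=1 (a toggle invented for this example) the request URL is
# printed and nothing is sent.
uba_move_datasource() {
    name="$1"
    token="$(uba_api_token "${2:-/opt/caspida/conf/uba-default.properties}")"
    if [ -z "$token" ]; then
        echo "uba_move_datasource: no job manager token found" >&2
        return 1
    fi
    url="https://localhost:9002/datasources/moveDS?name=$(urlencode "$name")"
    if [ "${UBA_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$url"
        return 0
    fi
    # -k because the UBA web server presents a self-signed certificate
    # (see UBA-13921); -f makes curl fail on an HTTP error status instead
    # of printing the error page and returning 0.
    curl -sS -k -f -X PUT -H "Authorization: Bearer $token" "$url"
}
```

Run `UBA_DRY_RUN=1 uba_move_datasource 'HR Data'` first to see the exact URL, then without the toggle on node 1 of the promoted system, once per data source shown in the UI.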
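Two rows above are certificate problems that only become visible when they bite: UBA-13804 (Kubernetes certificates expiring after one year) and UBA-13921 (self-signed certificates rejected by current browsers, which require a subjectAltName extension and no longer accept very long validity periods). The checks below are an added example, not part of Splunk UBA or its documentation. They take certificate paths as arguments because the page does not say where the containerization or web server certificates live; `CERT_WARN_DAYS` is a variable invented here.

```shell
#!/bin/sh
# Added example, not Splunk's code: find the UBA-13804 and UBA-13921
# certificate problems before they surface. Certificate paths are
# deployment-specific and are passed in by the caller.

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
cert_expires_within() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1 && return 1
    return 0
}

# Return 0 if the certificate carries a Subject Alternative Name extension,
# which browsers have required for years; a bare CN is no longer enough.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'Subject Alternative Name'
}

# Print the notAfter date of the certificate in $1.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Check one PEM certificate. Exit status:
#   0 usable, 1 expires within $2 days (default 30), 2 no SAN, 3 unreadable.
check_cert() {
    f="$1"; warn="${2:-30}"
    if ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
        echo "$f: not a readable PEM certificate"
        return 3
    fi
    if cert_expires_within "$f" "$warn"; then
        echo "$f: expires within $warn days (notAfter=$(cert_not_after "$f")); renew before then"
        return 1
    fi
    if ! cert_has_san "$f"; then
        echo "$f: no subjectAltName; browsers will reject it regardless of the CN"
        return 2
    fi
    echo "$f: ok until $(cert_not_after "$f")"
    return 0
}

# Check every certificate given and return the worst status seen, so the
# script can be used from cron or a monitoring check. CERT_WARN_DAYS
# (invented here) sets the expiry warning window.
check_certs() {
    worst=0
    for f in "$@"; do
        check_cert "$f" "${CERT_WARN_DAYS:-30}" && rc=0 || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

Point `check_certs` at the UBA web server certificate and at the certificates that setup-containerization generated on the master node; with `CERT_WARN_DAYS=60` in a scheduled job, the one-year expiry behind UBA-13804 shows up as a warning two months early, which leaves time to run the remove-containerization/setup-containerization workaround during a maintenance window instead of during an outage.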
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0