Configure warm standby in Splunk UBA
Configure a warm standby failover solution for Splunk UBA. When configured, the primary system synchronizes data with the standby system so that the standby system can be used in a read-only capacity. All platform services such as Zookeeper, Hadoop, Postgres, Impala, Redis, and containers are running on the standby system, but all Splunk UBA services are stopped.
See How Splunk UBA synchronizes the primary and standby systems for more information about synchronization between the primary and standby systems.
Set the roles of the primary and standby systems
Configuring warm standby in Splunk UBA requires that you clearly define the role of each system whenever there is a change.
- When a primary system (System A) becomes unavailable due to an unexpected outage or a planned upgrade, you can manually fail over to the standby system (System B).
- In order for System B to act as the primary system, you must configure System B to be the primary system and System A to be the standby system. Splunk UBA can't change system roles automatically.
- Then, if you want System A to return as the primary system, you must first fail over from System B to System A, then switch the roles of both systems so that System A is the primary system and System B is the standby system.
The following table shows how you must change the roles of both systems. In the example, System A is the system currently running Splunk UBA, and System B will be set up as the backup system.
Scenario | Description |
---|---|
Configure the standby Splunk UBA system (System B), so that all platform services are running and all Splunk UBA services are stopped. System A synchronizes data to System B in read-only mode.
System B should run in read-only mode. Do not start any Splunk UBA services on the standby system. If you do, the PostgreSQL logs can fill up and negatively affect performance. See Clean up the standby system if you accidentally started Splunk UBA services. | |
As needed, manually fail over from the primary system to the standby system. See Failover to a standby Splunk UBA system.
| |
If needed, recover the system that became unavailable (System A) and change its role to be the standby system. If you performed a failover as part of a planned upgrade or HA/DR test, power System A back up, then change its role to be the standby system. Both of the following tasks must be performed:
| |
If you want to continue with System B as the primary system and System A as the standby system, you don't need to do anything else.
| |
Manually fail over from System B back to System A. See Failover to a standby Splunk UBA system. The failover operation disables replication between the systems. | |
Change the roles of both systems to make System A the primary system again. Both of the following tasks must be performed:
|
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1