Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Known Issues in Splunk UBA

This version of Splunk UBA has the following known issues and workarounds.

If no issues are listed, there are no known issues at this time.


Date filed Issue number Description
2022-09-06 UBA-16289 7-node UBA deployment has an invalid value for system.messaging.rawdatatopic.retention.time in caspidatunables-7_node.conf

Workaround:
SSH into the management node as the caspida user

1. Edit the following two files:

/etc/caspida/local/conf/deployment/uba-tuning.properties
/opt/caspida/conf/deployment/recipes/caspida/caspidatunables-7_node.conf
Correct field
system.messaging.rawdatatopic.retention.time
to be
1d
instead of
1dq

2. Sync-cluster

/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/deployment/
/opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/deployment/recipes/caspida/

3.Restart cluster

/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
2022-04-14 UBA-15607, UBA-14237 Unable to create Anomaly Table filter or AAR specifying filter for Specific Devices when specifying over 20 CIDR/s
2022-04-14 UBA-15608, UBA-14502 Exporting >4.3K Anomalies table results - crashes UBA UI (Permanent fix for UBA-14502)
2022-02-14 UBA-15364 Spark HistoryServer running out of memory for large deployments with error: "java.lang.OutOfMemoryError: GC overhead limit exceeded"

Workaround:
Open the following file to edit on the Spark History Server: /var/vcap/packages/spark/conf/spark-env.sh

You can check deployments.conf field spark.history to find out which node runs the Spark History Server.

Update the following setting to 3G: SPARK_DAEMON_MEMORY=3G

Afterwards, restart the spark services:

/opt/caspida/bin/Caspida stop-spark && /opt/caspida/bin/Caspida start-spark
2022-01-25 UBA-15321 Upgrade script for ubuntu systems need revised commands to install external packages correctly

Workaround:
If the upgrade to UBA 5.0.5 failed in a lockdown environment with no internet connection, perform the following steps on the failed UBA node:
  1. Edit the file: /home/caspida/patch_uba_505/bin/utils/patch_uba.sh
  2. Replace the line ssh ${host} "${SUDOCMD} apt-get -y -f install ${ExtPkgsDir}/openjdk*.deb && exit" with ssh ${host} "${SUDOCMD} dpkg --force-confold --force-all --refuse-downgrade -i ${ExtPkgsDir}/openjdk*.deb && exit"
  3. Replace the line ${SUDOCMD} apt-get -y -f install ${ExtPkgsDir}/ca-certificates*.deb with ${SUDOCMD} dpkg --force-confnew --refuse-downgrade -i ${ExtPkgsDir}/ca-certificates*.deb
  4. Save the file.
  5. Run the upgrade script again.

2021-12-06 UBA-15164 Download Diagnostics "Parsers" for multi-node misses /var/log/caspida/jobexecutor*
2021-09-29 UBA-14894 UBA EPS drops after Splunk 8.2.1/8.2.2 upgrade on search heads used by data sources
2021-08-05 UBA-14678 Splunk UBA Kafka App is missing the distsearch.conf file
2021-07-26 UBA-14629 Need to handle upgrade for TimeSeries Custom Model
2021-05-04 UBA-14516 Health Monitor - An error occurred while retrieving data - Error from /uba/monitor Invalid Json response: Error in getting the response Parameters: {"queryStatus":true,"queryDataQualityStatus":true}

Workaround:
  1. Stop all Splunk UBA services on node 1:
    /opt/caspida/bin/Caspida stop-all
  2. On each Splunk UBA node, edit the java.security file in -
    /usr/lib/jvm/java-*/jre/lib/security/java.security
    and remove TLSv1 and TLSv1.1 from the following property
     jdk.tls.disabledAlgorithms 
  3. The folder in /usr/lib/jvm will be different on different environments. For example- The absolute path for java.security file in Ubuntu is,
    /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security
  4. Start all Splunk UBA services on node 1:
    /opt/caspida/bin/Caspida start-all
  5. Verify there are no more errors in UI.

2021-01-25 UBA-14390 New threats sent to ES have incorrect "status" field value
2021-01-12 UBA-14382 "HTTP 400 -- Error in 'sendtoubakafka' command: External search command exited unexpectedly with non-zero error code 1."
2021-01-11 UBA-14379 Discrepancy between Threats and notable events in ES

Workaround:
As a temporary workaround, edit the search in ES. Look for the "UEBA Threat Detected" correlation search removing '| search uba_threat_status != closed'



2021-01-05 UBA-14376 Custom Model Invalid anomaly custom field 'uniqueDestinations
2020-12-03 UBA-14354 Spark Nodes out of sync with Master after 5.0.4 Upgrade
2020-11-20 UBA-14339 Custom Models TimeSeries model errors associated with missing skipOldAnomaliesThreshold
2020-11-09 UBA-14305 Upgrading to 5.0.4 /opt/caspida/lib/CaspidaSecurity.jar is not synced after upgrade

Workaround:
After completing the upgrade to Splunk UBA 5.0.4, run the following commands on the master node in your Splunk UBA deployment:
/opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida sync-cluster
/opt/caspida/bin/Caspida start
2020-10-30 UBA-14287, UBA-17142 Issue while deleting datasource referencing other UBA original primary cluster
2020-06-29 UBA-14199, UBA-12111 Impala jdbc connections leak

Workaround:
  1. Create a file containing the following script on node 1 in your Splunk UBA deployment (node 2 on a 20-node Splunk UBA deployment). For example, copy and paste the script to a new file in /etc/caspida/local/conf/impala_status_check.sh:
    #!/bin/bash
    log_file=$1
    if test -f "$log_file"; then
       tail -n 100 $log_file > /tmp/tmp_log_file.log
       mv /tmp/tmp_log_file.log $log_file
    fi
    connection_count=$(netstat -an | grep :21050 | grep ESTABLISHED | wc -l)
    now=$(date)
    if [ "$connection_count" -gt 500 ]; then
       echo "[$now] $connection_count impala connection(s), restarting impala"
       sudo service impala-server restart
       if [ $? -eq 0 ]; then
          echo "restart succeeded"
        else
          echo "restart failed. return code: $?"
       fi
    else
       echo "[$now] $connection_count impala connection(s), status is good"
    fi
    
  2. Make the script executable:
    chmod +x /etc/caspida/local/conf/impala_status_check.sh
    
  3. Add the following line to cron using crontab -e:
    0 8 * * * /etc/caspida/local/conf/impala_status_check.sh >> /var/log/impala/impala_status.log 2>&1
    

2020-04-10 UBA-13810 CSV Export of 3000 or More Anomalies Fails
2020-04-07 UBA-13804 Kubernetes certificates expire after one year

Workaround:
Run the following commands on the Splunk UBA master node:
/opt/caspida/bin/Caspida remove-containerization
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
2019-10-07 UBA-13227 Backend anomaly and custom model names are displayed in Splunk UBA

Workaround:
Click the reload button in the web browser to force reload the UI page.
2019-08-29 UBA-13020 Anomalies migrated from test-mode to active-mode won't be pushed to ES
2019-08-06 UBA-12910 Splunk Direct - Cloud Storage does not expose src_ip field

Workaround:
When ingesting Office 365 Sharepoint/OneDrive logs through Splunk Direct - Cloud Storage, add an additional field mapping for src_ip in the final SPL to be mapped from ClientIP (| eval src_ip=ClientIP). Make sure to add src_ip in the final list of fields selected using the fields command. For example:
| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip

Last modified on 11 July, 2023
Welcome to Splunk UBA 5.0.4   Fixed Issues in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters