Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Send Splunk UBA audit events to Splunk ES

Send audit events from Splunk UBA to Splunk ES so that you can maintain a history of specific actions taken by analysts and hunters in Splunk UBA. For example, if there is a need to re-examine a closed threat, you can use the audit history to determine the analyst who closed the threat.

Perform the following tasks to send audit events to the Splunk platform to be added to the _audit index:

  1. Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
  2. Set up a search head or forwarder to receive data from Splunk UBA.
  3. Configure the Splunk platform to receive data from the Splunk UBA output connector.

Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA

Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform:

  1. Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true:
    uba.sys.audit.push.splunk.enabled=true
  2. Run the following command to synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Run the following commands to restart Caspida services:
    /opt/caspida/bin/Caspida stop
    /opt/caspida/bin/Caspida start
    

Set up a search head or forwarder to receive data from Splunk UBA

You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.

  • In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
  • In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.

Perform the following steps to set up a search head to receive data from Splunk UBA:

  1. In Splunk Web, select Settings > Data Inputs.
  2. In the TCP row, click Add New.
  3. Enter 10008 in the Port field. This is the port configured to work with Splunk UBA.

Perform the following steps to set up a forwarder to receive data from Splunk UBA:

  1. Deploy the Splunk Add-on for Splunk UBA to the forwarder. See Deploy the Splunk Add-on for Splunk UBA.
  2. Configure the TCP input on the Splunk forwarder. See Get data from TCP and UDP ports in the Splunk Enterprise Getting Data In manual for information on how to configure a Splunk forwarder to receive a syslog input.

Configure the Splunk platform to receive data from the Splunk UBA output connector

The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.

Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.

The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.

Steps on the Splunk Enterprise search head

Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:

  1. Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
    cd /opt/splunk/etc/apps/Splunk_TA_ueba
    mkdir local
    cd local
    
  2. Create a file called inputs.conf and add the following stanza:
    [tcp-ssl:10008]
    listenOnIPv6 = no
    index = ueba
    sourcetype = ueba
    serverCert = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = password
    

  3. Restart Splunk Enterprise.
    1. In Splunk Web, select System > Server controls.
    2. Click Restart Splunk.
  4. Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log, as shown in the following examples:
    11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL

    OR

    02-28-2024 22:34:37.330 +0000 INFO  TcpInputConfig [3996510 TcpListener] - IPv4 port 10008 is reserved for raw input (SSL)
  5. Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.

    If you use your own third-party certificate, copy that certificate file to /home/caspida on the Splunk UBA management server. Do not copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance.

Steps on the Splunk UBA management server

Perform the following steps on the Splunk UBA management server:

  1. Log in to the Splunk UBA management server as the caspida user.
  2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
    . /opt/caspida/bin/CaspidaCommonEnv.sh
  3. Import the rootCA certificate to the Java certificate store.

    If you use your own third party certificate, replace ~/cacert.pem with that third party certificate in the following commands.

    On RHEL systems, use the following command:

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem

    On other Linux systems, use the following command:

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  4. When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
  5. From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm the following parameter is set to "true" as shown:
    connectors.output.splunkes.ssl=true
  6. Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    
Last modified on 26 March, 2024
PREVIOUS
Set up Splunk UBA to send user and device association data to Splunk Enterprise Security
 

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters