Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Upgrade Splunk UBA prerequisites

You can upgrade to Splunk UBA 5.3.0 from Splunk UBA version 5.1.0, or higher. See How to install or upgrade to this release of Splunk UBA for upgrade path information.

  • If you are running a version lower than 5.1.0, you must first upgrade to version 5.1.0 to upgrade to version 5.3.0.
  • If you are running a version lower than 5.0.5, you must first upgrade to version 5.0.5, then upgrade to version 5.1.0, and then upgrade to version 5.3.0.

Before you upgrade, perform the following tasks:

Hadoop ports changed for Splunk UBA version 5.1.0 and higher. See Networking requirements to verify Hadoop port information before upgrading.

  1. In RHEL Linux environments:
    1. Ensure that Splunk UBA has access to RHEL repositories.
    2. When installed on RHEL 8.x operating systems, Splunk UBA uses a 2048 bit RSA encryption key. The Splunk platform that communicates with Splunk UBA must also use a 2048 bit encryption key. See Red Hat Enterprise Linux 8.x cryptographic policies.
  2. Review the Known issues for this release in the Release Notes manual.
  3. The software update contains two archive files approximately 864M and 4.5G. The total extract size is 7.2G. Verify that you have enough free space in /home/caspida to store the extracted installer files.
  4. Backup your system. See Prepare to backup Splunk UBA in Administer Splunk User Behavior Analytics.
  5. Make sure your system is running normally by using the uba_health_check.sh shell script.
    /opt/caspida/bin/utils/uba_health_check.sh
    See Check system status before and after installation for more information about the script.
  6. If your caspida account user has restricted sudo access, follow the steps in Enable all sudo access for the caspida account to temporarily provide sudo access privileges.
    1. After the upgrade is complete, follow the steps in Restrict sudo access for the caspida account to re-secure your caspida user.


Verify Postgres Collate and Ctype values

Perform the following steps to verify the values of Collate and Ctype:

Run these commands on the Postgres node. For a 20-node deployment, that is node 2. For non-20-node deployments, that is node 1.

  1. Check the Collate and Ctype values in a database. Confirm the values are en_us.UTF-8.
    Run the following command:
    psql -d caspidadb -c "\l"
  2. If the values are correct, you are done.
    The following image shows an example of correct Collate and Ctype values: This image shows the results from running the command in this step. A series of columns and rows is displayed including columns for Collate and Ctype. The value under both these columns is en_US.UTF-8.
  3. If the values are incorrect, run the following command to update them:
    psql -d caspidadb -c "UPDATE pg_database SET datcollate = 'en_US.UTF-8', datctype = 'en_US.UTF-8'"
    
  4. Run the following command to verify the update:
    psql -d caspidadb -c "\l"

Validate the UMASK value

Ensure the UMASK value of the root user is set to 0002 or 0022, or grant read permissions for newly created files and directories to the caspida user.

Complete the following steps to validate the UMASK value:

  1. Check the UMASK value of the root user by running the following command. The value must be 0002 or 0022:
    umask
  2. Verify the UMASK value in the /etc/login.defs file:
    grep -i "^UMASK" /etc/login.defs

    The umask value specified in /etc/login.defs applies as the default for all users.

  3. Validate the permissions for new files and directories:
    1. As the caspida user, create a new file or directory using sudo to observe the permissions:
      sudo touch testfile.txt 
      sudo mkdir testdirectory
      
    2. Next, check the permissions of the created files and directories. The read permission for caspida(other) users is required:
      ls -l testfile.txt 
      ls -ld testdirectory
      

To set the required umask value, edit the /etc/login.defs file and set the UMASK value to 022.

If the caspida user does not have read permissions, update the UMASK value accordingly. Failure to provide the required permission to the caspida user will result in a UBA installation or upgrade failure.

Instructions to upgrade your Splunk UBA deployment

After satisfying the prerequisite requirements, go to one of the following:

Upgrade multiple Splunk UBA clusters that are using warm standby

If you have two Splunk UBA clusters running in a warm standby configuration, perform the following tasks to upgrade both clusters. Links to documentation in the Administer Splunk User Behavior Analytics manual are provided. In this example, the original primary system is called System A and the standby system is called System B.

  1. Verify that both the System A and System B are configured for warm standby and are running as expected. See Verify that the primary and standby systems are synchronized .
  2. Manually trigger a sync between System A and System B. See Synchronize the primary and standby systems on-demand.
  3. Perform a failover from System A to System B. See Failover to a standby Splunk UBA system.
  4. Switch the roles of both systems to reflect the failover. See Change the role of both systems to switch the primary and standby systems.
  5. Failover from System B back to System A. See Failover to a standby Splunk UBA system.
  6. Switch the roles of both system again to reflect the second failover operation. See Change the role of both systems to switch the primary and standby systems.
  7. Run the uba_health_check.sh script. See Check system status before and after installation in the Install and Upgrade Splunk User Behavior Analytics manual.
  8. Use the health monitor to verify that both Splunk UBA systems are up and running.
  9. Upgrade the primary system (System A) to this release. Follow the upgrade instructions for your operating system.
  10. Upgrade the standby system (System B) to this release. Follow the upgrade instructions for your operating system.
  11. Check /var/log/caspida/UpgradeStatus-<release>.properties on both systems to verify that the upgrade succeeded. See Verify a successful upgrade of Splunk UBA in the Install and Upgrade Splunk User Behavior Analytics manual.
Last modified on 01 May, 2024
Secure the default account after installing Splunk UBA   Upgrade a single node AMI or OVA installation of Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters