Upgrade a single node OEL installation of Splunk UBA
Perform the following steps to upgrade a single node OEL installation of Splunk UBA.
OEL Leapp updated its base operating system to OEL version 8.10. OEL 8.10 has been tested for UBA 5.4.0 but does require an additional step at the "Perform UBA upgrade" stage. Alternately, you can refrain from upgrading until the release of UBA version 5.4.1.
OEL Leapp regularly updates its base operating system to the latest version of OEL 8.x. If you are a Splunk UBA customer using OEL, refrain from upgrading OEL until you verify the OEL version Leapp will upgrade your environment to is supported by the target UBA version. For information on the latest OEL version, see https://docs.oracle.com/en/operating-systems/oracle-linux/8 /.
Prerequisites
Complete the following steps to ensure your system is correctly set up for upgrading Splunk UBA:
- Review the new features in this version of Splunk UBA for any changes that might need to be addressed before upgrading. See What's new in the Release Notes manual.
- Confirm you meet the Upgrade Splunk UBA prerequisites. Make sure that the prerequisites are verified on each server in the distributed deployment.
- Make sure the correct hadoop ports are open. See, Inbound networking port requirements.
- If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), preserve the associated certificate before upgrading.
Use the following command to export the certificate:For more information on sending audit data to ES see, Send Splunk UBA audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual.. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -exportcert -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/splunk-es_cacert.pem
- If you have enabled validation of the SSL certificate from Splunk ES, export the SSL certificate used for validating datasources from the Splunk Enterprise platform:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -exportcert -alias "SplunkESRootCA" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/SplunkESRootCA.pem
- If you have enabled the integration that sends UBA events to Splunk ES, add
connection_host = ip
to the HTTP Event Collector (HEC)inputs.conf
on the ES search head.
For example:
This ensures that the host field remains the sender's (UBA) IP address instead of the default HEC host and port./opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
- Customers with existing UBA-ES integrations must comment out or remove the previously configured
[tcp-ssl:10008]
stanza from theSplunk_TA_ueba
inputs.conf on the Splunk ES search head to avoid having an unused listener.
Stop all UBA services and archive
Switch to the caspida user and perform the following steps to archive the older version of Splunk UBA:
- Stop all the caspida services:
/opt/caspida/bin/Caspida stop-all
- Archive the older version of UBA. REPLACE <old-uba-version> with your UBA version:
sudo mkdir -p /var/vcap/release_archives sudo mv /opt/caspida /var/vcap/release_archives/caspida-<old-uba-version> sudo mkdir -p /opt/caspida && sudo chown caspida:caspida /opt/caspida sudo chown caspida:caspida /var/vcap/release_archives sudo chown caspida:caspida /var/vcap/release_archives/caspida-<old-uba-version>
Upgrade your OEL operating system from 8.x to 8.10
Perform the following tasks on each Splunk UBA node to upgrade your OEL operating system to version 8.10:
- Log in to the server as the root user.
- Perform the initial check of the system.
- Set system locale to en_US.UTF-8 inside /etc/locale.conf file:
LANG="en_US.UTF-8" LC_CTYPE="en_US.UTF-8"
- Source the /etc/locale.conf file:
source /etc/locale.conf
- Set system locale to en_US.UTF-8 inside /etc/locale.conf file:
- Remove the
rootcerts
package before upgrading to OEL 8.10:sudo rpm -e --nodeps rootcerts-1:20201201.00-2.mga8.noarch
- Perform the upgrade:
sudo yum update -y
- Manually reboot the system
reboot
Perform UBA upgrade
Perform the following tasks to upgrade Splunk UBA on a single node.
- Switch to caspida user and perform the following steps to archive the older version of UBA.
- On the management node, download the latest UBA branch build
splunk-uba-software-upgrade-package_540.tgz
and untar the UBA bits to/home/caspida directory
:$ tar xvzf /home/caspida/splunk-uba-software-upgrade-package_540.tgz Splunk-UBA-Platform-5.4.0-20240424-16474780.tgz Splunk-UBA-Platform-5.4.0-20240424-16474780.tgz.md5sum uba-ext-pkgs-5.4.0.tgz uba-ext-pkgs-5.4.0.tgz.md5sum
- Download and untar the UBA 5.4.0 Platform build inside the /opt/caspida/ folder:
tar xvzf /home/caspida/Splunk-UBA-Platform-5.4.0-20240424-16474780.tgz -C /opt/caspida
- (Optional) Follow the steps to turn on FIPS compliance. See Turn on FIPS compliance.
- Run the following command to update the supported OEL version to include version 8.10 in
uba_upgrade_common.sh
:sed -i 's/export OEL_VERSION=("8.8" "8.9")/export OEL_VERSION=("8.8" "8.9" "8.10")/g' /opt/caspida/bin/uba_upgrade_common.sh
- Run the UBA upgrade script, using the path to your archived UBA from step 2 in the Stop all UBA services and archive section.
The
path-to-prev-uba-archive
might be/var/vcap/release_archives/caspida-
depending on your archived UBA version number./opt/caspida/upgrade/utils/upgrade_uba.sh -p /var/vcap/release_archives/caspida-<old-uba-version> -e /home/caspida/uba-ext-pkgs-5.4.0.tgz
The command installs the new Splunk UBA software, restarts Splunk UBA, and then restarts the data sources. - Ensure the proper configuration of the Splunk forwarder. Commands must be executed on the management node.
- Stop UBA's Splunk forwarder:
/opt/caspida/bin/Caspida stop-splunk
- Run the following command to update TCP connector properties names in
outputs.conf
to the correct format:sed -i \ -e 's/sslpassword/sslPassword/g' \ -e 's/autolbfrequency/autoLBFrequency/g' \ -e 's/autolbvolume/autoLBVolume/g' \ -e 's/forcetimebasedautolb/forceTimebasedAutoLB/g' \ -e 's/clientcert/clientCert/g' \ -e 's/sslrootcapath/sslRootCAPath/g' \ -e 's/sslcommonnametocheck/sslCommonNameToCheck/g' \ -e 's/sslverifyservercert/sslVerifyServerCert/g' \ -e 's/useclientsslcompression/useClientSSLCompression/g' \ /opt/splunk/etc/apps/Splunk_UBA_Monitor/default/outputs.conf
- Clean
fishbucket
to force re-indexing of thetelemetry.data.out
events file:[ -f /var/log/caspida/telemetry/events/telemetry.data.out ] && /opt/splunk/bin/splunk cmd btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/caspida/telemetry/events/telemetry.data.out --reset
- Start UBA's Splunk forwarder:
/opt/caspida/bin/Caspida start-splunk
- Stop UBA's Splunk forwarder:
If you have previously imported an output connector certificate, re-import the certificate. See, Configure the Splunk platform to receive data from the Splunk UBA output connector in the Send and Receive Data from the Splunk Platform manual.
Turn on FIPS compliance
Turning on FIPS compliance is an optional step when installing or upgrading Splunk UBA.
Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher. Complete the following steps to turn on FIPS on each Splunk UBA node before running the upgrade script in the Perform UBA upgrade section.
Make sure that the operating system is on the target version before turning on FIPS.
- Run the following command to check the current status of FIPS:
sudo fips-mode-setup --check
- On each node, run the following command to turn on FIPS:
sudo fips-mode-setup --enable
- After successfully turning on FIPS, reboot the system:
sudo reboot
- Confirm FIPS is turned on:
sudo fips-mode-setup --check
- You can also verify the status using the following command.
You see a 1 if FIPS is turned on, otherwise 0.
cat /proc/sys/crypto/fips_enabled
Re-import the certificate used for sending UBA audit events to Splunk ES
If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), and you preserved the associated certificate in the Before you begin step, you can now re-import that certificate. Use the following command to re-import the certificate:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/splunk-es_cacert.pem
Re-import the SSL certificate used for validating datasources from the Splunk Enterprise platform
If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), use the following command to re-import the SSL certificate:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -import -alias "SplunkESRootCA" -keystore $JAVA_HOME/lib/security/cacerts -file ~/SplunkESRootCA.pem
For more information on SSL certificate validation, see Configure flag to enable or disable Splunk SSL certificate validation.
Apply security patches on your Linux operating system
Perform the following tasks to apply the latest Linux operating system security patches:
- Log in to the Splunk UBA server as the caspida user.
- Run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following commands to check for any available security updates:
sudo yum updateinfo list security all sudo yum updateinfo list sec
- Run the following command to resolve glibc package dependencies:
sudo yum update glibc-devel
- Run the following command to update all packages with the available security updates:
sudo yum update --security -y sudo yum --security update-minimal
- Reboot the system:
sudo reboot
- Run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Next steps
You can Verify a successful upgrade of Splunk UBA.
By default, the caspida user is given ALL access in /etc/sudoers
during Splunk UBA installation and upgrade. If you want to restrict sudo
access for the caspida user after Splunk UBA is upgraded, see Restrict sudo access for the caspida account.
Upgrade a single node RHEL installation of Splunk UBA | Upgrade a distributed AMI or OVA installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0
Feedback submitted, thanks!