Send all logs to Splunk Enterprise
Splunk UBA sends ERROR and WARN level events to Splunk Enterprise. You can include INFO level events if your environment is able to handle the additional load on the indexers.
Before including INFO level events, carefully consider the following:
- The Splunk UBA Monitoring App searches events in the _internal index. The inclusion of INFO level events can significantly affect search performance when using the app.
- The high number of events may flood the _internal index, causing other events within the same index to be evicted depending on the retention policy.
In Splunk UBA release 5.0 and later, you can obtain a new Splunk license for ingesting logs from Splunk UBA so that the _internal index is not overloaded. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Upgrade Splunk User Behavior Analytics.
Perform the following steps to send all logs including INFO level events to Splunk Enterprise:
- On the Splunk UBA master node, open the /opt/splunk/etc/apps/Splunk_UBA_Monitor/default/transforms.conf file.
- In the following statement:
  REGEX = ^[^,\n]*(,|.)\d\d\d( |;)(WARN|ERROR|- error)
  remove the filters for the WARN and ERROR events, so that all events are included as follows:
  REGEX = ^[^,\n]*(,|.)\d\d\d( |;)
- In distributed Splunk UBA environments, run the following command to synchronize all nodes in the Splunk UBA cluster:
  /opt/caspida/bin/Caspida sync-cluster /opt/splunk/etc/apps/Splunk_UBA_Monitor/default
- On the Splunk UBA master node, run the following commands to restart Splunk Enterprise on all nodes:
  /opt/caspida/bin/Caspida stop-splunk
  /opt/caspida/bin/Caspida start-splunk
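The following Python snippet is an added example, not part of the Splunk UBA documentation or the Splunk_UBA_Monitor app. It applies the two REGEX values above to a handful of constructed log lines so you can see exactly which events the original expression keeps (WARN, ERROR and "- error") and how many additional events the relaxed expression lets through. The log lines are invented for illustration and only mimic the log4j-style "timestamp,millis LEVEL" and "timestamp.millis;LEVEL;" layouts the expression is written for; they are not real Splunk UBA output, and the helper names are this example's own. Note that Splunk evaluates transforms against whole events rather than single lines, so a multi-line Java stack trace would be judged by its first line.

```python
import re

# REGEX as shipped in the Splunk_UBA_Monitor transforms.conf (copied from the page).
# Note that the "." inside "(,|.)" is unescaped, so it matches any single character.
KEEP_WARN_ERROR = re.compile(r"^[^,\n]*(,|.)\d\d\d( |;)(WARN|ERROR|- error)")

# The relaxed REGEX after the level filter is removed: anything carrying a
# millisecond timestamp followed by a space or semicolon matches.
KEEP_ALL = re.compile(r"^[^,\n]*(,|.)\d\d\d( |;)")

# Constructed sample events (not real Splunk UBA logs), covering both layouts
# the expression expects plus one line that matches neither.
SAMPLE_EVENTS = [
    "2024-03-01 10:15:02,123 INFO  JobScheduler - starting model batch",
    "2024-03-01 10:15:02,456 WARN  KafkaClient - consumer lag above threshold",
    "2024-03-01 10:15:03,789 ERROR ModelRunner - failed to persist anomaly",
    "2024-03-01 10:15:04.001;INFO;ETL;records processed=5000",
    "2024-03-01 10:15:04.222;- error;ETL;parser rejected record",
    "  at com.caspida.models.Runner.run(Runner.java:42)",
]


def forwarded(events, regex):
    """Return the events that the given REGEX would match (hypothetical helper)."""
    # ^ in the pattern anchors at the start of the event, as Splunk does.
    return [e for e in events if regex.search(e)]


def added_by_including_info(events):
    """Events that only reach Splunk Enterprise after the level filter is removed.

    This is the extra volume the page warns about: everything the relaxed
    expression accepts that the original WARN/ERROR expression rejected.
    """
    kept_before = set(forwarded(events, KEEP_WARN_ERROR))
    return [e for e in forwarded(events, KEEP_ALL) if e not in kept_before]


if __name__ == "__main__":
    print("With WARN/ERROR filter:")
    for e in forwarded(SAMPLE_EVENTS, KEEP_WARN_ERROR):
        print("  ", e)
    print("Additional events once INFO is included:")
    for e in added_by_including_info(SAMPLE_EVENTS):
        print("  ", e)
```

Run the script against a slice of your own UBA log files (for example by replacing SAMPLE_EVENTS with lines read from /var/log or wherever your deployment writes them) to estimate how much additional _internal index volume the relaxed expression will generate before you commit the change on the master node.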
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.0.0, 1.1