Enable Splunk UBA to forward data to Splunk Enterprise
After installing the Splunk UBA Monitoring app on the Splunk Enterprise search head, configure Splunk UBA to forward data to the Splunk platform.
Before you continue, make sure Splunk UBA is fully and properly installed or upgraded.
- For installation instructions, see Install Splunk User Behavior Analytics in the Install and Upgrade Splunk User Behavior Analytics manual.
- For upgrade instructions, see Upgrade Splunk UBA prerequisites and overview in the Install and Upgrade Splunk User Behavior Analytics manual.
Perform the following steps to enable Splunk UBA to forward data to Splunk Enterprise. All steps are performed on the management node only:
- If Splunk UBA is running, use the following command to stop Splunk UBA:
/opt/caspida/bin/Caspida stop
- Add the following properties to /etc/caspida/local/conf/uba-site.properties:
splunk.forwarder.enabled=true
splunk.forwarder.server.indexers=<splunk-host-to-forward-to>
If the port number is not the default port of 9997, specify the port number with the name of the host as follows:
splunk.forwarder.server.indexers=host1:9998
Use commas to separate multiple hosts. For example, to configure the forwarder to load balance across a three-node Splunk indexer cluster, specify the following:
splunk.forwarder.server.indexers=host1:9998,host2:9998,host3:9998
- In distributed deployments, synchronize the cluster to push configuration changes to all nodes:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Start Splunk UBA.
/opt/caspida/bin/Caspida start
- Start the Splunk forwarder.
/opt/caspida/bin/Caspida setup-splunk-forwarder
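The property edit in the steps above, as an added example that is not part of the Splunk documentation or of Splunk's own tooling: a shell helper that writes the two forwarder properties idempotently (replacing an existing line instead of appending a duplicate), fills in the default receiving port of 9997 for any host listed without one, and rejects malformed host:port entries before the file is touched. The file path, property names and default port are taken from the page; the function names, the UBA_SITE_PROPS override and the validation rules are my own assumptions. It is meant to run on the management node while Splunk UBA is stopped, before the sync-cluster and start steps.

```shell
#!/usr/bin/env bash
# Added example, not Splunk's tooling: set the Splunk UBA forwarder
# properties in uba-site.properties without creating duplicate keys.
# Assumed: function names, the UBA_SITE_PROPS override, validation rules.
set -eu

UBA_SITE_PROPS="${UBA_SITE_PROPS:-/etc/caspida/local/conf/uba-site.properties}"
DEFAULT_INDEXER_PORT=9997   # default Splunk receiving port named on the page

# validate_host_port HOST PORT: non-empty host, numeric port in 1..65535.
validate_host_port() {
  local host="$1" port="$2"
  [ -n "$host" ] || { echo "empty host in indexer list" >&2; return 1; }
  case "$port" in
    ''|*[!0-9]*) echo "invalid port '$port' for host '$host'" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
    || { echo "port out of range for host '$host': $port" >&2; return 1; }
}

# normalize_indexers "host1 host2:9998" -> "host1:9997,host2:9998"
# Takes a space-separated list, adds the default port where missing and
# returns the comma-separated form the property expects.
normalize_indexers() {
  local out="" entry host port
  for entry in $1; do
    host="${entry%%:*}"
    if [ "$entry" = "$host" ]; then
      port="$DEFAULT_INDEXER_PORT"
    else
      port="${entry#*:}"
    fi
    validate_host_port "$host" "$port" || return 1
    out="${out:+$out,}$host:$port"
  done
  printf '%s\n' "$out"
}

# set_property FILE KEY VALUE: replace an existing KEY=... line or append.
set_property() {
  local file="$1" key="$2" value="$3"
  if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
    # Write to a temp file first so a failed sed never truncates the config.
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_property FILE KEY: print the value of the last KEY=... line.
get_property() {
  grep "^$2=" "$1" | tail -n1 | cut -d= -f2-
}

# configure_forwarder FILE "host[:port] ...": validate first, then write both
# properties. Nothing is written if any entry is rejected.
configure_forwarder() {
  local file="$1" indexers
  indexers="$(normalize_indexers "$2")" || return 1
  set_property "$file" splunk.forwarder.enabled true
  set_property "$file" splunk.forwarder.server.indexers "$indexers"
}

# Usage on the management node (hosts are placeholders):
#   configure_forwarder "$UBA_SITE_PROPS" "host1:9998 host2:9998 host3:9998"
```

Because the indexer list is validated before either property is written, a typo in one host leaves uba-site.properties unchanged rather than half-edited; the `sed` uses `|` as its delimiter, so the only value that would need escaping is one containing `|`, which a host:port list never does.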
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.0.0, 1.1