Splunk® User Behavior Analytics Monitoring App

Splunk UBA Monitoring App

Enable Splunk UBA to forward data to the Splunk platform

After installing the Splunk UBA Monitoring App on the search head, configure Splunk UBA to forward data to the Splunk platform. By default, data is forwarded to the _internal index on the Splunk platform, but you can also create your own index. See Send Splunk UBA logs to a custom index on the Splunk platform.

  1. If you are sending Splunk UBA logs to Splunk Cloud Platform, see Set up Splunk UBA to forward data to Splunk Cloud Platform.
  2. If you are sending Splunk UBA logs to Splunk Enterprise, see Set up Splunk UBA to forward data to Splunk Enterprise.

Before you continue, make sure Splunk UBA is fully and properly installed or upgraded.

Set up Splunk UBA to forward data to Splunk Cloud Platform

To enable Splunk UBA to send data to Splunk Cloud Platform, begin by downloading the universal forwarder credentials file. This file contains a custom certificate for your Splunk Cloud Platform deployment.

  1. Download the forwarder credentials:
    1. In your Splunk Cloud Platform deployment, navigate to the Splunk Cloud Platform home page.
    2. Click Universal Forwarder.
    3. On the Splunk Cloud Platform home page, click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
    4. When prompted, click Save File.
    5. Click OK. The splunkclouduf.spl file downloads to the Downloads directory. If you download to a different location, make note of that location.
  2. Install the forwarder credentials on the forwarder in your Splunk UBA instance. In distributed Splunk UBA deployments, there is a forwarder on each Splunk UBA node.
    1. Log in to the Splunk UBA management node as the caspida user.
    2. Move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/apps/ directory.
    3. Open a shell or command prompt.
    4. Unpack the credentials package with the following command:
      tar xvf splunkclouduf.spl
    5. In distributed deployments, run the following command the synchronize the cluster and push the unpacked credentials to all Splunk UBA nodes. Replace <unpacked_credentials_package_name> with the actual folder name in your environment.
      /opt/caspida/bin/Caspida sync-cluster $SPLUNK_HOME/etc/apps/<unpacked_credentials_package_name>
  3. (Optional) If you do not have an existing $SPLUNK_HOME/etc/system/local/outputs.conf file, perform the following tasks, then skip to Step 5. If the $SPLUNK_HOME/etc/system/local/outputs.conf file already exists in your system, go to Step 4.
    1. On the Splunk UBA master node, open the $SPLUNK_HOME/etc/apps/<unpacked_credentials_package_name>/default/outputs.conf file, and copy the value of the defaultGroup property in the [tcpout] stanza.
    2. On each Splunk UBA node, append this value to the existing defaultGroup property in the $SPLUNK_HOME/etc/system/local/outputs.conf file. Use a comma to separate multiple values.
    3. Restart Splunk on the Splunk UBA management node:
      /opt/caspida/bin/Caspida stop-splunk
      /opt/caspida/bin/Caspida start-splunk
      
  4. (Optional) If you have an existing $SPLUNK_HOME/etc/system/local/outputs.conf file, perform the following steps to enable Splunk UBA on all instances and bypass the license acceptance:
    1. Add the following property and value to the /etc/caspida/local/conf/uba-site.properties file:
      splunk.forwarder.enabled=true
    2. In distributed deployments, synchronize the cluster to push configuration changes to all nodes:
      /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
    3. Run the following commands to restart Caspida:
      /opt/caspida/bin/Caspida stop 
      /opt/caspida/bin/Caspida start 
      
  5. Verify if the logs are forwarded to the Splunk Cloud Platform instance. Run a search on the Splunk Cloud Platform instance to see if there are logs coming from the Splunk UBA host. For example, to check if there are logs coming from the Splunk UBA host named ubahost to the default _internal index:

    index="_internal" host="ubahost"

Set up Splunk UBA to forward data to Splunk Enterprise

Perform the following steps to enable Splunk UBA to forward data to Splunk Enterprise. All steps are performed on the Splunk UBA management node only. You don't need to set up a forwarder separately in this procedure because the setup-splunk-forwarder command does that for you.

  1. If Splunk UBA is running, use the following command to stop Splunk UBA:
    /opt/caspida/bin/Caspida stop
  2. Add the following properties to /etc/caspida/local/conf/uba-site.properties:
    splunk.forwarder.enabled=true
    splunk.forwarder.server.indexers=<splunk-host-to-forward-to>
    

    If the port number is not the default port of 9997, specify the port number with the name of the host as follows:

    splunk.forwarder.server.indexers=host1:9998

    Use commas to separate multiple hosts. For example, to configure the forwarder to load balance across a three-node Splunk indexer cluster, specify the following:

    splunk.forwarder.server.indexers=host1:9998,host2:9998,host3:9998
  3. In distributed deployments, synchronize the cluster to push configuration changes to all nodes:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  4. Start Splunk UBA.
    /opt/caspida/bin/Caspida start
  5. Start the Splunk forwarder.
    /opt/caspida/bin/Caspida setup-splunk-forwarder

Use SSL to forward data from Splunk UBA to Splunk Enterprise

The setup-splunk-forwarder command sets up the /opt/splunk/etc/system/local/outputs.conf file to send data to the indexer. If you want to use SSL to send data from Splunk UBA to Splunk Enterprise, you must manually edit this file to add SSL and the default certificate.

  1. Make sure you are logged in to the Splunk UBA management node as the caspida user.
  2. Edit the /opt/splunk/etc/system/local/outputs.conf file and add the following properties to the [tcpout] stanza. In this example, the default certificate is /opt/splunk/etc/auth/server.pem. If you are using a custom certificate, replace this value with the location and file name of your own certificate.
    clientCert = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = <encrypted_password>
    sslVerifyServerCert = false
    
  3. Restart Splunk:
    /opt/caspida/bin/Caspida stop-splunk
    /opt/caspida/bin/Caspida start-splunk
    
Last modified on 07 April, 2022
Install the Splunk UBA Monitoring App   Send Splunk UBA logs to a custom index on the Splunk platform

This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.1, 1.1.2, 1.1.3, 1.1.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters