Splunk® Add-on for Splunk UBA

Send audit events to Splunk ES

Perform the following tasks to send audit events to the Splunk platform to be added to the _audit index.

  1. Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
  2. Set up a search head or forwarder to receive data from Splunk UBA.
  3. Connect Splunk UBA to the Splunk platform using SSL.

Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA

Perform the following tasks in Splunk UBA to begin enabling audit logs to be sent to the Splunk platform:

  1. Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true:
    uba.sys.audit.push.splunk.enabled=true
  2. In distributed deployments, synchronize the cluster. Run the following command:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf

Set up a search head or forwarder to receive data from Splunk UBA

You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.

  • In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
  • In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.

Perform the following steps to set up a search head to receive data from Splunk UBA:

  1. In Splunk Web, select Settings > Data Inputs.
  2. In the TCP row, click Add New.
  3. Enter 10008 in the Port field. This is the port configured to work with Splunk UBA.

Perform the following steps to set up a forwarder to receive data from Splunk UBA:

  1. Deploy the Splunk Add-on for Splunk UBA to the forwarder. See Deploy the Splunk Add-on for Splunk UBA.
  2. Configure the TCP input on the Splunk forwarder. See Get data from TCP and UDP ports in the Splunk Enterprise Getting Data In manual for information on how to configure a Splunk forwarder to receive a syslog input.

Configure the Splunk platform to receive data from the Splunk UBA output connector

The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.

Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.

The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.

Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:

  1. Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
    cd /opt/splunk/etc/apps/Splunk_TA_ueba
    mkdir local
    cd local
    
  2. Create a file called inputs.conf and add the following stanza. The sslPassword holds the password for the server certificate. The value for sslPassword must match what is in the sslConfig stanza in the /etc/system/default/server.conf file:
    [tcp-ssl:10008]
    listenOnIPv6 = no
    index = ueba
    sourcetype = ueba
    serverCert = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = password
    

  3. Restart Splunk Enterprise.
    1. In Splunk Web, select System > Server controls.
    2. Click Restart Splunk.
  4. Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log. For example:
    11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
  5. Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.

Perform the following tasks on the Splunk UBA management server:

  1. Log in to the Splunk UBA management server as the caspida user.
  2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
    . /opt/caspida/bin/CaspidaCommonEnv.sh
  3. Import the rootCA certificate to the Java certificate store.
    On RHEL or CentOS systems, use the following command:
    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem

    On other Linux systems, use the following command:

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  4. When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
  5. From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm the following parameter is set to "true" as shown:
    connectors.output.splunkes.ssl=true
  6. Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
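
As an added check, not part of the Splunk documentation or the add-on, the following POSIX shell helpers parse an inputs.conf for the stanza bound to the UBA port and look for the splunkd.log acceptor line from step 4, so you can confirm the listener really is a tcp-ssl input rather than a plain tcp input before UBA starts sending audit events. The sample inputs.conf and splunkd.log files are constructed inline; the function names and file paths are assumptions.

```shell
#!/bin/sh
# Added verification helpers (not part of Splunk documentation or the add-on):
# confirm that the listener Splunk UBA sends to is a TCP-SSL input, so audit
# events are not accepted in cleartext, and that splunkd actually started it.

# Print "ssl", "plain" or "missing" for the inputs.conf stanza bound to a port.
# Usage: uba_listener_mode <inputs.conf> <port>
uba_listener_mode() {
    awk -v port="$2" '
        /^\[/ {                      # stanza header, e.g. [tcp-ssl:10008]
            hdr = $0; gsub(/^\[|]$/, "", hdr)
            n = split(hdr, parts, ":")
            if (n == 2 && parts[2] == port) {
                if (parts[1] == "tcp-ssl") found = "ssl"
                else if (parts[1] == "tcp") found = "plain"
            }
        }
        END { print (found ? found : "missing") }
    ' "$1"
}

# Return 0 when splunkd.log records an SSL acceptor for the port (step 4 above).
# Usage: splunkd_ssl_acceptor <splunkd.log> <port>
splunkd_ssl_acceptor() {
    grep -q "TcpInputProc - Creating raw Acceptor for IPv4 port $2 with SSL" "$1"
}

# Combined check: fail if the stanza is missing or plain TCP, or if splunkd
# never logged the SSL acceptor. Usage: check_uba_listener <inputs.conf> <splunkd.log> <port>
check_uba_listener() {
    mode=$(uba_listener_mode "$1" "$3")
    [ "$mode" = "ssl" ] || { echo "port $3: listener is $mode, not tcp-ssl"; return 1; }
    splunkd_ssl_acceptor "$2" "$3" || { echo "port $3: no SSL acceptor in splunkd.log"; return 1; }
    echo "port $3: TCP-SSL listener configured and active"
}

# Constructed sample files: the stanza and log line from the procedure above,
# plus a plain [tcp:10008] stanza to show what the check rejects.
SAMPLE_DIR=$(mktemp -d)
printf '[tcp-ssl:10008]\nlistenOnIPv6 = no\nindex = ueba\nsourcetype = ueba\n' > "$SAMPLE_DIR/inputs.conf"
printf 'serverCert = $SPLUNK_HOME/etc/auth/server.pem\nsslPassword = password\n' >> "$SAMPLE_DIR/inputs.conf"
printf '[tcp:10008]\nindex = ueba\n' > "$SAMPLE_DIR/inputs_plain.conf"
printf '%s\n' '11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL' > "$SAMPLE_DIR/splunkd.log"

check_uba_listener "$SAMPLE_DIR/inputs.conf" "$SAMPLE_DIR/splunkd.log" 10008
```

On a real search head, point the functions at $SPLUNK_HOME/etc/apps/Splunk_TA_ueba/local/inputs.conf and $SPLUNK_HOME/var/log/splunk/splunkd.log instead of the sample directory.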
    
Last modified on 22 February, 2023
This documentation applies to the following versions of Splunk® Add-on for Splunk UBA: 3.0.0