
Remove Log4j from all Splunk UBA deployments
Splunk UBA includes Apache Spark containing Log4j libraries under the $SPLUNK_HOME/bin/jars/vendors/spark file path. Perform the following steps to remove Log4j from all Splunk UBA deployments:
- Log in to each Splunk UBA node as the caspida user.
- Run the following command to remove the files under the Apache Spark directory in the Splunk home directory (/opt/splunk):
sudo rm -rf /opt/splunk/bin/jars/vendors/spark/*
- After you have removed /opt/splunk/bin/jars/vendors/spark/* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user and run the following commands to restart Splunk UBA:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
Remove Log4j from your AMI and OVA Splunk UBA deployment
Splunk UBA includes Apache Storm and Apache Flume, both of which contain Log4j libraries. In Splunk UBA 5.x releases, you can remove Apache Storm and Apache Flume from your AMI and OVA deployment, which also removes their Log4j libraries and protects the deployment against the recent Log4j vulnerability.
Perform the following steps to remove Apache Storm and Apache Flume and their corresponding Log4j libraries:
- Log in to each Splunk UBA node as the caspida user.
- Run the following command to remove the Apache Storm directory and corresponding files:
sudo rm -rf /usr/share/apache-storm*
- (Optional) If you are not using the legacy Netcat or syslog data sources, run the following commands to remove flume-ng:
sudo rm -rf /opt/caspida/web/caspida-ui/plugins/syslog
sudo rm -rf /opt/caspida/web/caspida-ui/plugins/netcat
sudo rm -rf /usr/lib/flume-ng
- After you have removed /usr/share/apache-storm* and /usr/lib/flume-ng from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user.
- On the Splunk UBA management node only, run the following commands to restart Splunk UBA:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
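As an added verification step (not part of Splunk's documentation or the Splunk UBA product), the following shell helper lists any Log4j jars still present under the directories named in both procedures above, so you can run it on each node before and after the removal steps. It assumes POSIX sh and find; the optional root-prefix argument is only there so the helper can be exercised against a constructed test tree.

```shell
#!/bin/sh
# Verification helper added for this page; it is not part of Splunk's
# documentation or of the Splunk UBA product. It lists Log4j jars that remain
# under the directories the two procedures above tell you to delete.

# Directories named on this page. The optional first argument is a root prefix
# (assumption: an empty prefix means the real node paths) so the helper can be
# exercised against a constructed directory tree.
uba_log4j_paths() {
    root="${1:-}"
    printf '%s\n' \
        "$root/opt/splunk/bin/jars/vendors/spark" \
        "$root/usr/lib/flume-ng" \
        "$root/opt/caspida/web/caspida-ui/plugins/syslog" \
        "$root/opt/caspida/web/caspida-ui/plugins/netcat"
    # /usr/share/apache-storm* is a glob on the page, so expand it here.
    for d in "$root"/usr/share/apache-storm*; do
        if [ -e "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Print every log4j*.jar under those paths, one per line (paths on this page
# contain no whitespace, so plain word splitting is safe here).
# Returns 0 when none remain and 1 when at least one was found.
find_uba_log4j_jars() {
    root="${1:-}"
    found=0
    for d in $(uba_log4j_paths "$root"); do
        [ -d "$d" ] || continue
        for jar in $(find "$d" -type f -iname 'log4j*.jar' 2>/dev/null); do
            printf 'REMAINING: %s\n' "$jar"
            found=1
        done
    done
    return "$found"
}

# Run as the caspida user on each node; exit status 1 means jars are still present.
find_uba_log4j_jars "${UBA_CHECK_ROOT:-}"
```

Run it before the removal to see what will be deleted, and again afterwards on every node; a clean node prints nothing and exits 0.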
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1