Remove Log4j from all Splunk UBA deployments

Splunk UBA includes Apache Spark containing Log4j libraries under the $SPLUNK_HOME/bin/jars/vendors/spark file path. Perform the following steps to remove Log4j from all Splunk UBA deployments:

1. Log in to each Splunk UBA node as the caspida user.
2. Run the following command to remove files under the Apache Spark directory on Splunk home( directory /opt/splunk):

   sudo rm -rf /opt/splunk/bin/jars/vendors/spark/*

3. After you have removed /opt/splunk/bin/jars/vendors/spark/* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user and run the following commands to restart Splunk UBA:

   /opt/caspida/bin/Caspida stop-all
   /opt/caspida/bin/Caspida start-all
   

Remove Log4j from your AMI and OVA Splunk UBA deployment

Splunk UBA includes Apache Storm and Apache Flume containing Log4j libraries. In Splunk UBA 5.x releases, you can remove Apache Storm and Apache Flume to also remove Log4j in your AMI and OVA deployment to protect yourself from the recent Log4j exploit.

Perform the following steps to remove Apache Storm and Apache Flume and their corresponding Log4j libraries:

1. Log in to each Splunk UBA node as the caspida user.
2. Run the following command to remove the Apache Storm directory and corresponding files:

   sudo rm -rf /usr/share/apache-storm*

3. (Optional) If you are not using the legacy Netcat or syslog data sources, run the following commands to remove flume-ng:

   sudo rm -rf /opt/caspida/web/caspida-ui/plugins/syslog
   sudo rm -rf /opt/caspida/web/caspida-ui/plugins/netcat
   sudo rm -rf /usr/lib/flume-ng
   

4. After you have removed /usr/share/apache-storm* and /usr/lib/flume-ng from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user.
5. On the Splunk UBA management node only, run the following commands to restart Splunk UBA:

   /opt/caspida/bin/Caspida stop-all
   /opt/caspida/bin/Caspida start-all