Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Change the IP address of your Docker containers

By default, Docker containers in Splunk UBA use IP addresses in the 172.x.x.x range. If this conflicts with other network IP address ranges in your environment, perform the tasks below to customize your Docker IP ranges. In this example, we will change the default 172.x.x.x addresses to 192.168.0.1/24. Be sure to replace the example values with the actual values appropriate for your environment.

  1. Login to the Splunk UBA management server as the Caspida user.
  2. Stop all Splunk UBA services:
    /opt/caspida/bin/Caspida stop-all
  3. Run the following command on all nodes in the cluster:
    sudo service docker stop
  4. Add the following property and value to /etc/caspida/local/conf/uba-site.properties:
    system.docker.networkcidr=192.168.0.1/24
  5. Run the following command:
    /opt/caspida/bin/Caspida replace-properties
  6. In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster
  7. Restart all nodes in your cluster to ensure that the new IP range is in use.
  8. Start all Splunk UBA services:
    /opt/caspida/bin/Caspida start-all
  9. Run the ifconfig docker0 command to verify that the correct address range is being used. For example:
    caspida@uba-001:~$ ifconfig docker0
    docker0 Link encap:Ethernet HWaddr 02:42:7a:6a:d9:1d 
            inet addr:192.168.0.1 Bcast:0.0.0.0 Mask:255.255.255.0
            inet6 addr: fe80::42:7aff:fe6a:d91d/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
            RX packets:561746 errors:0 dropped:0 overruns:0 frame:0
            TX packets:643592 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0 
            RX bytes:32419199 (32.4 MB) TX bytes:6988449688 (6.9 GB)
    
Last modified on 07 January, 2020
Change the IP address of your Splunk UBA nodes   Send Splunk UBA data to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters