Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Install Splunk UBA on a single VMware virtual machine

Follow these instructions to install Splunk UBA 5.0.0 or 5.0.3 for the first time using the OVA image. If you already have Splunk UBA, do not follow the instructions on this page. Instead, follow the appropriate upgrade instructions to obtain your desired release. See How to install or upgrade to this release of Splunk UBA.

Perform the following steps to install Splunk UBA on a single VMware virtual machine.

  1. Download the Splunk UBA open virtual appliance (OVA) from Splunkbase. See Splunk UBA OVA Software.
  2. Deploy the Splunk UBA OVA on your virtual machine.
  3. Provision the virtual machine with three disks, one with 50GB of disk space and the other two with 1TB of disk space. Make sure that the 1TB disks are associated with the OVA.
  4. Log in to the virtual machine as the caspida user using SSH. Specify caspida123 as the existing default password. You will be prompted to provide the default password a second time, and then change the existing password. For example:
    ssh caspida@ubahost-001.example.com
    caspida@ubahost-001.example.com's password: 
    You are required to change your password immediately (root enforced)
    Changing password for caspida.
    (current) UNIX password:
    Enter new UNIX password:
    Retype new UNIX password:
    caspida$
    
    After changing the password you may be logged out. Log in to the virtual machine again using your new credentials.
  5. Verify that the system date, time and time zone are correct using the timedatectl command, as shown below. The time zone in Splunk UBA should match the time zone configured in Splunk Enterprise.
    caspida@ubahost-001$ timedatectl status
          Local time: Mon 2019-04-08 14:30:02 UTC
      Universal time: Mon 2019-04-08 14:30:02 UTC
            RTC time: Mon 2019-04-08 14:30:01
           Time zone: UTC (UTC, +0000)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: n/a
    

    Use the timedatectl command to change the time zone. For example, to change the time zone to UTC:

    timedatectl set-timezone UTC
    Refer to the documentation for your specific operating system to configure NTP synchronization. Use the ntpq -p command to verify that NTP is pointing to the desired server.
  6. The Splunk UBA OVA files contain the default hostname variable set to caspida. This must be changed to reflect the actual host name of the server.
    1. Use sudo to edit the /etc/hostname file and change the host name caspida to the short host name value of the server. For example, if your server is server1.company.com, replace caspida with server1.
    2. Run the following command to have changes take effect without a restart:
      sudo hostname -F /etc/hostname

      If you get an error, run the command again to allow the changes to take effect.

    Test your changes using the hostname command and verifying the following:

  7. Find the two additional 1TB disks using the sudo fdisk -l command. An example disk is /dev/sdb.
  8. Format and mount the additional 1TB disks associated with the OVA.
    1. Add the additional 1TB disk for Splunk UBA metadata storage. For example, using /dev/sdb as the 1TB disk:
      /opt/caspida/bin/Caspida add-disk /dev/sdb 
      Verify that the disk is /var/vcap. Refer to your Linux documentation if you prefer to add a disk manually without using the add-disk command.
    2. Add the additional 1TB disk for Spark. The disk should be mounted as /var/vcap2. Use the /opt/caspida/bin/Caspida add-disk <device> <mount> command. For example:
      /opt/caspida/bin/Caspida add-disk /dev/sdc /var/vcap2
  9. Verify that IPv6 drivers are available. To do this, check that /proc/sys/net/ipv6/ exists. For example:
    caspida@ubahost-001$ ls -l /proc/sys/net/ipv6/
    total 0
    -rw-r--r-- 1 root root 0 Mar 12 16:52 anycast_src_echo_reply
    -rw-r--r-- 1 root root 0 Mar 12 16:52 auto_flowlabels
    -rw-r--r-- 1 root root 0 Mar 12 16:52 bindv6only
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 conf
    -rw-r--r-- 1 root root 0 Mar 12 16:52 flowlabel_consistency
    -rw-r--r-- 1 root root 0 Mar 12 16:52 flowlabel_state_ranges
    -rw-r--r-- 1 root root 0 Mar 12 16:52 fwmark_reflect
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 icmp
    -rw-r--r-- 1 root root 0 Mar 12 16:52 idgen_delay
    -rw-r--r-- 1 root root 0 Mar 12 16:52 idgen_retries
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_high_thresh
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_low_thresh
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_secret_interval
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_time
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip_nonlocal_bind
    -rw-r--r-- 1 root root 0 Mar 12 16:52 mld_max_msf
    -rw-r--r-- 1 root root 0 Mar 12 16:52 mld_qrv
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 neigh
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 route
    -rw-r--r-- 1 root root 0 Mar 12 16:52 xfrm6_gc_thresh
    
    • If the IPv6 drivers exist, skip to the next step.
    • If IPv6 drivers do not exist on your system, verify that /etc/default/grub contains ipv6.disable=1. In some cases, IPv6 drivers will not be on a system if ipv6.disable=1 exists in /etc/default/grub. If ipv6.disable=1 does not exist in /etc/default/grub and IPv6 drivers do not exist, consult with your system or network administrators. You are not able to continue with the installation.
    • If /etc/default/grub contains ipv6.disable=1, perform the following tasks as root:
      1. Remove ipv6.disable=1 from /etc/default/grub.
      2. Recreate the grub config:
        grub2-mkconfig -o /boot/grub2/grub.cfg
      3. Reboot the machines. After the system comes up, make sure /proc/sys/net/ipv6 exists.

    To disable IPv6 functionality for security, networking or performance reasons, create the /etc/sysctl.d/splunkuba-ipv6.conf file as root. This file should contain the following content:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    
    This procedure keeps the IPv6 drivers but disables the IPv6 addressing.
  10. Generate SSH keys using the ssh-keygen -t rsa command. Press enter for all the prompts and accept all default values. For example:
    [caspida@ubahost-001]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/caspida/.ssh/id_rsa):
    Created directory '/home/caspida/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/caspida/.ssh/id_rsa.
    Your public key has been saved in /home/caspida/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:Ohe1oSpUtNT8siJzvn2lFLrHmVH7JGKke+c/5NRFb/g caspida@ubahost-001
    
  11. Copy the keys to the server. Enter the password for the caspida user when prompted for the password.
    ssh-copy-id <host name>
  12. Test the SSH connection is passwordless.
    ssh `hostname` <== Note the backquotes around hostname
    ssh localhost
  13. Run the following command to install or upgrade libjson-perl:
    sudo apt-get install libjson-perl
  14. Check the system status with the uba_pre_check.sh shell script. Run the following command on a single-node deployment and be sure to replace <node1> with the actual host name of your system.
    /opt/caspida/bin/utils/uba_pre_check.sh <node1>
    See Check system status before and after installation for more information about the script.
  15. Set up Splunk UBA.
    /opt/caspida/bin/Caspida setup
  16. When prompted, accept the license agreement and confirm removal of existing metadata.
  17. When prompted, type the host name, or the IP address of the Splunk UBA server installation.
  18. When prompted, confirm that you want to continue setting up Splunk UBA.
  19. After setup completes:
    1. Open a web browser and log in to the Splunk UBA server with the default admin credentials to confirm a successful installation. The default username is admin and password is changeme. See Secure the default account after installing Splunk UBA for information about the default accounts provided with Splunk UBA and how to secure them.
    2. See Verify successful installation for more information about verifying a successful installation.
Last modified on 16 March, 2023
Install Splunk User Behavior Analytics   Install Splunk UBA on a single Amazon Web Services instance

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters