Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Remove Log4j from all Splunk UBA deployments

This process does not remove Log4j-1.x files due to dependencies from core components including Spark, Hadoop, and Kafka. A resolution is expected in version 5.1.0 of Splunk UBA with upgrades to these core components.

Splunk UBA includes Apache Spark containing Log4j-2.x libraries under the $SPLUNK_HOME/bin/jars/vendors/spark file path. Perform the following steps to remove Log4j-2.x from all Splunk UBA deployments:

  1. Log in to each Splunk UBA node as the caspida user.
  2. Run the following command to remove files under the Apache Spark directory on Splunk home (directory /opt/splunk):
    sudo rm -rf /opt/splunk/bin/jars/vendors/spark/*
  3. After you have removed /opt/splunk/bin/jars/vendors/spark/* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user and run the following commands to restart Splunk UBA:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    

Remove Log4j from your AMI and OVA Splunk UBA deployment

Splunk UBA includes Apache Storm and Apache Flume containing Log4j-2.x libraries. In Splunk UBA 5.x releases, you can remove Apache Storm and Apache Flume to also remove Log4j-2.x in your AMI and OVA deployment to protect yourself from the recent Log4j exploit.

Perform the following steps to remove Apache Storm and Apache Flume and their corresponding Log4j-2.x libraries:

  1. Log in to each Splunk UBA node as the caspida user.
  2. Run the following command to remove the Apache Storm directory and corresponding files:
    sudo rm -rf /usr/share/apache-storm*
  3. (Optional) If you are not using the legacy Netcat or syslog data sources, run the following commands to remove flume-ng:
    sudo rm -rf /opt/caspida/web/caspida-ui/plugins/syslog
    sudo rm -rf /opt/caspida/web/caspida-ui/plugins/netcat
    sudo rm -rf /usr/lib/flume-ng
    
  4. After you have removed /usr/share/apache-storm* and /usr/lib/flume-ng from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user.
  5. On the Splunk UBA management node only, run the following commands to restart Splunk UBA:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    
Last modified on 11 May, 2023
Fixed Issues in Splunk UBA   Getting help with Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters