Remove Log4j from all Splunk UBA deployments
This process does not remove Log4j-1.x files due to dependencies from core components including Spark, Hadoop, and Kafka. A resolution is expected in version 5.1.0 of Splunk UBA with upgrades to these core components.
Splunk UBA includes Apache Spark containing Log4j-2.x libraries under the $SPLUNK_HOME/bin/jars/vendors/spark file path. Perform the following steps to remove Log4j-2.x from all Splunk UBA deployments:
- Log in to each Splunk UBA node as the caspida user.
- Run the following command to remove files under the Apache Spark directory on Splunk home (directory /opt/splunk):
sudo rm -rf /opt/splunk/bin/jars/vendors/spark/*
- After you have removed /opt/splunk/bin/jars/vendors/spark/* from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user and run the following commands to restart Splunk UBA:
/opt/caspida/bin/Caspida stop-all /opt/caspida/bin/Caspida start-all
Remove Log4j from your AMI and OVA Splunk UBA deployment
Splunk UBA includes Apache Storm and Apache Flume containing Log4j-2.x libraries. In Splunk UBA 5.x releases, you can remove Apache Storm and Apache Flume to also remove Log4j-2.x in your AMI and OVA deployment to protect yourself from the recent Log4j exploit.
Perform the following steps to remove Apache Storm and Apache Flume and their corresponding Log4j-2.x libraries:
- Log in to each Splunk UBA node as the caspida user.
- Run the following command to remove the Apache Storm directory and corresponding files:
sudo rm -rf /usr/share/apache-storm*
- (Optional) If you are not using the legacy Netcat or syslog data sources, run the following commands to remove flume-ng:
sudo rm -rf /opt/caspida/web/caspida-ui/plugins/syslog sudo rm -rf /opt/caspida/web/caspida-ui/plugins/netcat sudo rm -rf /usr/lib/flume-ng
- After you have removed /usr/share/apache-storm* and /usr/lib/flume-ng from all Splunk UBA nodes, log in to the Splunk UBA management node as the caspida user.
- On the Splunk UBA management node only, run the following commands to restart Splunk UBA:
/opt/caspida/bin/Caspida stop-all /opt/caspida/bin/Caspida start-all
Fixed Issues in Splunk UBA | Getting help with Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1
Feedback submitted, thanks!