Upgrade a single node AMI or OVA installation of Splunk UBA
Before upgrading Splunk UBA on a single server, be sure you have verified the Upgrade Splunk UBA prerequisites.
Single server upgrade steps
Ensure that Splunk UBA is running before you upgrade, then perform the following tasks to upgrade Splunk UBA on a single server.
- Obtain the Splunk UBA Software Update and download the file to the
/home/caspida
directory. Select version 5.0.3 from the drop-down list. The downloadable archive file is namedsplunk-uba-software-upgrade-package_503.tgz
. - Extract the archive with the following command:
tar -xfz /home/caspida/splunk-uba-software-upgrade-package_503.tgz -C /home/caspida
The following files are extracted:
splunk-uba-software-update-000027-503.tgz
splunk-uba-software-update-000027-503.tgz.md5sum
uba-ext-pkgs-5.0.3.tgz
uba-ext-pkgs-5.0.3.tgz.md5sum
- Extract the software update package in the
/home/caspida
directory:tar -xfz /home/caspida/splunk-uba-software-update-000027-503.tgz -C /home/caspida
- Apply the patch with the following command:
The command installs the new Splunk UBA software including the updated OpenJDK and Docker image, restarts Splunk UBA, and then restarts the data sources.
/home/caspida/patch_uba_503/bin/utils/patch_uba.sh -p /home/caspida/patch_uba_503 -e /home/caspida/uba-ext-pkgs-5.0.3.tgz
Apply security patches on Ubuntu
If you are upgrading an Ubuntu system, perform the following tasks to apply the latest security patches:
Applying the security patches on Ubuntu can take up to one hour. This is recommended when upgrading Splunk UBA but is not a required step.
- Log in to the Splunk UBA server as the caspida user.
- Run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following commands to install latest unattended-upgrades package:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6A030B21BA07F4FB sudo apt update sudo apt install unattended-upgrades
If you see the following prompt, select keep the local version currently installed:
What do you want to do about modified configuration file 50unattended-upgrades?
- Run the following command:
sudo apt autoremove
- Edit the
/etc/apt/apt.conf.d/50unattended-upgrades
file and un-comment the following line:"${distro_id}:${distro_codename}-security";
Leave all other lines commented out. - Run the following command:
sudo unattended-upgrade -d
- Edit the
/etc/init.d/zookeeper-server
file and changesu
torunuser
in all of the following lines:su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- Run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Next Steps
Upgrade Splunk UBA prerequisites | Upgrade a single node RHEL, CentOS, or Oracle Linux installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3
Feedback submitted, thanks!