Upgrade a distributed AMI or OVA installation of Splunk UBA
Before upgrading Splunk UBA in a distributed deployment, be sure you have verified the Upgrade Splunk UBA prerequisites. Make sure that the prerequisites are verified on each server in the distributed deployment.
Distributed environment upgrade steps
Install Splunk UBA 5.0.3 on the master node only. The upgrade script will update all relevant files on the other Splunk UBA nodes. Ensure that Splunk UBA is running before you upgrade.
To obtain and install Splunk UBA 5.0.3, perform the following tasks on the master node:
- Obtain the Splunk UBA Software Update and download the file to the
/home/caspida
directory. Select version 5.0.3 from the drop-down list. The downloadable archive file is namedsplunk-uba-software-upgrade-package_503.tgz
. - Extract the archive with the following command:
tar -xfz /home/caspida/ splunk-uba-software-upgrade-package_503.tgz -C /home/caspida
The following files are extracted:
splunk-uba-software-update-000027-503.tgz
splunk-uba-software-update-000027-503.tgz.md5sum
uba-ext-pkgs-5.0.3.tgz
uba-ext-pkgs-5.0.3.tgz.md5sum
- Extract the software update package in the
/home/caspida
directory:tar -xfz /home/caspida/splunk-uba-software-update-000027-503.tgz -C /home/caspida
- Apply the patch with the following command:
The command installs the new Splunk UBA software including the updated OpenJDK and Docker image, restarts Splunk UBA, and then restarts the data sources.
/home/caspida/patch_uba_503/bin/utils/patch_uba.sh -p /home/caspida/patch_uba_503 -e /home/caspida/uba-ext-pkgs-5.0.3.tgz
Apply security patches on Ubuntu
If you are upgrading an Ubuntu system, perform the following tasks to apply the latest security patches:
Applying the security patches on Ubuntu can take up to one hour. This is recommended when upgrading Splunk UBA but is not a required step.
- Log in to the Splunk UBA master node as the caspida user.
- On the master node, run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- On each Splunk UBA node, perform the following tasks:
- Log in as the caspida user.
- Run the following commands to install latest unattended-upgrades package:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6A030B21BA07F4FB sudo apt update sudo apt install unattended-upgrades
If you see the following prompt, select keep the local version currently installed:
What do you want to do about modified configuration file 50unattended-upgrades?
- Run the following command:
sudo apt autoremove
- Edit the
/etc/apt/apt.conf.d/50unattended-upgrades
file and un-comment the following line:"${distro_id}:${distro_codename}-security";
Leave all other lines commented out. - Run the following command:
sudo unattended-upgrade -d
- Edit the
/etc/init.d/zookeeper-server
file. Changesu
torunuser
in all of the following lines:su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- On the master node, run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Next steps
Upgrade a single node RHEL, CentOS, or Oracle Linux installation of Splunk UBA | Upgrade a distributed RHEL, CentOS, or Oracle Linux installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3
Feedback submitted, thanks!