Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics



This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Requirements to set up warm standby for Splunk UBA

Verify that the following requirements are met in preparation for configuring warm standby for Splunk UBA:

  • The standby Splunk UBA system must be configured separately from the primary system and must meet all of the same system requirements. Verify that the standby system meets all of the requirements in the table:
    | Standby system requirement | Description |
    |---|---|
    | Same number of nodes. | The standby system must have the same number of nodes as the primary system. See Plan and scale your Splunk UBA deployment in Install and Upgrade Splunk User Behavior Analytics. |
    | Same hardware requirements. | All nodes in the standby system must meet the minimum hardware requirements for all Splunk UBA servers, including allocating enough space on the management node if you are configuring incremental backups. See Hardware requirements in Install and Upgrade Splunk User Behavior Analytics. |
    | Same SSH keys. | The standby system must use the same SSH keys as the primary system. Copy the SSH keys from the existing primary Splunk UBA system to all servers in the standby system. See Install Splunk User Behavior Analytics in Install and Upgrade Splunk User Behavior Analytics and follow the instructions for your deployment and operating system. |
    | Set up passwordless SSH. | Each node in the standby and primary systems must have passwordless SSH capability to any other node in either system. See Install Splunk User Behavior Analytics in Install and Upgrade Splunk User Behavior Analytics and follow the instructions for your deployment and operating system. |
    | Set up separate certificates. | The standby system must have its own certificates that are set up separately from the primary system. |
    | Configuration of the /etc/hosts file. | The /etc/hosts file on each node in both the standby and primary systems must have the hostnames of all other nodes in both the standby and primary systems. See Configure host name lookups and DNS in Install and Upgrade Splunk User Behavior Analytics. |
  • The standby system must have the same ports open as the primary system. See Network requirements in Install Splunk User Behavior Analytics. The following ports must be open behind the firewall in both the primary and standby systems:
    • Port 8020 on the management node (node 1) in all deployment sizes.
    • Port 5432 on the database node in all deployment sizes. For deployments of 1 - 10 nodes, this is node 1. In 20 node deployments, this is node 2.
    • Port 22 on all nodes in all deployment sizes must be open for scp and SSH to work.
    • Port 50010 must be open on all the data nodes. This table identifies the data nodes per deployment:
      | Deployment size | Data nodes |
      |---|---|
      | 1 node | Node 1 |
      | 3 nodes | Node 3 |
      | 5 nodes | Nodes 4 and 5 |
      | 7 nodes | Nodes 4, 5, 6, and 7 |
      | 10 nodes | Nodes 6, 7, 8, 9, and 10 |
      | 20 nodes | Nodes 11, 12, 13, 14, 15, 16, 17, 18, 19, and 20 |
  • The Splunk Enterprise deployment where Splunk UBA pulls data from must also be highly available. This is required for Splunk UBA to re-ingest data from Splunk Enterprise. See Use clusters for high availability and ease of management in the Splunk Enterprise Distributed Deployment Manual.
  • The raw events on Splunk Enterprise must be available for Splunk UBA to consume. If the Splunk Enterprise deployment is unable to retain raw events for Splunk UBA to re-ingest, the replay cannot be fully performed.
  • If the primary and standby Splunk UBA systems are deployed across multiple sites, the standby Splunk UBA system must have its own Splunk Enterprise deployment equivalent to the primary system in order to provide equivalent ingestion throughput.
  • Splunk UBA warm standby requires Python 3.
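
The port and /etc/hosts requirements above can be checked before configuring warm standby. The following is an added example, not Splunk's own tooling: it derives the required ports per node from the rules and data-node table on this page, checks hosts-file text for missing hostnames, and probes the ports over TCP. The function names, hostnames, and addresses are hypothetical, and the sample hosts file is constructed.

```python
import socket

# Data nodes per deployment size, from the table on this page.
DATA_NODES = {1: [1], 3: [3], 5: [4, 5], 7: [4, 5, 6, 7],
              10: [6, 7, 8, 9, 10], 20: list(range(11, 21))}

def required_ports(size):
    """Map node number -> sorted list of ports this page requires open on it."""
    if size not in DATA_NODES:
        raise ValueError(f"unsupported deployment size: {size}")
    ports = {n: {22} for n in range(1, size + 1)}  # scp and SSH on every node
    ports[1].add(8020)                             # management node (node 1)
    ports[2 if size == 20 else 1].add(5432)        # database node
    for n in DATA_NODES[size]:
        ports[n].add(50010)                        # data nodes
    return {n: sorted(p) for n, p in ports.items()}

def missing_hosts(hosts_text, hostnames):
    """Return the hostnames that have no entry in /etc/hosts-style text."""
    known = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments
        known.update(fields[1:])                   # field 0 is the address
    return [h for h in hostnames if h not in known]

def closed_ports(hostnames, timeout=3.0):
    """TCP-connect to every required port; hostnames[i] is node i+1.
    Returns the (host, port) pairs that could not be reached."""
    failures = []
    for node, ports in required_ports(len(hostnames)).items():
        host = hostnames[node - 1]
        for port in ports:
            try:
                socket.create_connection((host, port), timeout).close()
            except OSError:
                failures.append((host, port))
    return failures

if __name__ == "__main__":
    # Constructed sample: hypothetical 3-node standby system and hosts file.
    standby = ["uba-sb1", "uba-sb2", "uba-sb3"]
    sample_hosts = "10.0.0.11 uba-sb1\n10.0.0.12 uba-sb2  # node 2\n"
    print("missing from hosts file:", missing_hosts(sample_hosts, standby))
    print("required ports:", required_ports(3))
```

A failed connection reported by `closed_ports` can mean that the service is not listening yet rather than that a firewall blocks the port, so confirm against the firewall rules before changing them. Run the probe from nodes in both the primary and standby systems, passing the real hostnames in node order.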
Last modified on 28 April, 2021

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1

