Requirements to set up warm standby for Splunk UBA
Verify that the following requirements are met in preparation for configuring warm standby for Splunk UBA:
- The standby Splunk UBA system must be configured separately from the primary system and must meet all of the same system requirements. Verify that the standby system meets all of the requirements in the table:

| Standby System Requirement | Description |
| --- | --- |
| Same number of nodes. | The standby system must have the same number of nodes as the primary system. See Plan and scale your Splunk UBA deployment in Install and Upgrade Splunk User Behavior Analytics. |
| Same hardware requirements. | All nodes in the standby system must meet the minimum hardware requirements for all Splunk UBA servers, including allocating enough space on the management node if you are configuring incremental backups. See Hardware requirements in Install and Upgrade Splunk User Behavior Analytics. |
| Same SSH keys. | The standby system must use the same SSH keys as the primary system. Copy the SSH keys from the existing primary Splunk UBA system to all servers in the standby system. See Install Splunk User Behavior Analytics in Install and Upgrade Splunk User Behavior Analytics and follow the instructions for your deployment and operating system. |
| Set up passwordless SSH. | Each node in the standby and primary systems must have passwordless SSH capability to any other node in either system. See Install Splunk User Behavior Analytics in Install and Upgrade Splunk User Behavior Analytics and follow the instructions for your deployment and operating system. |
| Set up separate certificates. | The standby system must have its own certificates that are set up separately from the primary system. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics. If you send anomalies and threats from Splunk UBA to Splunk Enterprise Security (ES) using an output connector, see Configure the Splunk platform to receive data from Splunk UBA's output connector in Send and Receive Data from the Splunk Platform to set up the Splunk ES certificate in Splunk UBA. |
| Configuration of the /etc/hosts file. | The /etc/hosts file on each node in both the standby and primary systems must have the hostnames of all other nodes in both the standby and primary systems. See Configure host name lookups and DNS in Install and Upgrade Splunk User Behavior Analytics. |

- The standby system must have the same ports open as the primary system. See Network requirements in Install Splunk User Behavior Analytics. The following ports must be open behind the firewall in both the primary and standby systems:
  - Port 8020 on the management node (node 1) in all deployment sizes.
  - Port 5432 on the database node in all deployment sizes. For deployments of 1 to 10 nodes, this is node 1. In 20-node deployments, this is node 2.
  - Port 22 on all nodes in all deployment sizes must be open for scp and SSH to work.
  - Port 50010 must be open on all the data nodes. This table identifies the data nodes per deployment:

| Deployment size | Data nodes |
| --- | --- |
| 1 node | Node 1 |
| 3 nodes | Node 3 |
| 5 nodes | Nodes 4 and 5 |
| 7 nodes | Nodes 4, 5, 6, and 7 |
| 10 nodes | Nodes 6, 7, 8, 9, and 10 |
| 20 nodes | Nodes 11, 12, 13, 14, 15, 16, 17, 18, 19, and 20 |
- The Splunk Enterprise deployment that Splunk UBA pulls data from must also be highly available. This is required for Splunk UBA to re-ingest data from Splunk Enterprise. See Use clusters for high availability and ease of management in the Splunk Enterprise Distributed Deployment Manual.
- The raw events on Splunk Enterprise must be available for Splunk UBA to consume. If the Splunk Enterprise deployment is unable to retain raw events for Splunk UBA to re-ingest, the replay cannot be fully performed.
- If the primary and standby Splunk UBA systems are deployed across multiple sites, the standby Splunk UBA system must have its own Splunk Enterprise deployment equivalent to the primary system in order to provide equivalent ingestion throughput.
- Splunk UBA warm standby requires Python 3.
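The port and /etc/hosts requirements above are easy to get partly right across two systems. The following POSIX shell helpers are an added example, not part of the Splunk documentation or the Splunk UBA product: they derive the (node, port) pairs that must be reachable from the deployment size, check that an /etc/hosts file names every node of both systems, and probe each required port. The hostname pattern (a prefix such as `uba-primary-` followed by the node number) and the use of `nc` for the probe are assumptions.

```shell
#!/bin/sh
# Added example for verifying Splunk UBA warm-standby prerequisites.
# Assumptions: nodes are reachable as "<prefix><node number>" and nc is installed.

# data_nodes SIZE -> node numbers that must have port 50010 open (table above)
data_nodes() {
  case "$1" in
    1)  echo "1" ;;
    3)  echo "3" ;;
    5)  echo "4 5" ;;
    7)  echo "4 5 6 7" ;;
    10) echo "6 7 8 9 10" ;;
    20) echo "11 12 13 14 15 16 17 18 19 20" ;;
    *)  return 1 ;;
  esac
}

# db_node SIZE -> node number that hosts port 5432 (node 1, or node 2 at 20 nodes)
db_node() {
  case "$1" in
    1|3|5|7|10) echo 1 ;;
    20)         echo 2 ;;
    *)          return 1 ;;
  esac
}

# required_checks SIZE -> one "node port" line per port the requirements list
required_checks() {
  size=$1
  data_nodes "$size" >/dev/null || { echo "unsupported deployment size: $size" >&2; return 1; }
  echo "1 8020"                       # management node
  echo "$(db_node "$size") 5432"      # database node
  n=1
  while [ "$n" -le "$size" ]; do      # SSH/scp on every node
    echo "$n 22"
    n=$((n + 1))
  done
  for d in $(data_nodes "$size"); do  # data nodes
    echo "$d 50010"
  done
}

# hosts_file_complete HOSTSFILE HOSTNAME... -> 0 if every hostname appears as a
# whole word in HOSTSFILE; otherwise prints the missing names and returns 1
hosts_file_complete() {
  file=$1; shift
  missing=0
  for h in "$@"; do
    if ! grep -qw -- "$h" "$file"; then
      echo "missing from $file: $h"
      missing=1
    fi
  done
  return $missing
}

# port_open HOST PORT -> 0 if a TCP connect succeeds within 3 seconds (assumes nc)
port_open() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# verify_system SIZE PREFIX -> probes every required (node, port) pair on one
# system, printing ok/FAIL per pair; returns 1 if any probe failed
verify_system() {
  required_checks "$1" | {
    rc=0
    while read -r node port; do
      if port_open "$2$node" "$port"; then
        echo "ok   $2$node:$port"
      else
        echo "FAIL $2$node:$port"; rc=1
      fi
    done
    exit $rc
  }
}

# Usage (hypothetical names): run on any node of either system, once per system.
#   hosts_file_complete /etc/hosts uba-primary-1 uba-primary-2 uba-primary-3 \
#                                  uba-standby-1 uba-standby-2 uba-standby-3
#   verify_system 3 uba-primary-   && verify_system 3 uba-standby-
```

Because the same keys and passwordless SSH are required in both directions, run the hosts-file check and the port probes from a node in each system, not just from the primary: a firewall rule that only allows primary-to-standby traffic passes the first run and fails the second.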
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1