Upgrade a distributed AMI or OVA installation of Splunk UBA
Before upgrading Splunk UBA in a distributed deployment, be sure you have verified the Upgrade Splunk UBA prerequisites. Make sure that the prerequisites are verified on each server in the distributed deployment.
Distributed environment upgrade steps
Install Splunk UBA 5.0.4 on the master node only. The upgrade script will update all relevant files on the other Splunk UBA nodes. Ensure that Splunk UBA is running before you upgrade.
To obtain and install Splunk UBA 5.0.4, perform the following tasks on the master node:
- Obtain the Splunk UBA Software Update and download the file to the
/home/caspida
directory. Select version 5.0.4 from the drop-down list. The downloadable archive file is namedsplunk-uba-software-upgrade-package_504.tgz
. - Extract the archive with the following command:
tar xfz /home/caspida/splunk-uba-software-upgrade-package_504.tgz -C /home/caspida
The following files are extracted into the
splunk-uba-software-update_504
directory:Splunk-UBA-5.0-Overlay-Packages-RHEL-7.8.tgz
Splunk-UBA-5.0-Overlay-Packages-RHEL-7.8.tgz.md5sum
splunk-uba-software-update-000002-504.tgz
splunk-uba-software-update-000002-504.tgz.md5sum
uba-ext-pkgs-5.0.4.tgz
uba-ext-pkgs-5.0.4.tgz.md5sum
- Extract the software update package in the
/home/caspida/splunk-uba-software-update_504
directory:tar xfz /home/caspida/splunk-uba-software-update_504/splunk-uba-software-update-000002-504.tgz -C /home/caspida
- Apply the patch with the following command:
The command installs the new Splunk UBA software, restarts Splunk UBA, and then restarts the data sources.
/home/caspida/patch_uba_504/bin/utils/patch_uba.sh -p /home/caspida/patch_uba_504 -e /home/caspida/splunk-uba-software-update_504/uba-ext-pkgs-5.0.4.tgz
- Run the following commands to synchronize the CaspidaSecurity.jar file to all nodes in your deployment.
/opt/caspida/bin/Caspida stop /opt/caspida/bin/Caspida sync-cluster /opt/caspida/bin/Caspida start
Apply security patches on Ubuntu
If you are upgrading an Ubuntu system, perform the following tasks to apply the latest security patches:
Applying the security patches can take up to one hour.
- Log in to the Splunk UBA master node as the caspida user.
- On the master node, run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- On each Splunk UBA node, perform the following tasks:
- Log in as the caspida user.
- Run the following commands to install latest unattended-upgrades package:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6A030B21BA07F4FB sudo apt update sudo apt install unattended-upgrades
If you see the following prompt, select keep the local version currently installed:
What do you want to do about modified configuration file 50unattended-upgrades?
- Run the following command:
sudo apt autoremove
- Edit the
/etc/apt/apt.conf.d/50unattended-upgrades
file and un-comment the following line:Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
"${distro_id}:${distro_codename}-security";
Leave all other lines commented out. - Run the following command:
sudo unattended-upgrade -d
- Edit the
/etc/init.d/zookeeper-server
file. Changesu
torunuser
in all of the following lines:Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- On the master node, run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Next steps
Upgrade a single node RHEL, CentOS, or Oracle Linux installation of Splunk UBA | Upgrade a distributed RHEL, CentOS, or Oracle Linux installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4
Feedback submitted, thanks!