Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Change the role of both systems to switch the primary and standby systems

Perform the following tasks if you want to switch the roles of both systems. For example, is System A is currently acting as the standby system and System B is the primary, switch the roles of both systems so that System A becomes the primary system and System B is the standby system.

  1. On System A, run the following commands:
    /opt/caspida/bin/CaspidaCleanup
    /opt/caspida/bin/Caspida stop 
    
  2. On both System A and System B, set the following properties in /etc/caspida/local/conf/uba-site.properties:
    1. Enable replication:
      replication.enabled=true
    2. Switch the active and standby systems:
      replication.primary.host=<management node of System A>
      replication.standby.host=<management node of System B>
      
    3. In System A, enable the replication system job by adding the ReplicationCoordinator property into /etc/caspida/local/conf/caspida-jobs.json file on the management node. The ReplicationCoordinator must be set to true. Below is a sample of the file before adding the property:
      /**
       * Copyright 2014 - Splunk Inc., All rights reserved.
       * This is Caspida proprietary and confidential material and its use
       * is subject to license terms.
       */
      {
        "systemJobs": [
          {
            // "name" : "ThreatComputation",
            // "cronExpr"   : "0 0 0/1 * * ?",
            // "jobArguments" : { "env:CASPIDA_JVM_OPTS" :  "-Xmx4096M" }
          }
        ]
      } 
      

      After adding the property, the file should look like this:

      /**
       * Copyright 2014 - Splunk Inc., All rights reserved.
       * This is Caspida proprietary and confidential material and its use
       * is subject to license terms.
       */
      {
        "systemJobs": [
          {
            // "name" : "ThreatComputation",
            // "cronExpr"   : "0 0 0/1 * * ?",
            // "jobArguments" : { "env:CASPIDA_JVM_OPTS" :  "-Xmx4096M" }
          },
          {
            "name"         : "ReplicationCoordinator",
            "enabled"      : true
          }
        ]
      } 
      
    4. Run the following command to synchronize the cluster:
      /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/
  3. On the management node of System A, run the following command:
    /opt/caspida/bin/replication/setup -d standby -m primary

    If System A has been registered before, run the command again with the reset option:

    /opt/caspida/bin/replication/setup -d standby -m primary -r

    If you see ERROR: cannot execute ALTER SUBSCRIPTION in a read-only transaction when you run this command, it means subscription_caspida is present on the standby system. Perform the following steps:

    1. Run the following command to verify that subscription_caspida is on the standby system:
      psql -d caspidadb -c "select * from pg_subscription where subname='subscription_caspida' 
    2. If subscription_caspida is in the table, run the following command to turn off read-only mode on the standby system:
      psql -d caspidadb -c 'BEGIN; SET transaction read write; ALTER DATABASE caspidadb SET default_transaction_read_only = off; COMMIT'
    3. Run the following command again and follow the prompts to delete subscription_caspida from the standby system:
      /opt/caspida/bin/replication/setup -d standby -m primary -r
  4. On the management node of System B, run the following command:
    /opt/caspida/bin/replication/setup -d standby -m standby -r
  5. On the management node of System A, run the following command:
    /opt/caspida/bin/Caspida start
  6. On System A, verify that the initial sync between the systems has started. See How Splunk UBA synchronizes the primary and standby systems for instructions.
Last modified on 17 September, 2021
PREVIOUS
Failover to a standby Splunk UBA system
  NEXT
Stop the primary system from synchronizing with the standby system

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters