Upgrade a single node AMI or OVA installation of Splunk UBA
Before upgrading Splunk UBA on a single server, be sure you have verified the Upgrade Splunk UBA prerequisites.
Single server upgrade steps
Ensure that Splunk UBA is running before you upgrade, then perform the following tasks to upgrade Splunk UBA on a single server.
- Run the following command to install or upgrade libjson-perl:
sudo apt-get install libjson-perl
- Obtain the Splunk UBA Software Update and download the file to the
/home/caspida
directory. Select version 5.0.5 from the drop-down list. The downloadable archive file is namedsplunk-uba-software-upgrade-package_505.tgz
. - Extract the archive with the following command:
tar xfz /home/caspida/splunk-uba-software-upgrade-package_505.tgz -C /home/caspida
The following files are extracted:
splunk-uba-software-update-000059-505.tgz
splunk-uba-software-update-000059-505.tgz.md5sum
uba-ext-pkgs-5.0.5.tgz
uba-ext-pkgs-5.0.5.tgz.md5sum
- Extract the software update package in the
/home/caspida
directory:tar xfz /home/caspida/splunk-uba-software-update-000059-505.tgz -C /home/caspida
- Apply the patch with the following command:
The command installs the new Splunk UBA software, restarts Splunk UBA, and then restarts the data sources.
/home/caspida/patch_uba_505/bin/utils/patch_uba.sh -p /home/caspida/patch_uba_505 -e /home/caspida/uba-ext-pkgs-5.0.5.tgz
Apply security patches on Ubuntu
The Splunk UBA AMI and OVA images use Ubuntu as the operating system. Perform the following tasks to apply the latest security patches to your Ubuntu operating system:
Applying the security patches can take up to one hour.
- Log in to the Splunk UBA server as the caspida user.
- Run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following command to add the public keys required by apt:
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
- Run the following commands to install latest unattended-upgrades package:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6A030B21BA07F4FB sudo apt update sudo apt install unattended-upgrades
If you see the following prompt, select keep the local version currently installed:
What do you want to do about modified configuration file 50unattended-upgrades?
- Run the following command:
sudo apt autoremove
- Edit the
/etc/apt/apt.conf.d/50unattended-upgrades
file and un-comment the following line:Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
"${distro_id}:${distro_codename}-security";
Leave all other lines commented out. - Run the following command:
sudo unattended-upgrade -d
- Edit the
/etc/init.d/zookeeper-server
file and changesu
torunuser
in all of the following lines:Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
Before:
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
After:
runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- Run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Next Steps
Upgrade Splunk UBA prerequisites | Upgrade a single node RHEL, CentOS, or Oracle Linux installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5
Feedback submitted, thanks!