Splunk® User Behavior Analytics

Release Notes



This documentation does not apply to the most recent version of UBA. Click here for the latest version.

Known Issues in Splunk UBA

This version of Splunk UBA has the following known issues and workarounds.


Date filed Issue number Description
2021-11-18 UBA-15139 Postgresql-client-10 missing libpq5 (>=10.17)

Workaround:
libpq5 is not required for the operation of UBA, and no later version is available for Ubuntu 16. Suppress the dependency as follows:
  1. Open and edit the file /var/lib/dpkg/status
  2. Scroll to the entry for postgresql-client-10 and look for the dependency list entry:
    Depends: libpq5 (>= 10.17), postgresql-client-common (>= 182~), sensible-utils, libc6 (>= 2.15), libedit2 (>= 2.11-20080614), zlib1g (>= 1:1.1.4)
    
  3. Remove the entry libpq5 (>= 10.17)
  4. Save and close the file
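The same edit done with a script rather than by hand, limited to the postgresql-client-10 stanza and written to a temporary file before replacing the original. This is an added example, not part of the Splunk documentation; strip_dep and make_sample_status are names chosen here, and the status file the demo builds is a constructed sample, not a real node's /var/lib/dpkg/status.

```shell
#!/bin/sh
# strip_dep STATUS_FILE PACKAGE DEP: remove one dependency (matched by name,
# version constraint ignored) from the Depends: line of a single package stanza.
# Alternatives ("a | b") are kept as one item and only dropped on an exact match.
strip_dep() {
  status="$1"; pkg="$2"; dep="$3"
  tmp="${status}.tmp.$$"
  awk -v pkg="$pkg" -v dep="$dep" '
    /^Package: / { inpkg = ($2 == pkg) }          # track which stanza we are in
    inpkg && /^Depends: / {
      sub(/^Depends: /, "")
      n = split($0, f, /, /)                       # dependency list is comma separated
      out = ""
      for (i = 1; i <= n; i++) {
        split(f[i], w, " ")                        # w[1] is the package name
        if (w[1] == dep) continue                  # drop the unwanted entry
        out = out (out == "" ? "" : ", ") f[i]
      }
      print "Depends: " out
      next
    }
    { print }                                      # every other line is unchanged
  ' "$status" > "$tmp" && mv "$tmp" "$status"
}

# Constructed sample status file with two stanzas; only the first one should change.
make_sample_status() {
  printf '%s\n' 'Package: postgresql-client-10' 'Status: install ok installed' \
    'Depends: libpq5 (>= 10.17), postgresql-client-common (>= 182~), libc6 (>= 2.15)' '' \
    'Package: other-pkg' 'Depends: libpq5 (>= 10.17), zlib1g' > "$1"
}

# Demonstration on the constructed sample; on a UBA node the file is /var/lib/dpkg/status.
sample=$(mktemp)
make_sample_status "$sample"
cp "$sample" "$sample.bak"             # keep a backup before touching the file
strip_dep "$sample" postgresql-client-10 libpq5
diff "$sample.bak" "$sample" || true   # show the change; diff exits 1 when files differ
```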

2021-11-09 UBA-15120, UBA-15192 Customizations to Splunk_TA_nix/local/inputs.conf break patch_uba.sh

Workaround:
Any customizations to Splunk_TA_nix/local/inputs.conf must be backed up before the upgrade and re-added after the upgrade completes.

2021-10-14 UBA-14954, UBA-15198 Postgresql 10.17 missing libjson-perl

Workaround:
Before running the patch_uba.sh script, libjson-perl must be installed on all nodes in the customer environment. Perform the following steps:
  1. Log in to the management node as the caspida user in your Splunk UBA deployment.
  2. Run the following commands:
    sudo dpkg --force-confold --force-all -i /home/caspida/uba-ext-pkgs-5.0.5/postgresql*.deb
    sudo service postgresql stop
    sudo service postgresql start
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    

2021-10-11 UBA-14927, UBA-15186 UBA 5.0.5 upgrade script fails to upgrade forwarder to 8.2.1

Workaround:
Run the following command if you have Splunk forwarding disabled on a single node:
/opt/splunk/bin/splunk version --accept-license --answer-yes --no-prompt --seed-passwd caspida123

You must use the caspida123 password if you want to set up Splunk forwarding at a later time.

If you have Splunk forwarding enabled in a multi-node environment, perform the following tasks:

  1. Make sure that the ext-uba-pkg package from the management node is copied to /home/caspida on each node in your deployment and is untarred.
  2. Log in to the management node as the caspida user.
  3. Run the following command once for each node in your deployment. Replace $node with the actual name of each node.
    ssh $node "tar -C /opt -xzf /home/caspida/uba-ext-pkgs-5.0.5/splunk-8.2.1-x86_64.tgz && /opt/splunk/bin/splunk version --accept-license --answer-yes --no-prompt --seed-passwd caspida123"
    

2021-09-29 UBA-14894 UBA EPS drops after Splunk 8.2.1/8.2.2 upgrade on search heads used by data sources

2021-09-28 UBA-14890 ClassCastException errors in the LateralMovementDetection Model

2021-08-30 UBA-14755 Replication.err logging multiple errors - Cannot delete snapshot s_new from path /user: the snapshot does not exist.

2021-04-21 UBA-14502 Exporting >4.3K Anomalies table results crashes the UBA UI

2020-09-04 UBA-14237 Unable to create an Anomaly Table filter or an AAR specifying a filter for Specific Devices when specifying more than 20 CIDRs

Workaround:
Limit filter lists to 20 items.

2020-06-29 UBA-14199, UBA-12111 Impala jdbc connections leak

Workaround:
  1. Create a file containing the following script on node 1 in your Splunk UBA deployment (node 2 on a 20-node Splunk UBA deployment). For example, copy and paste the script to a new file in /etc/caspida/local/conf/impala_status_check.sh:
    #!/bin/bash
    # Usage: impala_status_check.sh <log_file>
    log_file=$1
    # Keep only the last 100 lines of the log so it does not grow without bound
    if test -f "$log_file"; then
       tail -n 100 "$log_file" > /tmp/tmp_log_file.log
       mv /tmp/tmp_log_file.log "$log_file"
    fi
    # Count established connections to the Impala JDBC port (21050)
    connection_count=$(netstat -an | grep :21050 | grep ESTABLISHED | wc -l)
    now=$(date)
    if [ "$connection_count" -gt 500 ]; then
       echo "[$now] $connection_count impala connection(s), restarting impala"
       sudo service impala-server restart
       rc=$?
       if [ "$rc" -eq 0 ]; then
          echo "restart succeeded"
       else
          echo "restart failed. return code: $rc"
       fi
    else
       echo "[$now] $connection_count impala connection(s), status is good"
    fi
    
  2. Make the script executable:
    chmod +x /etc/caspida/local/conf/impala_status_check.sh
    
  3. Add the following line to cron using crontab -e:
    0 8 * * * /etc/caspida/local/conf/impala_status_check.sh /var/log/impala/impala_status.log >> /var/log/impala/impala_status.log 2>&1
    

2020-04-07 UBA-13804 Kubernetes certificates expire after one year

Workaround:
Run the following commands on the Splunk UBA master node:
/opt/caspida/bin/Caspida remove-containerization
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all

2019-08-29 UBA-13020 Anomalies migrated from test-mode to active-mode won't be pushed to ES

2019-08-06 UBA-12910 Splunk Direct - Cloud Storage does not expose src_ip field

Workaround:
When ingesting Office 365 SharePoint/OneDrive logs through Splunk Direct - Cloud Storage, add a field mapping in the final SPL that maps src_ip from ClientIP (| eval src_ip=ClientIP). Make sure to include src_ip in the final list of fields selected with the fields command. For example:
| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip
Last modified on 25 January, 2022

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5

