Change the IP address of your Docker containers
By default, Docker containers in Splunk UBA use IP addresses in the 172.x.x.x range. If this conflicts with other network IP address ranges in your environment, perform the tasks below to customize your Docker IP ranges. In this example, we will change the default 172.x.x.x addresses to 192.168.0.1/24. Be sure to replace the example values with the actual values appropriate for your environment.
- Log in to the Splunk UBA management server as the Caspida user.
- Stop all Splunk UBA services:
    /opt/caspida/bin/Caspida stop-all
- Run the following command on all nodes in the cluster:
    sudo service docker stop
- Add the following property and value to /etc/caspida/local/conf/uba-site.properties:
    system.docker.networkcidr=192.168.0.1/24
- Run the following command:
    /opt/caspida/bin/Caspida replace-properties
- In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster
- Restart all nodes in your cluster to ensure that the new IP range is in use.
- Start all Splunk UBA services:
    /opt/caspida/bin/Caspida start-all
- Run the ifconfig docker0 command to verify that the correct address range is being used. For example:
    caspida@uba-001:~$ ifconfig docker0
    docker0   Link encap:Ethernet  HWaddr 02:42:7a:6a:d9:1d
              inet addr:192.168.0.1  Bcast:0.0.0.0  Mask:255.255.255.0
              inet6 addr: fe80::42:7aff:fe6a:d91d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:561746 errors:0 dropped:0 overruns:0 frame:0
              TX packets:643592 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:32419199 (32.4 MB)  TX bytes:6988449688 (6.9 GB)
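
A check to run before and after the procedure above, as an added example that is not part of the Splunk documentation: it reads the system.docker.networkcidr value, reports any overlap with networks already in use, and compares the value with the ifconfig docker0 output. The function names, the site network list and the sample inputs are constructed for illustration, and the last-occurrence-wins handling of the properties file is an assumption.

```python
import ipaddress
import re

PROPERTY = "system.docker.networkcidr"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_PROPERTIES = """\
# /etc/caspida/local/conf/uba-site.properties
system.docker.networkcidr=192.168.0.1/24
"""
SAMPLE_SITE_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]  # hypothetical ranges in use
SAMPLE_IFCONFIG = """\
docker0   Link encap:Ethernet  HWaddr 02:42:7a:6a:d9:1d
          inet addr:192.168.0.1  Bcast:0.0.0.0  Mask:255.255.255.0
"""


def read_docker_cidr(properties_text):
    """Return the configured value as an IPv4Interface, or None if unset."""
    found = None
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        # Assumption: as in Java properties files, the last occurrence wins.
        if sep and key.strip() == PROPERTY:
            # The value is a bridge address plus prefix length, so parse it as
            # an interface; ip_network() would reject the set host bits.
            found = ipaddress.ip_interface(value.strip())
    return found


def find_conflicts(docker_iface, site_networks):
    """Return the site networks that overlap the Docker bridge network."""
    nets = (ipaddress.ip_network(n) for n in site_networks)
    return [n for n in nets if n.overlaps(docker_iface.network)]


def docker0_matches(ifconfig_output, docker_iface):
    """Compare the inet line of ifconfig docker0 with the configured value."""
    # Accepts the legacy "inet addr:... Mask:..." and newer "inet ... netmask ..." layouts.
    m = re.search(r"inet (?:addr:)?(\S+).*?(?:Mask:|netmask )(\S+)", ifconfig_output)
    return bool(m) and ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") == docker_iface


if __name__ == "__main__":
    iface = read_docker_cidr(SAMPLE_PROPERTIES)
    for net in find_conflicts(iface, SAMPLE_SITE_NETWORKS):
        print(f"conflict: {iface.network} overlaps {net}")
    print("docker0 matches:", docker0_matches(SAMPLE_IFCONFIG, iface))
```

With the constructed inputs, the example value overlaps the hypothetical 192.168.0.0/16 site range, which is the kind of conflict to resolve before restarting the nodes.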
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1