Upgrade Splunk UBA prerequisites

Upgrading to Splunk UBA 5.1.0.1 requires Splunk UBA 5.1.0. See How to install or upgrade to this release of Splunk UBA for upgrade path information.

• If you are running a version lower than 5.0.5, you must first upgrade to version 5.0.5 to upgrade to version 5.1.0 and then to version 5.1.0.1.
• If you are running a version lower than 5.0.0, you must first upgrade to version 5.0.0, then upgrade to version 5.0.5, then upgrade to version 5.1.0, and then upgrade to version 5.1.0.1.

Before you upgrade, perform the following tasks:

Hadoop ports changed for Splunk UBA version 5.1.0 and higher. See Networkiing requirements to verify Hadoop port information before upgrading.

1. In RHEL Linux environments:
   1. Ensure that Splunk UBA has access to RHEL repositories.
   2. When installed on RHEL 8.x operating systems, Splunk UBA uses a 2048 bit RSA encryption key. The Splunk platform that communicates with Splunk UBA must also use a 2048 bit encryption key. See Red Hat Enterprise Linux 8.x cryptographic policies.
2. Review the Known issues for this release in the Release Notes manual.
3. The software update contains one archive file approximately 11MB in size. The total extracted size is approximately 70MB. Verify that you have enough free space in /home/caspida to store the extracted installer files.
4. Backup your system. See Prepare to backup Splunk UBA in Administer Splunk User Behavior Analytics.
5. Make sure your system is running normally by using the uba_health_check.sh shell script.

   /opt/caspida/bin/utils/uba_health_check.sh

   See Check system status before and after installation for more information about the script.

Instructions to upgrade your Splunk UBA deployment

After satisfying the prerequisite requirements, go to one of the following:

• Upgrade a single node AMI or OVA installation of Splunk UBA
• Upgrade a single node RHEL installation of Splunk UBA
• Upgrade a single node OEL installation of Splunk UBA
• Upgrade a distributed AMI or OVA installation of Splunk UBA
• Upgrade a distributed RHEL installation of Splunk UBA
• Upgrade a distributed OEL installation of Splunk UBA

Upgrade multiple Splunk UBA clusters that are using warm standby

If you have two Splunk UBA clusters running in a warm standby configuration, perform the following tasks to upgrade both clusters. Links to documentation in the Administer Splunk User Behavior Analytics manual are provided. In this example, the original primary system is called System A and the standby system is called System B.

1. Verify that both the System A and System B are configured for warm standby and are running as expected. See Verify that the primary and standby systems are synchronized .
2. Manually trigger a sync between System A and System B. See Synchronize the primary and standby systems on-demand.
3. Perform a failover from System A to System B. See Failover to a standby Splunk UBA system.
4. Switch the roles of both systems to reflect the failover. See Change the role of both systems to switch the primary and standby systems.
5. Failover from System B back to System A. See Failover to a standby Splunk UBA system.
6. Switch the roles of both system again to reflect the second failover operation. See Change the role of both systems to switch the primary and standby systems.
7. Run the uba_health_check.sh script. See Check system status before and after installation in the Install and Upgrade Splunk User Behavior Analytics manual.
8. Use the health monitor to verify that both Splunk UBA systems are up and running.
9. Upgrade the primary system (System A) to this release. Follow the upgrade instructions for your operating system.
10. Upgrade the standby system (System B) to this release. Follow the upgrade instructions for your operating system.
11. Check /var/log/caspida/UpgradeStatus-<release>.properties on both systems to verify that the upgrade succeeded. See Verify a successful upgrade of Splunk UBA in the Install and Upgrade Splunk User Behavior Analytics manual.