Recover Splunk UBA after an outage
You can recover Splunk UBA after a planned or unplanned outage. Complete the steps described in the following scenarios:
- Shut down Splunk UBA for a planned outage
- Restart Splunk UBA after an outage
- Restart Splunk UBA and restart all services
- Restart Splunk UBA Services
Shut down Splunk UBA for a planned outage
Perform the following steps to shut down Splunk UBA for a planned outage:
- In Splunk UBA, select Manage > Data Sources.
- Stop each running data source.
- From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
- Stop all services.
/opt/caspida/bin/Caspida stop-all
- Once step 4 completes successfully, use SSH to log in to each UBA node (if running a distributed UBA environment) and run the following command to shut down the node.
sudo shutdown -h now
Restart Splunk UBA after an outage
After a planned or unplanned outage, perform these steps to restart all Splunk UBA services:
- From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
- Switch to the caspida user with sudo.
sudo su - caspida
- If running a distributed UBA environment, ensure each UBA node is accessible by SSH before continuing.
- Start all services.
/opt/caspida/bin/Caspida start-all
- Log in to the Splunk UBA web interface.
- Select Manage > Data Sources.
- Start each data source.
Restart Splunk UBA and restart all services
Perform the following tasks to shut down Splunk UBA services, restart the server, and restart all Splunk UBA services:
- In the Splunk UBA menu bar, select Manage > Data Sources.
- Stop each running data source.
- From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
- Stop all services.
/opt/caspida/bin/Caspida stop-all
- Once step 4 completes successfully, use SSH to log in to each UBA node (if running a distributed UBA environment).
- Restart Splunk UBA by running the following command on each node.
sudo shutdown -r now
- Verify that each Splunk UBA node (if applicable) is back online with either SSH or ping.
ping <UBA-hostname>
- From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
- Switch to the caspida user with sudo.
sudo su - caspida
- If running a distributed UBA environment, ensure each UBA node is accessible by SSH before continuing.
- Start all services.
/opt/caspida/bin/Caspida start-all
- Log in to the Splunk UBA web interface.
- Select Manage > Data Sources.
- Start each data source.
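The command-line half of this procedure as an added shell script; it is not part of the Splunk documentation or product. It refuses to reboot any node unless stop-all succeeded, and after the reboot it polls every node over SSH and runs start-all only once all of them answer. The node hostnames are constructed placeholders, and passwordless SSH and sudo from the management node to each node are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: the command-line half of "Restart Splunk UBA
# and restart all services", run on the management node as caspida. Stopping and
# starting data sources in Manage > Data Sources stays manual (before stop, after start).
# Assumes UBA_NODES lists the other nodes (constructed placeholder names) and
# passwordless SSH and sudo from the management node to each of them.
set -u

UBA_NODES="${UBA_NODES:-uba-node1.example.com uba-node2.example.com}"
CASPIDA=/opt/caspida/bin/Caspida

# Succeeds when a node accepts an SSH login (BatchMode=yes never prompts for a password).
probe_node() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true >/dev/null 2>&1
}

# Poll every node until all accept SSH, or give up after $1 seconds (polling every $2).
# Returns 0 when all nodes are reachable, 1 (listing the stragglers on stderr) otherwise.
wait_for_nodes() {
    timeout=$1; interval=$2; elapsed=0
    while :; do
        pending=""
        for node in $UBA_NODES; do
            probe_node "$node" || pending="$pending $node"
        done
        [ -z "$pending" ] && return 0
        [ "$elapsed" -lt "$timeout" ] || { echo "unreachable after ${timeout}s:$pending" >&2; return 1; }
        sleep "$interval"; elapsed=$((elapsed + interval))
    done
}

# Phase 1 (steps 4-6): stop-all must succeed before any node is rebooted.
stop_phase() {
    "$CASPIDA" stop-all || { echo "stop-all failed; not rebooting" >&2; return 1; }
    for node in $UBA_NODES; do
        ssh -o BatchMode=yes "$node" 'sudo shutdown -r now' || echo "reboot of $node failed" >&2
    done
    sudo shutdown -r now          # management node last: it is the one running this script
}

# Phase 2 (steps 7-10, after logging back in): start-all only once every node answers SSH.
start_phase() {
    wait_for_nodes 600 15 || return 1
    "$CASPIDA" start-all
}

case "${1:-}" in
    stop)  stop_phase ;;
    start) start_phase ;;
    *)     echo "usage: $0 stop|start" >&2 ;;
esac
```

Run `sh uba-restart.sh stop` before the reboot and `sh uba-restart.sh start` after logging back in; the timeout and polling interval in start_phase are tunable.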
Restart Splunk UBA Services
Perform the following tasks to restart Splunk UBA services:
Restarting the Splunk UBA server does not restart the Splunk UBA services.
- In Splunk UBA, select Manage > Data Sources.
- Stop each running data source.
- From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
- Stop all services.
/opt/caspida/bin/Caspida stop-all
- After stop-all has completed, restart all services.
/opt/caspida/bin/Caspida start-all
- Log in to the Splunk UBA web interface.
- Select Manage > Data Sources.
- Start each data source.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1