Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics


Requirements to set up warm standby for Splunk UBA

Verify that the following requirements are met in preparation for configuring warm standby for Splunk UBA:

  • The standby Splunk UBA system must be configured separately from the primary system and must meet all of the same system requirements. Verify that the standby system meets all of the requirements in the table:
    | Standby system requirement | Description |
    | --- | --- |
    | Same number of nodes | The standby system must have the same number of nodes as the primary system. See Scaling your Splunk UBA deployment in the Plan and Scale your Splunk UBA Deployment manual. |
    | Same hardware requirements | All nodes in the standby system must meet the minimum hardware requirements for all Splunk UBA servers, including allocating enough space on the management node if you are configuring incremental backups. See Hardware requirements in the Install and Upgrade Splunk User Behavior Analytics manual. |
    | Same SSH keys | The standby system must use the same SSH keys as the primary system. Copy the SSH keys from the existing primary Splunk UBA system to all servers in the standby system. See Install Splunk User Behavior Analytics in the Install and Upgrade Splunk User Behavior Analytics manual and follow the instructions for your deployment and operating system. |
    | Same operating system and UBA version | The standby system must run the same operating system and UBA version as the primary system, across the entire cluster if applicable. |
    | Set up passwordless SSH | Each node in the standby and primary systems must have passwordless SSH capability to any other node in either system. See Install Splunk User Behavior Analytics in the Install and Upgrade Splunk User Behavior Analytics manual and follow the instructions for your deployment and operating system. |
    | Set up separate certificates | The standby system must have its own certificates that are set up separately from the primary system. |
    | Configuration of the /etc/hosts file | The /etc/hosts file on each node in both the standby and primary systems must have the hostnames of all other nodes in both the standby and primary systems. See Configure host name lookups and DNS in the Install and Upgrade Splunk User Behavior Analytics manual. |
  • The standby system must have the same ports open as the primary system. See Network requirements in the Install Splunk User Behavior Analytics manual. The following ports must be open behind the firewall between the primary and standby clusters:
    • Port 8020 on the management node (node 1) in all deployment sizes.
    • Port 5432 on the database node in all deployment sizes. For deployments of 1 to 10 nodes, this is node 1. In 20-node deployments, this is node 2.
    • Port 22 on all nodes in all deployment sizes must be open for scp and SSH to work.
    • Port 9866 must be open on all the data nodes. This table identifies the data nodes per deployment:
      | Deployment size | Data nodes |
      | --- | --- |
      | 1 node | Node 1 |
      | 3 nodes | Node 3 |
      | 5 nodes | Nodes 4 and 5 |
      | 7 nodes | Nodes 4, 5, 6, and 7 |
      | 10 nodes | Nodes 6, 7, 8, 9, and 10 |
      | 20 nodes | Nodes 11, 12, 13, 14, 15, 16, 17, 18, 19, and 20 |
  • The Splunk Enterprise deployment from which Splunk UBA pulls data must also be highly available. This is required for Splunk UBA to re-ingest data from Splunk Enterprise. See Use clusters for high availability and ease of management in the Splunk Enterprise Distributed Deployment Manual.
  • The raw events on Splunk Enterprise must be available for Splunk UBA to consume. If the Splunk Enterprise deployment is unable to retain raw events for Splunk UBA to re-ingest, the replay cannot be fully performed.
  • If the primary and standby Splunk UBA systems are deployed across multiple sites, the standby Splunk UBA system must have its own Splunk Enterprise deployment equivalent to the primary system in order to provide equivalent ingestion throughput.
  • Splunk UBA warm standby requires Python 3.
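
The following Python 3 preflight check is an added example, not part of the Splunk documentation or tooling. It derives the ports each node must expose from the deployment size, using the port list and data node table above, and reports which ones cannot be reached from the machine where it runs. The function names and the convention of passing hostnames in node order (node 1 first) are assumptions.

```python
import socket

# Data nodes per deployment size, taken from the table on this page.
DATA_NODES = {1: [1], 3: [3], 5: [4, 5], 7: [4, 5, 6, 7],
              10: [6, 7, 8, 9, 10], 20: list(range(11, 21))}

def required_ports(size):
    """Map node number -> sorted ports that must be reachable from the peer cluster."""
    if size not in DATA_NODES:
        raise ValueError(f"unsupported deployment size: {size}")
    ports = {n: {22} for n in range(1, size + 1)}  # scp and SSH on every node
    ports[1].add(8020)                              # management node (node 1)
    ports[2 if size == 20 else 1].add(5432)         # database node
    for n in DATA_NODES[size]:
        ports[n].add(9866)                          # data nodes
    return {n: sorted(p) for n, p in ports.items()}

def unreachable(hosts, timeout=3.0, connect=socket.create_connection):
    """Return [(host, port)] that refuse or time out; hosts[i] is node i + 1."""
    failed = []
    for node, ports in required_ports(len(hosts)).items():
        host = hosts[node - 1]
        for port in ports:
            try:
                connect((host, port), timeout).close()
            except OSError:  # refused, timed out, or name not resolvable
                failed.append((host, port))
    return failed

if __name__ == "__main__":
    import sys
    peers = sys.argv[1:]  # hostnames of the peer cluster, in node order
    if len(peers) not in DATA_NODES:
        sys.exit("usage: pass 1, 3, 5, 7, 10 or 20 peer hostnames in node order")
    blocked = unreachable(peers)
    for host, port in blocked:
        print(f"BLOCKED {host}:{port}")
    sys.exit(1 if blocked else 0)
```

Run it from a node in the primary cluster against the standby hostnames, then from a standby node against the primary hostnames, because the ports must be open in both directions. A name that fails to resolve is also reported, which points to a missing /etc/hosts entry.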
Last modified on 23 January, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0

