Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

Check system status before and after installation

Before and after you install Splunk UBA, check the system status with the uba_pre_check.sh shell script. The uba_pre_check.sh script is stored in the /opt/caspida/bin/utils directory of Splunk UBA. Log in as the caspida user on the management server using SSH to run the script.

Output from the script is saved in a plain text file in the /var/log/caspida/check/ directory with a file name that includes the host name of the server and the time stamp.

As a general rule, issues identified by the script can be found in the exception summary section of the output file. Fix any issues in that section before proceeding with installation. If no issues are listed, none have been identified.

Run the script before setting up Splunk UBA

Before you setup Splunk UBA and run the Caspida setup command, use the script to verify that your system meets the system requirements for Splunk UBA. See System requirements for Splunk UBA.

To run the script in a single-node deployment, use the following command and replace node1 with the actual host name or IP address of your Splunk UBA node:

/opt/caspida/bin/utils/uba_pre_check.sh node1

To run the script in a distributed deployment, specify the host names or IP addresses of the nodes separated by spaces. For example, in a 3-node deployment:

/opt/caspida/bin/utils/uba_pre_check.sh node1 node2 node3

The script checks the status of the following characteristics:

  • The server meets the minimum server requirements.
  • A supported Linux distribution and version is installed on the server.
  • Required third-party software is installed.
  • Networking requirements are met.
  • Second disk is properly provisioned.

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA.

Run the script before upgrading Splunk UBA

Before you upgrade Splunk UBA, run the script to make sure that your Splunk UBA system is running normally. Do not specify any Splunk UBA host names or IP addresses when running the script prior to an upgrade:

/opt/caspida/bin/utils/uba_pre_check.sh

Run the script before adding data sources

Before you add data sources to Splunk UBA, run the script again to verify that the software is working correctly and is properly configured. See Configure Splunk UBA for required and optional configurations.

The script checks the status of the following configurations:

  • Admin users are correctly identified and normalized.
  • Email is set up to send alerts, changes made for the geolocation on the UI, internal domains /etc/caspida/local/conf/uba-site.properties file.
  • Internal IPs are set up /etc/caspida/local/conf/etl/configuration/EntityValidations.json file.
  • Competitive domains are set up in the /etc/caspida/local/conf/competitorDomains.txt file.
  • Verify network access to Google Maps, VirusTotal, WHOIS, MaxMind external services.

Run the script after adding data sources

You can run the script after adding data to verify that the system is up and running. Additional exceptions noted by the script indicate custom configuration steps or other issues that need remediation.

Last modified on 09 June, 2023
System requirements for Splunk UBA   Install Splunk User Behavior Analytics

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters