Send Splunk UBA audit events to Splunk ES
Send audit events from Splunk UBA to Splunk ES so that you can maintain a history of specific actions taken by analysts and hunters in Splunk UBA. For example, if there is a need to re-examine a closed threat, you can use the audit history to determine the analyst who closed the threat.
Perform the following tasks to send audit events to the Splunk platform to be added to the
- Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
- Set up a search head or forwarder to receive data from Splunk UBA.
- Configure the Splunk platform to receive data from the Splunk UBA output connector.
Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA
Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform:
- Set the
uba.sys.audit.push.splunk.enabledproperty in the
- Run the following command to synchronize the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Run the following commands to restart Caspida services:
/opt/caspida/bin/Caspida stop /opt/caspida/bin/Caspida start
Set up a search head or forwarder to receive data from Splunk UBA
You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.
- In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
- In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.
Perform the following steps to set up a search head to receive data from Splunk UBA:
- In Splunk Web, select Settings > Data Inputs.
- In the TCP row, click Add New.
- Enter 10008 in the Port field. This is the port configured to work with Splunk UBA.
Perform the following steps to set up a forwarder to receive data from Splunk UBA:
- Deploy the Splunk Add-on for Splunk UBA to the forwarder. See Deploy the Splunk Add-on for Splunk UBA.
- Configure the TCP input on the Splunk forwarder. See Get data from TCP and UDP ports in the Splunk Enterprise Getting Data In manual for information on how to configure a Splunk forwarder to receive a syslog input.
Configure the Splunk platform to receive data from the Splunk UBA output connector
The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.
Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.
The following procedure uses the Splunk default certificates and the global
[SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.
- See About securing Splunk Enterprise with SSL in the Splunk Enterprise Securing the Splunk Platform manual.
- See TCP: in the Splunk Enterprise Admin Manual for more information about configuring tcp-ssl using inputs.conf.
Steps on the Splunk Enterprise search head
Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:
- Create a
$SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
cd /opt/splunk/etc/apps/Splunk_TA_ueba mkdir local cd local
- Create a file called inputs.conf and add the following stanza:
[tcp-ssl:10008] listenOnIPv6 = no index = ueba sourcetype = ueba serverCert = $SPLUNK_HOME/etc/auth/server.pem sslPassword = password
- Restart Splunk Enterprise.
- In Splunk Web, select System > Server controls.
- Click Restart Splunk.
- Verify that SSL is enabled for port 10008 in
$SPLUNK_HOME/var/log/splunk/splunkd.log. For example:
11-07-2019 15:07:42.661 -0800 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
- Copy the root CA certificate from
/opt/splunk/etc/auth/cacert.pemon the Splunk Enterprise instance to
/home/caspidaon the Splunk UBA management server.
If you use your own third party certificate, copy that certificate file to /home/caspida on the Splunk UBA management server . Do not copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance.
Steps on the Splunk UBA management server
Perform the following steps on the Splunk UBA management server:
- Log in to the Splunk UBA management server as the caspida user.
- Ensure that
$JAVA_HOMEis set correctly on your system. Run the
CaspidaCommonEnv.shscript to set this environment variable:
- Import the rootCA certificate to the Java certificate store.
If you use your own third party certificate, replace
~/cacert.pemwith that third party certificate in the following commands.
On RHEL systems, use the following command:
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem
On other Linux systems, use the following command:
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
- When prompted, type the keystore password and trust the certificate. The default keystore password is
- From the command line of the Splunk UBA management server, view the
/etc/caspida/local/conf/uba-site.propertiesfile to confirm the following parameter is set to "true" as shown:
- Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
/opt/caspida/bin/Caspida stop-all /opt/caspida/bin/Caspida start-all
Set up Splunk UBA to send user and device association data to Splunk Enterprise Security
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 220.127.116.11, 5.2.0, 5.2.1, 5.3.0