Check system status before and after installation
Before and after you install Splunk UBA, check the system status with the
uba_pre_check.sh shell script. The
uba_pre_check.sh script is stored in the
/opt/caspida/bin/utils directory of Splunk UBA. Log in as the
caspida user on the management server using SSH to run the script.
Output from the script is saved in a plain text file in the
/var/log/caspida/check/ directory with a file name that includes the host name of the server and the time stamp.
As a general rule, issues identified by the script can be found in the
exception summary section of the output file. Fix any issues in that section before proceeding with installation. If no issues are listed, none have been identified.
Run the script before setting up Splunk UBA
Before you setup Splunk UBA and run the
Caspida setup command, use the script to verify that your system meets the system requirements for Splunk UBA. See System requirements for Splunk UBA.
To run the script in a single-node deployment, use the following command and replace
node1 with the actual host name or IP address of your Splunk UBA node:
To run the script in a distributed deployment, specify the host names or IP addresses of the nodes separated by spaces. For example, in a 3-node deployment:
/opt/caspida/bin/utils/uba_pre_check.sh node1 node2 node3
The script checks the status of the following characteristics:
- The server meets the minimum server requirements.
- A supported Linux distribution and version is installed on the server.
- Required third-party software is installed.
- Networking requirements are met.
- Second disk is properly provisioned.
You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA.
Run the script before upgrading Splunk UBA
Before you upgrade Splunk UBA, run the script to make sure that your Splunk UBA system is running normally. Do not specify any Splunk UBA host names or IP addresses when running the script prior to an upgrade:
Run the script before adding data sources
Before you add data sources to Splunk UBA, run the script again to verify that the software is working correctly and is properly configured. See Configure Splunk UBA for required and optional configurations.
The script checks the status of the following configurations:
- Admin users are correctly identified and normalized.
- Email is set up to send alerts, changes made for the geolocation on the UI, internal domains
- Internal IPs are set up
- Competitive domains are set up in the
- Verify network access to Google Maps, VirusTotal, WHOIS, MaxMind external services.
Run the script after adding data sources
You can run the script after adding data to verify that the system is up and running. Additional exceptions noted by the script indicate custom configuration steps or other issues that need remediation.
System requirements for Splunk UBA
Install Splunk User Behavior Analytics
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 184.108.40.206, 5.0.5, 220.127.116.11, 5.1.0, 18.104.22.168, 5.2.0, 5.2.1, 5.3.0