Change the IP address or hostname of your Splunk UBA nodes
Changes in your environment may necessitate changing the IP address or hostname of your Splunk UBA nodes.
You can change the IP address or hostname of your Splunk UBA nodes with the following procedure:
- Use SSH to log in to the management node of your Splunk UBA deployment as the caspida user.
- Run the following command to stop all Splunk UBA services.
/opt/caspida/bin/Caspida stop-all
- Perform the following tasks on all Splunk UBA nodes:
- If your system is not set up with a DNS service, edit the /etc/hosts file and add the new IP addresses or hostnames. See Configure local DNS using the /etc/hosts file in Install and Upgrade Splunk User Behavior Analytics. In an AWS environment the IP addresses must be the private IPs.
- If you are updating hostnames, use the hostnamectl command to update and then reboot.
sudo hostnamectl set-hostname <hostname-shortname>
sudo reboot
- Verify that nslookup is able to resolve the IP addresses and hostnames correctly.
nslookup <ip-address>
nslookup <hostname-shortname>
nslookup <hostname-fqdn>
- Verify that SSH to each of the new IP addresses or hostnames is keyless and does not require a password.
- On the Splunk UBA management node, run the following command to change your IP addresses:
/opt/caspida/bin/utils/change-uba-network-address.sh <from-ip-or-hostname> <to-ip-or-hostname>
If you are changing multiple hosts, use one command for each host. The -i flag with the previous IP address is required if changing hostnames.
For multi-node clusters, only change one hostname or IP address at a time before running the change-uba-network-address.sh script, otherwise the script is unable to find the other hosts with their new hostnames or IP addresses. For example:
/opt/caspida/bin/utils/change-uba-network-address.sh -i <from-ip> <from-ip-or-hostname-1> <to-ip-or-hostname-1>
/opt/caspida/bin/utils/change-uba-network-address.sh -i <from-ip> <from-ip-or-hostname-2> <to-ip-or-hostname-2>
/opt/caspida/bin/utils/change-uba-network-address.sh -i <from-ip> <from-ip-or-hostname-3> <to-ip-or-hostname-3>
The command looks for the existing <from-ip-or-hostname> in the /opt/caspida/conf/deployment/caspida-deployment.conf file and updates the IP address or hostname in all configuration files on all nodes. This means that you only need to run the script on the Splunk UBA management node.
In some cases, you may have configured your Splunk UBA nodes using hostnames such as uba1, uba2 or uba3. If the IP address of uba1 is 10.10.1.2, and you want to change it to 10.10.10.2, use the -s option in the command, which causes it to skip checking for the IP address in the caspida-deployment.conf file, since it will not be found. For example:
/opt/caspida/bin/utils/change-uba-network-address.sh -s 10.10.1.2 10.10.10.2
In an AWS environment with a public IP address, use the -p option to change the public IP address in the uba-site.properties file. For example, to change the existing public IP address to 30.31.32.33, and also change the IP address 10.10.1.2 to 10.10.10.2, use the following command:
/opt/caspida/bin/utils/change-uba-network-address.sh -p 30.31.32.33 -s 10.10.1.2 10.10.10.2
You will be prompted to take additional action when the command is finished running. Follow the instructions provided by the script to finish updating the IP address of your Splunk UBA nodes.
- If the command is able to determine that the <from-ip-or-hostname> is a single node or a container host:
successfully changed 10.140.195.143 to 10.140.195.12
1. if 10.140.195.143 was running UBA UI: run /opt/caspida/bin/CaspidaCert.sh to recreate SSL certificates for the web server
2. run /opt/caspida/bin/Caspida remove-containerization; /opt/caspida/bin/Caspida setup-containerization
3. run /opt/caspida/bin/Caspida start-all to start up UBA
- If the command is not able to determine that the <from-ip-or-hostname> is a container host:
successfully changed 10.140.195.143 to 10.140.195.12
1. if 10.140.195.143 was running UBA UI: run /opt/caspida/bin/CaspidaCert.sh to recreate SSL certificates for the web server
2. unable to determine if 10.140.195.143 was running containers. if 10.140.195.143 is one of sp43centos0,sp43centos1,sp43centos2, run /opt/caspida/bin/Caspida remove-containerization; /opt/caspida/bin/Caspida setup-containerization
3. run /opt/caspida/bin/Caspida start-all to start up UBA
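The per-node checks in the procedure above (the /etc/hosts entries and keyless SSH) can be scripted and run before change-uba-network-address.sh. The following is an added example, not part of the Splunk documentation or tooling; the function names, the SKIP_SSH variable and the "ip fqdn shortname" node-list format are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before change-uba-network-address.sh.
# Function names, SKIP_SSH and the node-list format are assumptions of this example.

# check_hosts_entry FILE IP FQDN SHORT
# Succeeds only if FILE maps both names to IP and no line maps either name
# to a different address (a stale entry left over from the old IP).
check_hosts_entry() {
  awk -v ip="$2" -v fqdn="$3" -v short="$4" '
    { sub(/#.*/, "") }                 # strip comments; awk re-splits the fields
    NF < 2 { next }
    {
      for (i = 2; i <= NF; i++)
        if ($i == fqdn || $i == short) {
          if ($1 == ip) seen[$i] = 1
          else stale = 1
        }
    }
    END { exit !(seen[fqdn] && seen[short] && !stale) }
  ' "$1"
}

# check_keyless_ssh HOST
# BatchMode=yes forbids every prompt, so this fails if a password would be
# asked for, and also if the host key for the new name is not yet trusted.
# -n keeps ssh from swallowing the node list on stdin.
check_keyless_ssh() {
  ssh -n -o BatchMode=yes -o ConnectTimeout=5 "$1" true
}

# preflight HOSTS_FILE   (reads "ip fqdn shortname" lines on stdin)
preflight() {
  rc=0
  while read -r ip fqdn short; do
    [ -n "$ip" ] || continue
    check_hosts_entry "$1" "$ip" "$fqdn" "$short" ||
      { echo "hosts: $short/$fqdn not cleanly mapped to $ip"; rc=1; }
    [ "${SKIP_SSH:-0}" = 1 ] || check_keyless_ssh "$short" ||
      { echo "ssh: $short needs a password or host-key confirmation"; rc=1; }
  done
  return "$rc"
}

# Usage: sh preflight.sh /etc/hosts nodes.txt
if [ "$#" -eq 2 ]; then preflight "$1" < "$2"; fi
```

Run it as the caspida user on each node. A host-key failure is resolved by verifying and accepting the new key once interactively, not by turning off host key checking.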
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1