Upgrade a distributed RHEL installation of Splunk UBA
Perform the following steps to upgrade a distributed RHEL installation of Splunk UBA.
Prerequisites
Complete the following steps to ensure your system is correctly set up for upgrading Splunk UBA:
- Confirm you meet the Upgrade Splunk UBA prerequisites. Make sure that the prerequisites are verified on each server in the distributed deployment.
- Make sure the correct hadoop ports are open. See, Inbound networking port requirements.
- If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), preserve the associated certificate before upgrading.
Use the following command to export the certificate:For more info on sending audit data to ES see, Send Splunk UBA audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual.. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -exportcert -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/splunk-es_cacert.pem
- If you have enabled validation of the SSL certificate from Splunk ES, export the SSL certificate used for validating datasources from the Splunk Enterprise platform:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -exportcert -alias "SplunkESRootCA" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/SplunkESRootCA.pem
- For 1, 3, 5, 7, and 10 node deployments, run the following command from the Management node. For 20 and 20XL node deployments, run the following command from from the Management node and Node 2:
psql -d caspidadb -c "UPDATE rulepackages SET version = 0 WHERE namespace LIKE 'secteam.%';"
Download the Splunk UBA upgrade software
Perform the following steps to find and download the Splunk UBA upgrade software:
- Obtain the Splunk UBA Software Update and download the file to the
/home/caspida
directory on the management node. Select version 5.3.0 from the drop-down list. The downloadable archive file is namedsplunk-uba-software-upgrade-package_530.tgz
. - Extract the archive with the following command:
tar xfz /home/caspida/splunk-uba-software-upgrade-package_530.tgz -C /home/caspida
The following files are extracted:
Splunk-UBA-Platform-5.3.0-20230810-11068359.tgz
Splunk-UBA-Platform-5.3.0-20230810-11068359.tgz.md5sum
uba-ext-pkgs-5.3.0.tgz
uba-ext-pkgs-5.3.0.tgz.md5sum
Stop all UBA services and archive
Switch to caspida user and perform the following steps to archive the older version of UBA.
- On the management node, stop all the caspida services:
/opt/caspida/bin/Caspida stop-all
- On each node, archive the older version of UBA. REPLACE
<old-uba-version>
with your UBA version:sudo mkdir -p /var/vcap/release_archives sudo mv /opt/caspida /var/vcap/release_archives/caspida-<old-uba-version> sudo mkdir -p /opt/caspida && sudo chown caspida:caspida /opt/caspida sudo chown caspida:caspida /var/vcap/release_archives sudo chown caspida:caspida /var/vcap/release_archives/caspida-<old-uba-version>
Upgrade from RHEL 8.4 or 8.5 to RHEL 8.8
- On each node, perform the OS upgrade steps as root user:
subscription-manager release --set=8.8 yum update reboot
- Verify the OS version is upgraded to the desired version:
cat /etc/os-release
You can upgrade UBA from version 5.2.0 to 5.3.0 on RHEL 8.6 without an operating system (OS) upgrade. If you prefer not to update the OS, proceed with the UBA upgrade using the steps outlined in the Perform UBA upgrade section.
Upgrade from RHEL 8.6 to RHEL 8.8
- If you are upgrading UBA from version 5.2.0, remove the
rootcerts
package before upgrading to RHEL 8.8. Otherwise, go to step 2.sudo rpm -e --nodeps rootcerts-1:20201201.00-2.mga8.noarch
- On each node, perform the OS upgrade steps as root user:
subscription-manager release --set=8.8 yum update reboot
- Verify the OS version is upgraded to the desired version:
cat /etc/os-release
System OS upgrade complete. The system is now at OS version 8.8.
Perform UBA upgrade
When upgrading the RHEL version from 8.x to 8.8 in a multi-node system, perform all the previous steps in this topic, in all the respective nodes, before completing the steps listed here.
Upgrade Splunk UBA 5.3.0 on the management node only. The upgrade script will update all relevant files on the other Splunk UBA nodes.
Perform the following tasks to upgrade Splunk UBA in a distributed environment.
- Untar the UBA 5.3.0 Platform build inside the /opt/caspida/ folder:
tar xvzf /home/caspida/Splunk-UBA-Platform-5.3.0-20230810-11068359.tgz -C /opt/caspida
- Run the UBA upgrade script, using the path to your archived UBA from the Stop all UBA services and archive
step:
The
path-to-prev-uba-archive
might be/var/vcap/release_archives/caspida-
depending on your archived UBA version number./opt/caspida/upgrade/utils/upgrade_uba.sh -p /var/vcap/release_archives/caspida-<old-uba-version> -e /home/caspida/uba-ext-pkgs-5.3.0.tgz
The command installs the new Splunk UBA software, restarts Splunk UBA, and then restarts the data sources.
If you have previously imported an output connector certificate, re-import the certificate. See, Configure the Splunk platform to receive data from the Splunk UBA output connector in the Send and Receive Data from the Splunk Platform manual.
Re-import the certificate used for sending UBA audit events to Splunk ES
If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), and you preserved the associated certificate in the Before you begin step, you can now re-import that certificate. Use the following command to re-import the certificate:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/splunk-es_cacert.pem
Re-import the SSL certificate used for validating datasources from the Splunk Enterprise platform
If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), use the following command to re-import the SSL certificate:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -import -alias "SplunkESRootCA" -keystore $JAVA_HOME/lib/security/cacerts -file ~/SplunkESRootCA.pem
For more information on SSL certificate validation, see Configure flag to enable or disable Splunk SSL certificate validation.
Apply security patches on your Linux operating system on all nodes in the distributed deployment
Perform the following tasks to apply the latest Linux operating system security patches:
- Log in to the Splunk UBA management node as the caspida user.
- On the management node, run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- On all nodes, run the following commands to check for any available security updates:
sudo yum updateinfo list security all sudo yum updateinfo list sec
- On all nodes, run the following command to update all packages with the available security updates:
sudo yum update --security -y sudo yum --security update-minimal
- On all nodes, reboot the system:
sudo reboot
- On the management node, run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Next steps
You can Verify a successful upgrade of Splunk UBA.
By default, the caspida user is given ALL access in /etc/sudoers
during Splunk UBA installation and upgrade. If you want to restrict sudo
access for the caspida user after Splunk UBA is upgraded, see Restrict sudo access for the caspida account.
Upgrade a distributed AMI or OVA installation of Splunk UBA | Upgrade a distributed OEL installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.3.0
Feedback submitted, thanks!