Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Install Splunk UBA on a single Amazon Web Services instance

Follow these instructions to install Splunk UBA 5.4.0 for the first time using the AMI image on a single Amazon Web Services (AWS) instance.

If you already have Splunk UBA, do not follow the instructions on this page. Instead, follow the appropriate upgrade instructions to obtain your desired release. See, How to install or upgrade to this release of Splunk UBA

Prerequisites for installing Splunk UBA on a single AWS instance

Verify that the following requirements are met:

  • Contact your Splunk sales representative and provide them with your AWS account information, name, and email address to obtain the Splunk UBA Amazon Machine Image (AMI). Entitlement will be verified by the account team and the AMI will be shared to the AWS account provided.
  • A valid key pair to access your AWS instance.
  • A security group with inbound firewall rules that allow access to ports 22 and 443 from trusted external addresses.

Turn on FIPS compliance

Turning on FIPS compliance is an optional step when installing or upgrading Splunk UBA.

Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher.

For developing and running workloads with FIPS on the enterprise, the validated packages are available with Ubuntu Pro or an Ubuntu Advantage subscription. See https://ubuntu.com/public-cloud and https://ubuntu.com/advantage.

Perform the following steps on each node:

  1. Update the package information:
    sudo apt update
  2. Install ubuntu-advantage-tools in your ubuntu system:
    sudo apt install ubuntu-advantage-tools
  3. Sign up for Ubuntu Pro using the following website: https://ubuntu.com/advantage
  4. Once logged in, go to the Ubuntu Pro Dashboard and copy the token.
  5. Replace the copied token with <Token> and run the following command:
    sudo ua attach <TOKEN>
  6. Turn on FIPS using the fips-updates stream on Ubuntu LTS.:
    sudo ua enable fips-updates
  7. After successfully turning on FIPS, reboot the system:
    sudo reboot
  8. Check the status to confirm FIPS is turned on:
    sudo ua status
  9. You can also verify the status using the following command:

    You see a 1 if FIPS is turned on, otherwise 0.

    cat /proc/sys/crypto/fips_enabled

To learn more about FIPS in Ubuntu systems, see https://ubuntu.com/blog/running-fips-140-workloads-on-ubuntu.

Steps for installing Splunk UBA on a single AWS instance

Perform the following steps to install Splunk UBA on a single AWS instance. You can also view How do I launch an EC2 instance from a custom Amazon Machine Image (AMI)? in the AWS documentation for additional information.

  1. Login to your AWS account.
  2. In the AWS console, open the Splunk UBA AMI.
  3. Set up an AWS instance. The following server instance types are supported:
    • m4.4xlarge
    • m5.4xlarge, m5a.4xlarge, m5.8xlarge
    • m6a.4xlarge, m6i.4xlarge
  4. Click Edit storage and add two new 1TB volumes.
  5. Open the instance and download the key pair to your local machine. You need this key pair later in the procedure to login to Splunk UBA as ubuntu using passwordless SSH.
  6. Save the public IP address of the UBA instance somewhere. You need this IP address to finish setting up Splunk UBA.
  7. From the command line, load the key pair, set up the caspida user, and log in to the AWS instance.
    ssh -i <keypair>.pem ubuntu@<public IP of your UBA instance>
    su - caspida
    

    Specify caspida123 as the existing default password. You will be prompted to provide the default password a second time, and then change the existing password. For example:

    ubuntu:~$ su - caspida
    Password:
    You are required to change your password immediately (root enforced)
    Changing password for caspida.
    (current) UNIX password:
    Enter new UNIX password:
    Retype new UNIX password:
    caspida:~$
    
  8. If you are not changing the hostname of your system, skip this step. If you have a need to change the host name, update the /etc/hosts file with the new host name and IP address so that they can be resolved by DNS.
  9. Verify that the system date, time and time zone are correct using the timedatectl command, as shown below. The time zone in Splunk UBA should match the time zone configured in Splunk Enterprise.
    caspida@ubahost$ timedatectl status
          Local time: Mon 2019-04-08 14:30:02 UTC
      Universal time: Mon 2019-04-08 14:30:02 UTC
            RTC time: Mon 2019-04-08 14:30:01
           Time zone: UTC (UTC, +0000)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: n/a
    

    Use the timedatectl command to change the time zone. For example, to change the time zone to UTC:

    timedatectl set-timezone UTC
    Refer to the documentation for your specific operating system to configure NTP synchronization. Use the ntpq -p command to verify that NTP is pointing to the desired server.
  10. Find the two additional 1TB disks using the sudo fdisk -l command. An example disk is /dev/xvdb.
  11. Format and mount the additional 1TB disks.
    1. The Caspida add-disk command can take time to complete. To avoid timeout issues you can run tmux.
    2. Add the 1TB disk for Splunk UBA metadata storage. Use the /opt/caspida/bin/Caspida add-disk <device> command.
      Examples:
      i) If your disk name is /dev/xvdb use the following command: /opt/caspida/bin/Caspida add-disk /dev/xvdb
      ii) If your disk name is /dev/nvme1n1 use the following command: /opt/caspida/bin/Caspida add-disk /dev/nvme1n1

      The disk is mounted as /var/vcap by default.

    3. Add the 1TB disk for Spark. The disk should be mounted as /var/vcap2. Use the /opt/caspida/bin/Caspida add-disk <device> <mount> command.
      Examples:
      i) If your disk name is /dev/xvdc use the following command: /opt/caspida/bin/Caspida add-disk /dev/xvdc /var/vcap2
      ii) If your disk name is /dev/nvme2n1 use the following command: /opt/caspida/bin/Caspida add-disk /dev/nvme2n1 /var/vcap2
  12. Verify that IPv6 drivers are available. To do this, check that /proc/sys/net/ipv6/ exists.
    For example:
    caspida@ubahost$ ls -l /proc/sys/net/ipv6/
    total 0
    -rw-r--r-- 1 root root 0 Mar 12 16:52 anycast_src_echo_reply
    -rw-r--r-- 1 root root 0 Mar 12 16:52 auto_flowlabels
    -rw-r--r-- 1 root root 0 Mar 12 16:52 bindv6only
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 conf
    -rw-r--r-- 1 root root 0 Mar 12 16:52 flowlabel_consistency
    -rw-r--r-- 1 root root 0 Mar 12 16:52 flowlabel_state_ranges
    -rw-r--r-- 1 root root 0 Mar 12 16:52 fwmark_reflect
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 icmp
    -rw-r--r-- 1 root root 0 Mar 12 16:52 idgen_delay
    -rw-r--r-- 1 root root 0 Mar 12 16:52 idgen_retries
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_high_thresh
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_low_thresh
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_secret_interval
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_time
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip_nonlocal_bind
    -rw-r--r-- 1 root root 0 Mar 12 16:52 mld_max_msf
    -rw-r--r-- 1 root root 0 Mar 12 16:52 mld_qrv
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 neigh
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 route
    -rw-r--r-- 1 root root 0 Mar 12 16:52 xfrm6_gc_thresh
    

    If the IPv6 drivers exist, skip to the next step.
    If IPv6 drivers do not exist on your system, check if /etc/default/grub contains ipv6.disable=1. IPv6 drivers will not be available on a system if ipv6.disable=1 exists in /etc/default/grub. If ipv6.disable=1 is not present in /etc/default/grub and IPv6 drivers do not exist, consult with your system or network administrators. You will not be able to continue with the installation.
    If /etc/default/grub contains ipv6.disable=1, perform the following tasks as root:

    1. Remove ipv6.disable=1 from /etc/default/grub.
    2. Recreate the grub config:
      grub2-mkconfig -o /boot/grub2/grub.cfg
    3. Reboot the machines. After the system comes up, make sure /proc/sys/net/ipv6 exists.

    To disable IPv6 functionality for security, networking or performance reasons, create the /etc/sysctl.d/splunkuba-ipv6.conf file as root. This file should contain the following content:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    
    This procedure keeps the IPv6 drivers but disables the IPv6 addressing.
  13. Generate SSH keys using the ssh-keygen -t rsa command. Press enter for all the prompts and accept all default values. For example:
    [caspida@ubahost]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/caspida/.ssh/id_rsa):
    Created directory '/home/caspida/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/caspida/.ssh/id_rsa.
    Your public key has been saved in /home/caspida/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:Ohe1oSpUtNT8siJzvn2lFLrHmVH7JGKke+c/5NRFb/g caspida@ubahost
    
  14. Add the SSH keys to the server and adjust the permissions to allow the server to access them.
    cat /home/caspida/.ssh/id_rsa.pub >> /home/caspida/.ssh/authorized_keys
    chmod 600 /home/caspida/.ssh/authorized_keys
    
  15. SSH using the syntax below to accept keys and verify the connection is passwordless.
    ssh <host name>
    ssh localhost
  16. Check the system status with the uba_pre_check.sh shell script. Run the following command on a single-node deployment and be sure to replace <node1> with the actual host name of your system.
    /opt/caspida/bin/utils/uba_pre_check.sh <node1>
    See Check system status before and after installation for more information about the script.
  17. Run the following command to source the /etc/locale.conf file:
    source /etc/locale.conf
  18. Run the Splunk UBA setup script.
    tmux
    /opt/caspida/bin/Caspida setup
    1. Accept the license agreement and confirm removal of existing metadata.
    2. Type the host name of the Splunk UBA server installation. For example, type uba01_prod.
    3. Confirm that you want to continue setting up Splunk UBA.
  19. Verify the host name of all the nodes using the following command:
    hostname
  20. Make sure you have a consistent setup. If using fully qualified domain names (FQDN) then all nodes should output FQDN in the host name command. If the short name is used, then all nodes should output the short name in the host name command.
    1. If FQDN is used then in the pre_check script provide the FQDN of all the nodes, for example:
      /opt/caspida/bin/utils/uba_pre_check.sh <NODE1_FQDN> <NODE2_FQDN> <NODE3_FQDN>
    2. When prompted for a list of host names in the setup script, if the output of the host name command is FQDN, then provide a CSV list of FQDN host names, for example:
      <NODE1_FQDN>,<NODE2_FQDN>,<NODE3_FQDN>

    If you plan on connecting to Splunk Cloud to run queries for datasources, use fully qualified domain names (FQDN), not short names, for your Splunk UBA host names.

  21. After setup completes:
    1. Open a web browser and log in to the public IP address of the AWS instance to confirm a successful installation. The default username is admin and password is changeme. See Secure the default account after installing Splunk UBA for information about the default accounts provided with Splunk UBA and how to secure them.
    2. See Verify successful installation for more information about verifying a successful installation.
Last modified on 29 August, 2024
Install Splunk User Behavior Analytics   Install Splunk UBA on a single Linux server

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters