Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

Upgrade a single node RHEL installation of Splunk UBA

Perform the following steps to upgrade a single node RHEL installation of Splunk UBA.

Prerequisites

Complete the following steps to ensure your system is correctly set up for upgrading Splunk UBA:

  1. Review the new features in this version of Splunk UBA for any changes that might need to be addressed before upgrading. See What's new in the Release Notes manual.
  2. Confirm you meet the Upgrade Splunk UBA prerequisites. Make sure that the prerequisites are verified on each server in the distributed deployment.
  3. Make sure the correct hadoop ports are open. See, Inbound networking port requirements.
  4. If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), preserve the associated certificate before upgrading.
    Use the following command to export the certificate:
    . /opt/caspida/bin/CaspidaCommonEnv.sh
    sudo keytool -exportcert -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/splunk-es_cacert.pem
    For more information on sending audit data to ES see, Send Splunk UBA audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual.
  5. If you have enabled validation of the SSL certificate from Splunk ES, export the SSL certificate used for validating datasources from the Splunk Enterprise platform:
    . /opt/caspida/bin/CaspidaCommonEnv.sh
    sudo keytool -exportcert -alias "SplunkESRootCA" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/SplunkESRootCA.pem
  6. If you have enabled the integration that sends UBA events to Splunk ES, add connection_host = ip to the HTTP Event Collector (HEC) inputs.conf on the ES search head.
    For example:
     /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
    This ensures that the host field remains the sender's (UBA) IP address instead of the default HEC host and port.
  7. Customers with existing UBA-ES integrations must comment out or remove the previously configured [tcp-ssl:10008] stanza from the Splunk_TA_ueba inputs.conf on the Splunk ES search head to avoid having an unused listener.

Download the Splunk UBA upgrade software

Perform the following steps to find and download the Splunk UBA upgrade software:

  1. Obtain the Splunk UBA Software Update and download the file to the /home/caspida directory. Select version 5.4.1 from the drop-down list. The downloadable archive file is named tar xfz /home/caspida/splunk-uba-software-upgrade-package_541.tgz -C /home/caspida.
  2. Extract the archive with the following command:
    tar xfz /home/caspida/splunk-uba-software-upgrade-package_541.tgz -C /home/caspida

    The following files are extracted:

    • Splunk-UBA-Platform-5.4.1-20240821-19277151.tgz
    • Splunk-UBA-Platform-5.4.1-20240821-19277151.tgz.md5sum
    • uba-ext-pkgs-5.4.1.tgz
    • uba-ext-pkgs-5.4.1.tgz.md5sum


Stop all UBA services and archive

Switch to caspida user and perform the following steps to archive the older version of UBA.

  1. On the management node, stop all the caspida services:
    /opt/caspida/bin/Caspida stop-all
  2. On each node, archive the older version of UBA. REPLACE <old-uba-version> with your UBA version:
    sudo mkdir -p /var/vcap/release_archives
    sudo mv /opt/caspida /var/vcap/release_archives/caspida-<old-uba-version>
    sudo mkdir -p /opt/caspida && sudo chown caspida:caspida /opt/caspida
    sudo chown caspida:caspida /var/vcap/release_archives
    sudo chown caspida:caspida /var/vcap/release_archives/caspida-<old-uba-version>


Upgrade from RHEL 8.6 to RHEL 8.8

You can upgrade to UBA version 5.4.1 on RHEL 8.6 or 8.8 without an operating system (OS) upgrade. If you prefer not to update the OS, proceed with the UBA upgrade using the steps outlined in the Perform UBA upgrade section.

  1. Remove the rootcerts package before upgrading to RHEL 8.8:
    sudo rpm -e --nodeps rootcerts-1:20201201.00-2.mga8.noarch
  2. On each node, perform the OS upgrade steps as root user:
    subscription-manager release --set=8.8
    yum update
    reboot
    
  3. Verify the OS version is upgraded to the desired version:
    cat /etc/os-release

    System OS upgrade complete. The system is now at OS version 8.8.

Upgrade from RHEL 8.6 or 8.8 to RHEL 8.10

  1. If you are upgrading RHEL from 8.6, remove the rootcerts package before upgrading to RHEL 8.10. Otherwise, go to step 2.
    sudo rpm -e --nodeps rootcerts-1:20201201.00-2.mga8.noarch
  2. On each node, perform the OS upgrade steps as root user:
    subscription-manager release --set=8.10
    yum update
    reboot
  3. Verify the OS version is upgraded to the desired version:
    cat /etc/os-release

    System OS upgrade complete. The system is now at OS version 8.10.

Perform UBA upgrade

Perform the following tasks to upgrade Splunk UBA on a single server as the caspida user.

  1. Download and untar the UBA 5.4.1 Platform build inside the /opt/caspida/ folder:
    tar xvzf /home/caspida/Splunk-UBA-Platform-5.4.1-20240821-19277151.tgz -C /opt/caspida
  2. (Optional) Follow the steps to turn on FIPS compliance. See Turn on FIPS compliance.

  3. Run the UBA upgrade script, using the path to your archived UBA from the Stop all UBA services and archive step:

    The path-to-prev-uba-archive might be /var/vcap/release_archives/caspida- depending on your archived UBA version number.

    /opt/caspida/upgrade/utils/upgrade_uba.sh -p /var/vcap/release_archives/caspida-<old-uba-version> -e /home/caspida/uba-ext-pkgs-5.4.1.tgz
    The command installs the new Splunk UBA software, restarts Splunk UBA, and then restarts the data sources.

If you have previously imported an output connector certificate, re-import the certificate. See, Configure the Splunk platform to receive data from the Splunk UBA output connector in the Send and Receive Data from the Splunk Platform manual.

Turn on FIPS compliance

Turning on FIPS compliance is an optional step when installing or upgrading Splunk UBA.

Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher. Complete the following steps to turn on FIPS on each Splunk UBA node before running the upgrade script in the Perform UBA upgrade section.

Make sure that the operating system is on the target version before turning on FIPS.

  1. Run the following command to check the current status of FIPS:
    sudo fips-mode-setup --check
  2. On each node, run the following command to turn on FIPS:
    sudo fips-mode-setup --enable
  3. After successfully turning on FIPS, reboot the system:
    sudo reboot
  4. Confirm FIPS is turned on:
    sudo fips-mode-setup --check
  5. You can also verify the status using the following command.

    You see a 1 if FIPS is turned on, otherwise 0.

    cat /proc/sys/crypto/fips_enabled

Re-import the certificate used for sending UBA audit events to Splunk ES

If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), and you preserved the associated certificate in the Before you begin step, you can now re-import that certificate. Use the following command to re-import the certificate:

. /opt/caspida/bin/CaspidaCommonEnv.sh
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/splunk-es_cacert.pem

Apply security patches on your Linux operating system

Perform the following tasks to apply the latest Linux operating system security patches:

  1. Log in to the Splunk UBA server as the caspida user.
  2. Run the following command to stop Splunk UBA and all services:
    /opt/caspida/bin/Caspida stop-all
  3. Run the following commands to check for any available security updates:
    sudo yum updateinfo list security all
    sudo yum updateinfo list sec
    
  4. Run the following command to update all packages with the available security updates:
    sudo yum update --security -y
    sudo yum --security update-minimal
    
  5. Reboot the system:
    sudo reboot
  6. Run the following command to start Splunk UBA and all services:
    /opt/caspida/bin/Caspida start-all

Next steps

You can Verify a successful upgrade of Splunk UBA.

By default, the caspida user is given ALL access in /etc/sudoers during Splunk UBA installation and upgrade. If you want to restrict sudo access for the caspida user after Splunk UBA is upgraded, see Restrict sudo access for the caspida account.

Last modified on 30 August, 2024
Upgrade a single node AMI or OVA installation of Splunk UBA   Upgrade a single node OEL installation of Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters