Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Change the IP address or hostname of your Splunk UBA nodes

Changes in your environment may necessitate changing the IP address or hostname of your Splunk UBA nodes.


You can change the IP address or hostname of your Splunk UBA nodes with the following procedure:

  1. Use SSH to log in to the management node of your Splunk UBA deployment as the caspida user.
  2. Run the following command to stop all Splunk UBA services.
    /opt/caspida/bin/Caspida stop-all
  3. Perform the following tasks on all Splunk UBA nodes:
    1. If your system is not set up with a DNS service, edit the /etc/hosts file and add the new IP addresses or hostnames. See Configure local DNS using the /etc/hosts file in Install and Upgrade Splunk User Behavior Analytics.

      In an AWS environment the IP addresses must be the private IPs.

    2. If you are updating hostnames, use the hostnamectl command to update them, and then reboot.
      sudo hostnamectl set-hostname <hostname-shortname>
      sudo reboot
    3. Verify that nslookup is able to resolve the IP addresses and hostnames correctly.
      nslookup <ip-address>
      nslookup <hostname-shortname>
      nslookup <hostname-fqdn>
      
    4. Verify that SSH to each of the new IP addresses or hostnames is keyless and does not require a password.
  4. On the Splunk UBA management node, run the following command to change your IP addresses:
    /opt/caspida/bin/utils/change-uba-network-address.sh <from-ip-or-hostname> <to-ip-or-hostname>
    

    If you are changing multiple hosts, use one command for each host. The -i flag with the previous IP address is required if changing hostnames.

    For multi-node clusters, only change one hostname or IP address at a time before running the change-uba-network-address.sh script, otherwise the script is unable to find the other hosts with their new hostnames or IP addresses.

    For example:

    /opt/caspida/bin/utils/change-uba-network-address.sh -i <from-ip> <from-ip-or-hostname-1> <to-ip-or-hostname-1>
    /opt/caspida/bin/utils/change-uba-network-address.sh -i <from-ip> <from-ip-or-hostname-2> <to-ip-or-hostname-2>
    /opt/caspida/bin/utils/change-uba-network-address.sh -i <from-ip> <from-ip-or-hostname-3> <to-ip-or-hostname-3>
    

    The command looks for the existing <from-ip-or-hostname> in the /opt/caspida/conf/deployment/caspida-deployment.conf file and updates the IP address or hostname in all configuration files on all nodes. This means that you only need to run the script on the Splunk UBA management node.

    In some cases, you may have configured your Splunk UBA nodes using hostnames such as uba1, uba2 or uba3. If the IP address of uba1 is 10.10.1.2, and you want to change it to 10.10.10.2, use the -s option in the command, which causes the script to skip checking for the IP address in the caspida-deployment.conf file, since it will not be found. For example:

    /opt/caspida/bin/utils/change-uba-network-address.sh -s 10.10.1.2 10.10.10.2
    

    In an AWS environment with a public IP address, use the -p option to change the public IP address in the uba-site.properties file. For example, to change the existing public IP address to 30.31.32.33, and also change the IP address 10.10.1.2 to 10.10.10.2, use the following command:

    /opt/caspida/bin/utils/change-uba-network-address.sh -p 30.31.32.33 -s 10.10.1.2 10.10.10.2
    

    You will be prompted to take additional action when the command is finished running. Follow the instructions provided by the script to finish updating the IP address of your Splunk UBA nodes.

    • If the command is able to determine that the <from-ip-or-hostname> is a single node or a container host:
      successfully changed 10.140.195.143 to 10.140.195.12
        1. if 10.140.195.143 was running UBA UI: run /opt/caspida/bin/CaspidaCert.sh  to recreate SSL certificates for the web server
        2. run /opt/caspida/bin/Caspida remove-containerization; /opt/caspida/bin/Caspida setup-containerization
        3. run /opt/caspida/bin/Caspida start-all to start up UBA
      
    • If the command is not able to determine that the <from-ip-or-hostname> is a container host:
      successfully changed 10.140.195.143 to 10.140.195.12
        1. if 10.140.195.143 was running UBA UI: run /opt/caspida/bin/CaspidaCert.sh  to recreate SSL certificates for the web server
        2. unable to determine if 10.140.195.143 was running containers. if 10.140.195.143 is one of sp43centos0,sp43centos1,sp43centos2, run /opt/caspida/bin/Caspida remove-containerization; /opt/caspida/bin/Caspida setup-containerization
        3. run /opt/caspida/bin/Caspida start-all to start up UBA
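
The hosts-file and keyless-SSH checks from step 3 can be scripted and run on each node before the change script is invoked. This is an added example, not part of the Splunk documentation or the UBA scripts; the function names and the "NAME IP" pair input are assumptions, and the nslookup check from step 3 is still run as shown above.

```shell
#!/bin/sh
# Preflight for step 3; run on each Splunk UBA node as the caspida user.
# Added example: function names and the NAME/IP pair input are assumptions.

# Print every address a hosts-format file maps to NAME (comments ignored).
hosts_ips_for() {            # usage: hosts_ips_for FILE NAME
  awk -v n="$2" '{ sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) print $1 }' "$1" | sort -u
}

# Succeed only if NAME maps to exactly one address and it is WANT_IP, so a
# leftover entry for the old address next to the new one is reported.
check_hosts_entry() {        # usage: check_hosts_entry FILE NAME WANT_IP
  ips=$(hosts_ips_for "$1" "$2")
  if [ -z "$ips" ]; then echo "MISSING  $2"; return 1; fi
  if [ "$ips" != "$3" ]; then
    echo "MISMATCH $2 -> $(echo $ips | tr ' ' ',') (want $3)"; return 1
  fi
  echo "OK       $2 -> $3"
}

# BatchMode=yes makes ssh fail instead of prompting for a password;
# -n keeps ssh from consuming the pair list on stdin.
check_keyless_ssh() {        # usage: check_keyless_ssh HOST
  ssh -n -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>/dev/null
}

# Read "NAME IP" pairs from stdin, run both checks, return 1 on any failure.
preflight() {                # usage: preflight HOSTS_FILE < pairs.txt
  rc=0
  while read -r name ip; do
    [ -n "$name" ] || continue
    check_hosts_entry "$1" "$name" "$ip" || rc=1
    check_keyless_ssh "$name" ||
      { echo "SSH      $name: key login failed or host unreachable"; rc=1; }
  done
  return "$rc"
}

# Example call with constructed values (uba1 moving to 10.10.10.2):
#   printf 'uba1 10.10.10.2\nuba2 10.10.1.3\n' | preflight /etc/hosts
```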
      
Last modified on 15 March, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

