Upgrade a single node AMI or OVA installation of Splunk UBA
Perform the following steps to upgrade a single node AMI or OVA installation of Splunk UBA.
Prerequisites
Complete the following steps to ensure your system is correctly set up for upgrading Splunk UBA:
- Review the new features in this version of Splunk UBA for any changes that might need to be addressed before upgrading. See What's new in the Release Notes manual.
- Confirm you meet the Upgrade Splunk UBA prerequisites.
- Make sure the correct hadoop ports are open. See, Inbound networking port requirements.
- Ensure you Verify Postgres Collate and Ctype values.
- If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), preserve the associated certificate before upgrading.
Use the following command to export the certificate:For more info on sending audit data to ES see, Send Splunk UBA audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual.. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -exportcert -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/splunk-es_cacert.pem
- If you have enabled validation of the SSL certificate from Splunk ES, export the SSL certificate used for validating datasources from the Splunk Enterprise platform:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -exportcert -alias "SplunkESRootCA" -keystore $JAVA_HOME/lib/security/cacerts -rfc -file ~/SplunkESRootCA.pem
- If you have enabled the integration that sends UBA events to Splunk ES, add
connection_host = ip
to the HTTP Event Collector (HEC)inputs.conf
on the ES search head.
For example:
This ensures that the host field remains the sender's (UBA) IP address instead of the default HEC host and port./opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
- Customers with existing UBA-ES integrations must comment out or remove the previously configured
[tcp-ssl:10008]
stanza from theSplunk_TA_ueba
inputs.conf on the Splunk ES search head to avoid having an unused listener.
Single server upgrade steps
The Splunk UBA AMI and OVA images use Ubuntu as the operating system. Ensure that Splunk UBA is running before you upgrade then perform the following tasks to upgrade Splunk UBA on a single server with Ubuntu operating system.
- Stop all the caspida services.
/opt/caspida/bin/Caspida stop-all
- Archive the previous UBA release. Replace
<old-uba-version>
with your version of UBA:sudo mkdir -p /var/vcap/release_archives sudo mv /opt/caspida /var/vcap/release_archives/caspida-<old-uba-version> sudo mkdir -p /opt/caspida && sudo chown caspida:caspida /opt/caspida sudo chown caspida:caspida /var/vcap/release_archives sudo chown caspida:caspida /var/vcap/release_archives/caspida-<old-uba-version>
- Download the latest UBA branch build
splunk-uba-software-upgrade-package_541.tgz
and untar the UBA bits to/home/caspida
directory:$ tar xvzf /home/caspida/splunk-uba-software-upgrade-package_541.tgz Splunk-UBA-Platform-5.4.1-20240821-19277151.tgz Splunk-UBA-Platform-5.4.1-20240821-19277151.tgz.md5sum uba-ext-pkgs-5.4.1.tgz uba-ext-pkgs-5.4.1.tgz.md5sum
- Untar the UBA 5.4.1 Platform build inside the /opt/caspida/ folder:
tar xvzf /home/caspida/Splunk-UBA-Platform-5.4.1-20240821-19277151.tgz -C /opt/caspida
- Set or update the following environment variable for PostgreSQL in the /etc/default/locale file:
Change theLANG
value toen_US.UTF-8
- Run the following command to source
/etc/default/locale
:
source /etc/default/locale
- (Optional) Follow the steps to turn on FIPS compliance. See Turn on FIPS compliance.
- Run the UBA upgrade script, using the path to your archived UBA from step 2. Migrate your configurations in a tmux shell just in case your SSH connection breaks.
The
path-to-prev-uba-archive
might be/var/vcap/release_archives/caspida-
depending on your archived UBA version number.$ tmux $ /opt/caspida/upgrade/utils/upgrade_uba.sh -p <path-to-prev-uba-archive> -e /home/caspida/uba-ext-pkgs-5.4.1.tgz
The command installs the new Splunk UBA software, restarts Splunk UBA, and then restarts the data sources.
If you have previously imported an output connector certificate, re-import the certificate. See, Configure the Splunk platform to receive data from the Splunk UBA output connector in the Send and Receive Data from the Splunk Platform manual.
Turn on FIPS compliance
Turning on FIPS compliance is an optional step when installing or upgrading Splunk UBA.
Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher. Complete the following steps to turn on FIPS on each Splunk UBA node before running the upgrade script.
For developing and running workloads with FIPS on the enterprise, the validated packages are available with Ubuntu Pro or an Ubuntu Advantage subscription. See https://ubuntu.com/public-cloud and https://ubuntu.com/advantage .
Perform the following steps on each node:
- Update the package information:
sudo apt update
- Install
ubuntu-advantage-tools
in your Ubuntu system:sudo apt install ubuntu-advantage-tools
- Sign up for Ubuntu Pro using the following website: https://ubuntu.com/advantage
- Once logged in, go to the Ubuntu Pro Dashboard and copy the token.
- Replace the copied token with
<Token>
and run the following command:sudo ua attach <TOKEN>
- Turn on FIPS using the
fips-updates
stream on Ubuntu LTS.:sudo ua enable fips-updates
- After successfully turning on FIPS, reboot the system:
sudo reboot
- Check the status to confirm FIPS is turned on:
sudo ua status
- You can also verify the status using the following command:
You see a 1 if FIPS is turned on, otherwise 0.
cat /proc/sys/crypto/fips_enabled
To learn more about FIPS in Ubuntu systems, see https://ubuntu.com/blog/running-fips-140-workloads-on-ubuntu.
Apply security patches on Ubuntu
The Splunk UBA AMI and OVA images use Ubuntu as the operating system. Perform the following tasks to apply the latest security patches to your Ubuntu operating system:
Applying the security patches can take up to one hour.
- Log in to the Splunk UBA server as the caspida user.
- Run the following command to stop Splunk UBA and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following commands to install the latest unattended-upgrades package:
sudo apt update sudo apt install unattended-upgrades
If you see the following prompt, select keep the local version currently installed:
What do you want to do about modified configuration file 50unattended-upgrades?
- Run the following command:
sudo apt autoremove
- Edit the
/etc/apt/apt.conf.d/50unattended-upgrades
file and un-comment the following line:Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
"${distro_id}:${distro_codename}-security";
Leave all other lines commented out. - Run the following command:
sudo unattended-upgrade -d
- Edit the
/etc/init.d/zookeeper-server
file and changesu
torunuser
in all of the following lines:Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
Before:
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
After:
runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- Run the following command to start Splunk UBA and all services:
/opt/caspida/bin/Caspida start-all
Re-import the certificate used for sending UBA audit events to Splunk ES
If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), and you preserved the associated certificate in the Before you begin step, you can now re-import that certificate. Use the following command to re-import the certificate:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -rfc -file ~/splunk-es_cacert.pem
Re-import the SSL certificate used for validating datasources from the Splunk Enterprise platform
If you have enabled the integration that sends UBA audit data to Splunk Enterprise Security (ES), use the following command to re-import the SSL certificate:
. /opt/caspida/bin/CaspidaCommonEnv.sh sudo keytool -import -alias "SplunkESRootCA" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/SplunkESRootCA.pem
For more information on SSL certificate validation, see Configure flag to enable or disable Splunk SSL certificate validation.
Next steps
You can Verify a successful upgrade of Splunk UBA.
By default, the caspida user is given ALL access in /etc/sudoers
during Splunk UBA installation and upgrade. If you want to restrict sudo
access for the caspida user after Splunk UBA is upgraded, see Restrict sudo access for the caspida account.
Upgrade Splunk UBA prerequisites | Upgrade a single node RHEL installation of Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.1
Feedback submitted, thanks!