Upgrade a Splunk UBA deployment that is using warm standby
Perform the following tasks to upgrade a Splunk UBA deployment that is using warm standby. The instructions apply to both single-node and multi-node deployments.
Prerequisite
Open the Hadoop data node port across your primary and standby clusters. See Requirements to set up warm standby for Splunk UBA in the Administer Splunk User Behavior Analytics manual.
Upgrade steps
Perform the following tasks to complete the upgrade:
- Manually synchronize the primary and standby systems. See Synchronize the primary and standby systems on-demand in the Administer Splunk User Behavioral Analytics manual.
- Verify that both systems are synchronized. See Verify that the primary and standby systems are synchronized in the Administer Splunk User Behavioral Analytics manual.
- Turn off replication before upgrading the primary system.
- Upgrade the primary system. See Upgrade Splunk UBA prerequisites and select the upgrade instructions for your operating system.
- Upgrade the standby system. See Upgrade Splunk UBA prerequisites and select the upgrade instructions for your operating system.
- Perform the following steps to set up replication again:
  - Run the following command on the management node in the primary system:
    /opt/caspida/bin/replication/setup standby -m primary -r
    When prompted with "subscription_caspida exists on standby node, which may cause warm standby setup issues on standby node. Would you like to delete it?", choose "Yy" for yes or "Nn" for no.
  - Choose "Yy" for yes to register replication slots again.
  - Run the following command on the management node in the standby system:
    /opt/caspida/bin/replication/setup standby -m standby -r
  - Run the curl command on the management node in the primary system to initiate a full sync:
    curl -X POST -k -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)" "https://localhost:9002/jobs/trigger?name=ReplicationCoordinator"
  - To verify your setup, view the table in the Postgres database that tracks the status of the sync between the primary and standby systems. Run the following command on the node that has Postgres installed:
    psql -d caspidadb -c 'select * from replication'
- Verify that both systems are synchronized. See Verify that the primary and standby systems are synchronized in the Administer Splunk User Behavioral Analytics manual.
- On the primary system, check the health monitor and verify that the data sources are working properly. See Monitor the health of your Splunk UBA deployment in the Administer Splunk User Behavioral Analytics manual, or Examine Splunk UBA system health with the Splunk UBA Monitoring app in the Splunk UBA Monitoring App manual if you are using the Splunk UBA Monitoring app.
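The full-sync trigger from the replication setup steps above, as an added example that is not Splunk's own code: it reads the token from the same properties file, refuses to send a request with an empty or malformed token, and passes the Authorization header to curl over stdin instead of on the command line, where it would be visible in the process list. The function names and the UBA_PROPS override are assumptions of this example; the path, property key, port and job name are the ones in the documented command.

```bash
#!/usr/bin/env bash
# Added example, not Splunk's own code. Path, property key, port and job name
# come from the documented curl command; function names are hypothetical.

UBA_PROPS="${UBA_PROPS:-/opt/caspida/conf/uba-default.properties}"
UBA_TRIGGER_URL="https://localhost:9002/jobs/trigger?name=ReplicationCoordinator"

# Print the job manager REST token found in properties file $1.
# Everything after the first '=' is kept, so a value containing '=' is not
# cut short the way `cut -d'=' -f2` would cut it. First match wins.
read_uba_token() {
  sed -n 's/^[[:space:]]*jobmanager\.restServer\.auth\.user\.token=//p' "$1" \
    | tr -d '\r' | head -n 1
}

# Emit a curl config file (for `curl --config -`) for token $1.
# Refuses an empty token and characters that would break the quoted value.
build_curl_config() {
  case "$1" in
    ''|*'"'*|*'\'*)
      echo "token missing or malformed; not sending request" >&2
      return 1 ;;
  esac
  printf 'request = "POST"\n'
  printf 'insecure\n'   # same as -k in the documented command
  printf 'header = "Authorization: Bearer %s"\n' "$1"
  printf 'url = "%s"\n' "$UBA_TRIGGER_URL"
}

# Read the token, then hand curl its options over stdin so the token never
# appears in the process list.
trigger_full_sync() {
  token="$(read_uba_token "$UBA_PROPS")" || return 1
  config="$(build_curl_config "$token")" || return 1
  printf '%s\n' "$config" | curl --silent --show-error --fail --config -
}

# Contact the job manager only when called with --run.
if [ "${1:-}" = "--run" ]; then
  trigger_full_sync
fi
```

Run the script with `--run` on the management node in the primary system; without that argument it only defines the functions.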
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1