Known issues in Splunk UBA

This version of Splunk UBA has the following known issues and workarounds.

Date filed	Issue number	Description
2022-04-14	UBA-15608, UBA-14502	Exporting >4.3K Anomalies table results - crashes UBA UI (Permanent fix for UBA-14502)
2022-04-14	UBA-15607, UBA-14237	Unable to create Anomaly Table filter or AAR specifying filter for Specific Devices when specifying over 20 CIDR/s (Permanent fix for UBA-14237)
2022-02-14	UBA-15364	Spark HistoryServer running out of memory for large deployments with error: "java.lang.OutOfMemoryError: GC overhead limit exceeded" Workaround: Open the following file to edit on the Spark History Server: `/var/vcap/packages/spark/conf/spark-env.sh` You can check deployments.conf field spark.history to find out which node runs the Spark History Server. Update the following setting to 3G: `SPARK_DAEMON_MEMORY=3G` Afterwards, restart the spark services: /opt/caspida/bin/Caspida stop-spark && /opt/caspida/bin/Caspida start-spark
2022-01-31	UBA-15328	Running replication setup on 20 node clusters fails with "psql: could not connect to server: Connection refused" Workaround: Contact Support for the revised replication setup scripts.
2022-01-25	UBA-15321	Upgrade script for ubuntu systems need revised commands to install external packages correctly Workaround: If the upgrade to UBA 5.0.5 failed in a lockdown environment with no internet connection, perform the following steps on the failed UBA node: Edit the file: `/home/caspida/patch_uba_505/bin/utils/patch_uba.sh` Replace the line `ssh ${host} "${SUDOCMD} apt-get -y -f install ${ExtPkgsDir}/openjdk.deb && exit"` with `ssh ${host} "${SUDOCMD} dpkg --force-confold --force-all --refuse-downgrade -i ${ExtPkgsDir}/openjdk.deb && exit"` Replace the line `${SUDOCMD} apt-get -y -f install ${ExtPkgsDir}/ca-certificates.deb` with `${SUDOCMD} dpkg --force-confnew --refuse-downgrade -i ${ExtPkgsDir}/ca-certificates.deb` Save the file. Run the upgrade script again.
2022-01-21	UBA-15311	Upgrade Standby cluster fails "ERROR: cannot execute UPDATE in a read-only transaction." Workaround: If the upgrade fails with the following error: "ERROR: cannot execute UPDATE in a read-only transaction." Perform the following steps on the standby system: Run the following command to move database to read-write: psql -d caspidadb -c 'BEGIN; SET transaction read write; ALTER DATABASE caspidadb SET default_transaction_read_only = off; COMMIT' psql -d caspidadb -c 'DROP PUBLICATION IF EXISTS publication_caspida' psql -d caspidadb -c 'DROP SUBSCRIPTION IF EXISTS subscription_caspida' Run the `/opt/caspida/bin/CaspidaCleanup` command again. Run the following command to check the database version: psql -d caspidadb -c 'select * from dbifo' Set the version if it is not set correctly. Run the upgrade script again.
2022-01-17	UBA-15302	"Error from /uba/watchlistChanged" even when an entity is added successfully to the WatchList
2021-12-13	UBA-15192, UBA-15120	Customizations to Splunk_TA_nix/local/inputs.conf breaks patch_uba.sh Workaround: Any customizations to the Splunk_TA_nix/local/inputs.conf will need to be backed up temporarily prior to the upgrade, and then re-added after upgrade completes.
2021-11-18	UBA-15139	Postgresql-client-10 missing libpq5 (>=10.17) Workaround: Libpq5 is not required for the operation for UBA and no later version is available for Ubuntu 16. It can be suppressed by performing the following: Open and edit the file /var/lib/dpkg/status Scroll to the entry for postgresql-client-10 and look for the dependency list entry: Depends: libpq5 (>= 10.17), postgresql-client-common (>= 182~), sensible-utils, libc6 (>= 2.15), libedit2 (>= 2.11-20080614), zlib1g (>= 1:1.1.4) Remove the entry libpq5 (>= 10.17) Save and close the file
2021-10-14	UBA-14954, UBA-15198	Postgresql 10.17 missing libjson-perl Workaround: Prior to running the patch_uba.sh script. Customer environment on all nodes should have libjson-perl installed. Perform the following steps: Log in to the management node as the caspida user in your Splunk UBA deployment. Run the following commands: sudo dpkg --force-confold --force-all -i /home/caspida/uba-ext-pkgs-5.0.5/postgresql*.deb sudo service postgresql stop sudo service postgresql start /opt/caspida/bin/Caspida stop-all /opt/caspida/bin/Caspida start-all
2021-10-11	UBA-14927, UBA-15186	UBA 5.0.5 upgrade script fails to upgrade forwarder to 8.2.1 Workaround: Run the following command if you have Splunk forwarding disabled on a single node: /opt/splunk/bin/splunk version --accept-license --answer-yes --no-prompt --seed-passwd caspida123 You must use the caspida123 password if you want to set up Splunk forwarding at a later time. If you have Splunk forwarding enabled in a multi-node environment, perform the following tasks: Make sure that the ext-uba-pkg package from the management node is copied to /home/caspida in each node in your deployment and is untarred Log in to the management node as the caspida user. Run the following command once for each node in your deployment. Replace `$node` with the actual name of each node. ssh $node "tar -C /opt -xzf /home/caspida/uba-ext-pkgs-5.0.5/splunk-8.2.1-x86_64.tgz && /opt/splunk/bin/splunk version --accept-license --answer-yes --no-prompt --seed-passwd caspida123"
2021-09-29	UBA-14894	UBA EPS drops after Splunk 8.2.1/8.2.2 upgrade on search heads used by data sources
2021-09-28	UBA-14890	ClassCastException errors in the LateralMovementDetection Model
2021-08-30	UBA-14755	Replication.err logging multiple errors - Cannot delete snapshot s_new from path /user: the snapshot does not exist.
2020-06-29	UBA-14199, UBA-12111	Impala jdbc connections leak Workaround: Create a file containing the following script on node 1 in your Splunk UBA deployment (node 2 on a 20-node Splunk UBA deployment). For example, copy and paste the script to a new file in /etc/caspida/local/conf/impala_status_check.sh: #!/bin/bash log_file=$1 if test -f "$log_file"; then tail -n 100 $log_file > /tmp/tmp_log_file.log mv /tmp/tmp_log_file.log $log_file fi connection_count=$(netstat -an \| grep :21050 \| grep ESTABLISHED \| wc -l) now=$(date) if [ "$connection_count" -gt 500 ]; then echo "[$now] $connection_count impala connection(s), restarting impala" sudo service impala-server restart if [ $? -eq 0 ]; then echo "restart succeeded" else echo "restart failed. return code: $?" fi else echo "[$now] $connection_count impala connection(s), status is good" fi Make the script executable: chmod +x /etc/caspida/local/conf/impala_status_check.sh Add the following line to cron using `crontab -e`: 0 8 * * * /etc/caspida/local/conf/impala_status_check.sh >> /var/log/impala/impala_status.log 2>&1
2020-04-07	UBA-13804	Kubernetes certificates expire after one year Workaround: Run the following commands on the Splunk UBA master node: /opt/caspida/bin/Caspida remove-containerization /opt/caspida/bin/Caspida setup-containerization /opt/caspida/bin/Caspida stop-all /opt/caspida/bin/Caspida start-all
2019-08-29	UBA-13020	Anomalies migrated from test-mode to active-mode won't be pushed to ES
2019-08-06	UBA-12910	Splunk Direct - Cloud Storage does not expose src_ip field Workaround: When ingesting Office 365 Sharepoint/OneDrive logs through Splunk Direct - Cloud Storage, add an additional field mapping for `src_ip` in the final SPL to be mapped from ClientIP (`\| eval src_ip=ClientIP`). Make sure to add `src_ip` in the final list of fields selected using the fields command. For example: \| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip

Release Notes

Related Answers

Known issues in Splunk UBA

Comments