Send Splunk UBA logs to a custom index on the Splunk platform
You can specify a custom index to use instead of potentially overloading the default
_internal index. Once the Splunk UBA logs are ingested by the Splunk platform, they can be used by the Splunk UBA Monitoring App.
Send Splunk UBA logs to a custom index for new Splunk UBA installations
Perform the following tasks to send Splunk UBA logs to a custom index on the Splunk platform:
- Begin by Contacting Splunk Support to request the Splunk license for ingesting Splunk UBA logs. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Configure Splunk User Behavior Analytics.
- Perform the following tasks on the Splunk UBA master node:
- Add the
splunk.forwarder.server.index.nameproperty to the
/etc/caspida/local/conf/uba-site.propertiesfile and set it to the name of The Splunk UBA index. For example:
splunk.forwarder.server.index.name=ubaindexIf you specify an index name that does not already exist, create a new event index. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Synchronize the cluster in distributed deployments. Run the following command:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Run the following command to switch the index for all forwarders from the default
_internalindex to the new index, such as
ubaindexin our example:
- Add the
- On the Splunk search head with the Splunk UBA Monitoring App installed, modify the search macro
uba_indexto point to the new index.
- From Splunk web, select Settings > Advanced search.
- Click Add new in the Search Macros field.
- Select Splunk_UBA_Monitor as the Destination App.
uba_indexas the Name of the macro.
- Specify the name of the new index in the Definition field. For example:
If you want to keep the data in the existing
_internalindex along with the new index, use the following syntax:
(index IN (_internal, ubaindex))
- Click Save.
Perform additional setup on the Splunk platform when upgrading the Splunk UBA Monitoring App
If you are upgrading the Splunk UBA Monitoring App on the Splunk platform to the latest version, you will see a window indicating additional setup is required to complete the upgrade. Perform the following tasks:
- Click Set up now to set up the new version of the Splunk UBA Monitoring App.
- Update the macro for the Splunk UBA index. The default is
(index=_internal). To add a custom index called
ubaindex, change the macro to the following:
(index=_internal OR index=ubaindex)Keep
_internalso that all existing data prior to the upgrade is preserved for continuity.
- Click Save.
Enable Splunk UBA to forward data to the Splunk platform
Send all logs to the Splunk platform
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.1, 1.1.2, 1.1.3
Feedback submitted, thanks!