Send all logs to the Splunk platform
Splunk UBA sends ERROR and WARN level events to the Splunk platform. You can include INFO level events if your environment is able to handle the additional load on the indexers.
Before including INFO level events, carefully consider the following:
- The Splunk UBA Monitoring App searches events in the
_internal
index. The inclusion of INFO level events can significantly affect search performance when using the app. - The high number of events may flood the
_internal
index, causing other events within the same index to be evicted depending on the retention policy.
In Splunk UBA version 5.0 and higher, you can obtain a new Splunk license for ingesting logs from Splunk UBA so that the _internal
index is not overloaded. See Obtain a Splunk license for ingesting Splunk UBA logs in the Install and Upgrade Splunk User Behavior Analytics manual.
Perform the following steps in Splunk UBA to send all logs including INFO level events to the Splunk platform:
- On the Splunk UBA master node, open the
/opt/splunk/etc/apps/Splunk_UBA_Monitor/local/transforms.conf
file. - You must create this file if it does not already exist. Then open the file.
- Add the following to that .conf file:
[uba_setparsing] REGEX = ^[^,\n]*(?:,|.)\d\d\d(?: |;)
- In distributed Splunk UBA environments, run the following command to synchronize all nodes in the Splunk UBA cluster:
/opt/caspida/bin/Caspida sync-cluster /opt/splunk/etc/apps/Splunk_UBA_Monitor/default
- On the Splunk UBA master node, run the following commands to restart Splunk on all nodes:
/opt/caspida/bin/Caspida stop-splunk /opt/caspida/bin/Caspida start-splunk
Send Splunk UBA logs to a custom index on the Splunk platform | Examine Splunk UBA system health with the Splunk UBA Monitoring App |
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.3
Feedback submitted, thanks!