Send all logs to the Splunk platform
Splunk UBA sends ERROR and WARN level events to the Splunk platform. You can include INFO level events if your environment is able to handle the additional load on the indexers.
Before including INFO level events, carefully consider the following:
- The Splunk UBA Monitoring App searches events in the
_internalindex. The inclusion of INFO level events can significantly affect search performance when using the app.
- The high number of events may flood the
_internalindex, causing other events within the same index to be evicted depending on the retention policy.
In Splunk UBA version 5.0 and higher, you can obtain a new Splunk license for ingesting logs from Splunk UBA so that the
_internal index is not overloaded. See Obtain a Splunk license for ingesting Splunk UBA logs in the Install and Upgrade Splunk User Behavior Analytics manual.
Perform the following steps in Splunk UBA to send all logs including INFO level events to the Splunk platform:
- On the Splunk UBA master node, open the
- In the following statement:
REGEX = ^[^,\n]*(,|.)\d\d\d( |;)(WARN|ERROR|- error)
remove the filters for the WARN and ERROR events, so that all events are included as follows:
REGEX = ^[^,\n]*(,|.)\d\d\d( |;)
- In distributed Splunk UBA environments, run the following command to synchronize all nodes in the Splunk UBA cluster:
/opt/caspida/bin/Caspida sync-cluster /opt/splunk/etc/apps/Splunk_UBA_Monitor/default
- On the Splunk UBA master node, run the following commands to restart Splunk on all nodes:
/opt/caspida/bin/Caspida stop-splunk /opt/caspida/bin/Caspida start-splunk
Send Splunk UBA logs to a custom index on the Splunk platform
Examine Splunk UBA system health with the Splunk UBA Monitoring App
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.1, 1.1.2, 1.1.3