Send Splunk UBA logs to a custom index on the Splunk platform
You can specify a custom index to use instead of potentially overloading the default _internal index. Once the Splunk UBA logs are ingested by the Splunk platform, they can be used by the Splunk UBA Monitoring App.
Send Splunk UBA logs to a custom index for new Splunk UBA installations
Perform the following tasks to send Splunk UBA logs to a custom index on the Splunk platform:
- Begin by contacting Splunk Support to request the Splunk license for ingesting Splunk UBA logs. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Configure Splunk User Behavior Analytics.
- Perform the following tasks on the Splunk UBA master node:
  - Add the splunk.forwarder.server.index.name property to the /etc/caspida/local/conf/uba-site.properties file and set it to the name of the Splunk UBA index. For example:
    splunk.forwarder.server.index.name=ubaindex
    If you specify an index name that does not already exist, create a new event index. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  - Synchronize the cluster in distributed deployments. Run the following command:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  - Run the following command to switch the index for all forwarders from the default _internal index to the new index, such as ubaindex in our example:
    /opt/caspida/bin/Caspida switch-splunk-index
- On the Splunk search head with the Splunk UBA Monitoring App installed, modify the search macro uba_index to point to the new index:
  - From Splunk Web, select Settings > Advanced search.
  - Click Add new in the Search Macros field.
  - Select Splunk_UBA_Monitor as the Destination App.
  - Specify uba_index as the Name of the macro.
  - Specify the name of the new index in the Definition field. For example:
    (index=ubaindex)
    If you want to keep the data in the existing _internal index along with the new index, use the following syntax:
    (index IN (_internal, ubaindex))
  - Click Save.
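The uba-site.properties edit in the first step, as an added shell helper that is not part of the Splunk UBA documentation or product: it validates the index name and writes the splunk.forwarder.server.index.name property exactly once, so re-running it on the master node never leaves duplicate keys. The function names, the backup-file convention and the index-name rule (lowercase letters, digits, underscore and hyphen, not starting with an underscore or hyphen) are assumptions; the file path and property name come from the page.

```shell
#!/bin/sh
# Hypothetical helper (not Splunk's code): manage the
# splunk.forwarder.server.index.name property in uba-site.properties.

# Validate an index name. Assumed rule: lowercase letters, digits,
# underscore and hyphen only, and no leading underscore or hyphen, so a
# typo cannot silently target an internal index such as _internal.
valid_index_name() {
    case "$1" in
        ''|_*|-*)        return 1 ;;
        *[!a-z0-9_-]*)   return 1 ;;
        *)               return 0 ;;
    esac
}

# Usage: set_uba_index <properties-file> <index-name>
# Replaces an existing splunk.forwarder.server.index.name line, or appends
# one if the property is absent, keeping a .bak copy of the previous file.
set_uba_index() {
    file="$1"; name="$2"
    valid_index_name "$name" || { echo "invalid index name: $name" >&2; return 1; }
    [ -f "$file" ] || touch "$file"
    cp "$file" "$file.bak"
    if grep -q '^splunk\.forwarder\.server\.index\.name=' "$file"; then
        # Rewrite via a temp file so this works with any POSIX sed.
        sed "s/^splunk\.forwarder\.server\.index\.name=.*/splunk.forwarder.server.index.name=$name/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "splunk.forwarder.server.index.name=$name" >> "$file"
    fi
}

# Print the configured index name (empty if the property is not set), so the
# operator can confirm it before running sync-cluster and switch-splunk-index.
get_uba_index() {
    sed -n 's/^splunk\.forwarder\.server\.index\.name=//p' "$1" | tail -n 1
}
```

On a real node you would call set_uba_index /etc/caspida/local/conf/uba-site.properties ubaindex and then run the sync-cluster and switch-splunk-index commands from the procedure above.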
Perform additional setup on the Splunk platform when upgrading the Splunk UBA Monitoring App
If you are upgrading the Splunk UBA Monitoring App on the Splunk platform to the latest version, you will see a window indicating additional setup is required to complete the upgrade. Perform the following tasks:
- Click Set up now to set up the new version of the Splunk UBA Monitoring App.
- Update the macro for the Splunk UBA index. The default is (index=_internal). To add a custom index called ubaindex, change the macro to the following:
  (index=_internal OR index=ubaindex)
  Keep _internal so that all existing data prior to the upgrade is preserved for continuity.
- Click Save.
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.1, 1.1.2, 1.1.3, 1.1.4