Enable Splunk UBA to forward data to the Splunk platform
After installing the Splunk UBA Monitoring App on the search head, configure Splunk UBA to forward data to the Splunk platform. By default, data is forwarded to the _internal index on the Splunk platform, but you can also create your own index. See Send Splunk UBA logs to a custom index on the Splunk platform.
- If you are sending Splunk UBA logs to Splunk Cloud Platform, see Set up Splunk UBA to forward data to Splunk Cloud Platform.
- If you are sending Splunk UBA logs to Splunk Enterprise, see Set up Splunk UBA to forward data to Splunk Enterprise.
Before you continue, make sure Splunk UBA is fully and properly installed or upgraded.
- For installation instructions, see Install Splunk User Behavior Analytics in the Install and Upgrade Splunk User Behavior Analytics manual.
- For upgrade instructions, see Upgrade Splunk UBA prerequisites and overview in the Install and Upgrade Splunk User Behavior Analytics manual.
Set up Splunk UBA to forward data to Splunk Cloud Platform
To enable Splunk UBA to send data to Splunk Cloud Platform, begin by downloading the universal forwarder credentials file. This file contains a custom certificate for your Splunk Cloud Platform deployment.
- Download the forwarder credentials:
  - In your Splunk Cloud Platform deployment, navigate to the Splunk Cloud Platform home page.
  - Click Universal Forwarder.
  - On the Splunk Cloud Platform home page, click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
  - When prompted, click Save File.
  - Click OK. The splunkclouduf.spl file downloads to the Downloads directory. If you download to a different location, make note of that location.
- Install the forwarder credentials on the forwarder in your Splunk UBA instance. In distributed Splunk UBA deployments, there is a forwarder on each Splunk UBA node.
  - Log in to the Splunk UBA management node as the caspida user.
  - Move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/apps/ directory.
  - Open a shell or command prompt.
  - Unpack the credentials package with the following command:
    tar xvf splunkclouduf.spl
  - In distributed deployments, run the following command to synchronize the cluster and push the unpacked credentials to all Splunk UBA nodes. Replace <unpacked_credentials_package_name> with the actual folder name in your environment.
    /opt/caspida/bin/Caspida sync-cluster $SPLUNK_HOME/etc/apps/<unpacked_credentials_package_name>
- (Optional) If you do not have an existing $SPLUNK_HOME/etc/system/local/outputs.conf file, perform the following tasks, then skip to Step 5. If the $SPLUNK_HOME/etc/system/local/outputs.conf file already exists in your system, go to Step 4.
  - On the Splunk UBA master node, open the $SPLUNK_HOME/etc/apps/<unpacked_credentials_package_name>/default/outputs.conf file, and copy the value of the defaultGroup property in the [tcpout] stanza.
  - On each Splunk UBA node, append this value to the existing defaultGroup property in the $SPLUNK_HOME/etc/system/local/outputs.conf file. Use a comma to separate multiple values.
  - Restart Splunk on the Splunk UBA management node:
    /opt/caspida/bin/Caspida stop-splunk
    /opt/caspida/bin/Caspida start-splunk
- (Optional) If you have an existing $SPLUNK_HOME/etc/system/local/outputs.conf file, perform the following steps to enable Splunk UBA on all instances and bypass the license acceptance:
  - Add the following property and value to the /etc/caspida/local/conf/uba-site.properties file:
    splunk.forwarder.enabled=true
  - In distributed deployments, synchronize the cluster to push configuration changes to all nodes:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  - Run the following commands to restart Caspida:
    /opt/caspida/bin/Caspida stop
    /opt/caspida/bin/Caspida start
- Verify that the logs are forwarded to the Splunk Cloud Platform instance. Run a search on the Splunk Cloud Platform instance to see whether logs are arriving from the Splunk UBA host. For example, to check for logs from the Splunk UBA host named ubahost in the default _internal index:
index="_internal" host="ubahost"
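Step 3 asks you to copy the defaultGroup value from the credentials package and append it, comma-separated, to the defaultGroup of each node's existing outputs.conf. The following shell script is an added example (not Splunk's own tooling) that performs that merge, leaves the other stanzas untouched, creates the line or stanza if absent, and is safe to re-run on every node; file paths are assumptions and are passed in as arguments.

```shell
#!/bin/sh
# Added example, not Splunk tooling: merge the defaultGroup from the unpacked
# Splunk Cloud credentials package into a node's existing outputs.conf
# (step 3 of the Splunk Cloud procedure). Comma-separates values and is safe
# to re-run, so it can be executed on every node of a distributed deployment.

# Print the defaultGroup value from the [tcpout] stanza of the given file.
get_default_group() {
    awk '
        /^\[/ { in_tcpout = ($0 == "[tcpout]") }
        in_tcpout && /^[ \t]*defaultGroup[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Usage: merge_default_group <package>/default/outputs.conf <local>/outputs.conf
merge_default_group() {
    cloud_group=$(get_default_group "$1")
    [ -n "$cloud_group" ] || { echo "no defaultGroup in $1" >&2; return 1; }
    local_group=$(get_default_group "$2")
    case ",$local_group," in
        *",$cloud_group,"*) return 0 ;;          # already listed: nothing to do
    esac
    if [ -z "$local_group" ]; then merged="$cloud_group"
    else merged="$local_group,$cloud_group"; fi
    # Rewrite only the defaultGroup line of [tcpout]; create the stanza or the
    # line if missing; leave every other stanza (e.g. [tcpout:...]) untouched.
    awk -v merged="$merged" -v have="$local_group" '
        /^\[/ { in_tcpout = ($0 == "[tcpout]"); if (in_tcpout) seen = 1 }
        in_tcpout && have == "" && $0 == "[tcpout]" {
            print; print "defaultGroup = " merged; next
        }
        in_tcpout && /^[ \t]*defaultGroup[ \t]*=/ { print "defaultGroup = " merged; next }
        { print }
        END { if (!seen) { print "[tcpout]"; print "defaultGroup = " merged } }
    ' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}
```

Run it as the caspida user, for example `merge_default_group $SPLUNK_HOME/etc/apps/<unpacked_credentials_package_name>/default/outputs.conf $SPLUNK_HOME/etc/system/local/outputs.conf`, then restart Splunk as in the step above.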
Set up Splunk UBA to forward data to Splunk Enterprise
Perform the following steps to enable Splunk UBA to forward data to Splunk Enterprise. All steps are performed on the Splunk UBA management node only. You don't need to set up a forwarder separately in this procedure because the setup-splunk-forwarder command does that for you.
- If Splunk UBA is running, use the following command to stop Splunk UBA:
/opt/caspida/bin/Caspida stop
- Add the following properties to /etc/caspida/local/conf/uba-site.properties:
  splunk.forwarder.enabled=true
  splunk.forwarder.server.indexers=<splunk-host-to-forward-to>
If the port number is not the default port of 9997, specify the port number with the name of the host as follows:
splunk.forwarder.server.indexers=host1:9998
Use commas to separate multiple hosts. For example, to configure the forwarder to load balance across a three-node Splunk indexer cluster, specify the following:
splunk.forwarder.server.indexers=host1:9998,host2:9998,host3:9998
- In distributed deployments, synchronize the cluster to push configuration changes to all nodes:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Start Splunk UBA.
/opt/caspida/bin/Caspida start
- Start the Splunk forwarder.
/opt/caspida/bin/Caspida setup-splunk-forwarder
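Before running setup-splunk-forwarder it is worth confirming that every indexer named in splunk.forwarder.server.indexers is actually listening on its receiving port. The following is an added example (not part of Splunk UBA) that expands the comma-separated host[:port] list from uba-site.properties, applying the 9997 default described above, and probes each target with nc; the property file path is passed as an argument.

```shell
#!/bin/sh
# Added example, not part of Splunk UBA: expand splunk.forwarder.server.indexers
# from uba-site.properties into host:port pairs (port defaults to 9997, as the
# procedure above states) and probe each receiving port before running
# setup-splunk-forwarder. Assumes the property is on a single line.

# Print one indexer per line as host:port, defaulting the port to 9997.
list_indexers() {
    sed -n 's/^[[:space:]]*splunk\.forwarder\.server\.indexers[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk 'NF { print (index($0, ":") ? $0 : $0 ":9997") }'
}

# Try a TCP connect to every indexer (uses nc); non-zero if any is unreachable.
check_indexers() {
    rc=0
    for target in $(list_indexers "$1"); do
        host=${target%%:*}
        port=${target##*:}
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then
            echo "reachable   $target"
        else
            echo "UNREACHABLE $target" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run `check_indexers /etc/caspida/local/conf/uba-site.properties` on the management node; an unreachable target usually means the indexer's receiving port has not been enabled or a firewall blocks it.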
Use SSL to forward data from Splunk UBA to Splunk Enterprise
The setup-splunk-forwarder command sets up the /opt/splunk/etc/system/local/outputs.conf file to send data to the indexer. If you want to use SSL to send data from Splunk UBA to Splunk Enterprise, you must manually edit this file to add SSL and the default certificate.
- Make sure you are logged in to the Splunk UBA management node as the caspida user.
- Edit the /opt/splunk/etc/system/local/outputs.conf file and add the following properties to the [tcpout] stanza. In this example, the default certificate is /opt/splunk/etc/auth/server.pem. If you are using a custom certificate, replace this value with the location and file name of your own certificate. Note that with sslVerifyServerCert = false the connection is encrypted but the forwarder does not validate the indexer's certificate.
  clientCert = $SPLUNK_HOME/etc/auth/server.pem
  sslPassword = <encrypted_password>
  sslVerifyServerCert = false
- Restart Splunk:
  /opt/caspida/bin/Caspida stop-splunk
  /opt/caspida/bin/Caspida start-splunk
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.1, 1.1.2, 1.1.3, 1.1.4