Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

Download manual as PDF

5.0.3 (latest release)
  1. Documentation
  2. Splunk® User Behavior Analytics
  3. Install and Upgrade Splunk User Behavior Analytics
  4. System requirements for Splunk UBA

Install and Upgrade Splunk User Behavior Analytics

Introduction

  • About Splunk User Behavior Analytics and release types
  • How to install or upgrade to this release of Splunk UBA
  • Splunk UBA installation checklist
  • Plan and scale your Splunk UBA deployment
  • System requirements for Splunk UBA
  • Check system status before and after installation

Install Splunk UBA

Upgrade Splunk UBA

Configure Splunk UBA

Troubleshoot Splunk UBA

Download topic as PDF 15 minutes to read

System requirements for Splunk UBA

Install Splunk UBA with assistance from Splunk Professional Services.

Hardware requirements

You can install Splunk UBA on a physical server, a virtual machine, or in the cloud.

Install Splunk UBA on its own hardware stack. Do not install Splunk UBA on the same machines as Splunk Enterprise.

Verify the following hardware requirements before installing Splunk UBA:

  • Disk space and memory requirements for installing Splunk UBA.
  • Disk space requirements for Splunk UBA warm standby.
  • Supported AWS server instance types.
  • Disk subsystem IOPS requirements.
  • Network interface requirements.
  • Requirements.

Disk space and memory requirements for installing Splunk UBA

The machine on which you install Splunk UBA must meet the following requirements:

  • 16 CPU cores
  • 64GB RAM
  • Disk 1 - 50GB disk space for the Splunk UBA installation
  • Disk 2 - 1TB additional disk space for metadata storage
  • Disk 3 - 1TB additional disk space for each node running Spark services. The following table summarizes the disk requirements per deployment. You can also view the /opt/caspida/conf/deployment/caspida-deployment.conf file to see where services are running in your Splunk UBA deployment.
    Splunk UBA Deployment Nodes Requiring 50GB Disk Space for SplunkUBA Nodes Requiring a 1TB Disk such as /var/vcap for Metadata Storage Nodes Requiring a 1TB Disk such as /var/vcap2 for Spark Services
    1 Node Node 1 Node 1 Node 1
    3 Nodes All Nodes All Nodes Nodes 1, 3
    5 Nodes All Nodes All Nodes Nodes 1, 4, 5
    7 Nodes All Nodes All Nodes Node 7
    10 Nodes All Nodes All Nodes Nodes 9, 10
    20 Nodes All Nodes All Nodes Nodes 17, 18, 19, 20
  • Add an additional disk to the Splunk UBA management node mounted as /var/vcap/ubabackup for Splunk UBA backups. The size of the additional disk must follow these guidelines:
    • The disk size must be at least half the size of your deployment in terabytes. For example, a 10-node system requires a 5TB disk.
    • If you are creating archives, allow for an additional 50 percent of the backup disk size. For example, a 10-node system requires a 5TB disk for backups, and an additional 2.5TB if for archives, so you would need a 7.5TB disk for archived backups.

    The table summarizes the minimum disk size requirements for Splunk UBA backups per deployment:

    Number of Splunk UBA Nodes Minimum Disk Size for Backup (without archives) Minimum Disk Size for Backup (with archives)
    1 Node 1TB 1.5TB
    3 Nodes 1TB 1.5TB
    5 Nodes 2TB 3TB
    7 Nodes 4TB 6TB
    10 Nodes 5TB 7.5TB
    20 Nodes 10TB 15TB
    If you have previous backups on the same disk, be sure to also take this into account when determining available disk space. See Prepare to backup Splunk UBA in Administer Splunk User Behavior Analytics.

Do not manually mount the disks before installing Splunk UBA. During the installation procedure, the add-disk command will properly mount the disks for you.

Disk space requirements for Splunk UBA warm standby

Configure warm standby in your deployment for high availability and disaster recovery. You can configure warm standby using either or both of the following methods:

  • Allocate additional servers for a warm standby solution, where you can manually failover Splunk UBA to a full backup system. The backup system must have the same number of nodes as the active system. See Configure warm standby in Splunk UBA in Administer Splunk User Behavior Analytics.
  • Allocate additional disk space on the master node of your Splunk UBA deployment for incremental online backups. You can restore Splunk UBA from these incremental backups. See Prepare to backup Splunk UBA for disk space requirements and Backup and restore Splunk UBA using automated incremental backups for instructions in Administer Splunk User Behavior Analytics.

Supported AWS server instance types

If you run Splunk UBA on an AWS instance:

  • AWS measures CPU power on Elastic Compute Cloud (EC2) instances in virtual CPUs (vCPUs), not real CPUs.
  • Each vCPU is a hyper thread of an Intel Xeon core on most AWS instance types. See Amazon EC2 Instance Types on the AWS website.
  • As a hyper thread of a core, a vCPU acts as a core, but the physical core must schedule its workload among other workloads of other vCPUs that the physical core handles.

Installation of Splunk UBA on Amazon Web Services (AWS) servers is supported on the following instance types:

  • m4.4xlarge
  • m5.4xlarge
  • m5a.4xlarge
  • m5.8xlarge

All Splunk UBA nodes in your AWS environment must use io1 volumes for storage.

Disk subsystem IOPS requirements

For all new Splunk UBA deployments, the disk subsystem for each Splunk UBA server must support an average Input/Output Operations per second (IOPS) of 1200 IOPS. Existing deployments on 800 IOPS servers can be upgraded without having to upgrade the disks.

IOPS are a measurement of how much data throughput a hard drive can sustain. Because a hard drive reads and writes at different speeds, there are IOPS numbers for disk reads and writes. The average IOPS is the average between those two figures. See Disk subsystem in the Capacity Planning Manual for Splunk Enterprise for more about IOPS.

Network interface requirements

Splunk UBA requires at least one 1Gb ethernet interface on each node.

It is recommended that each Splunk UBA node is configured with at least one control plane interface and one data place interface. Configure the control plane interfaces on one subnet, and the data plane interfaces on a separate subnet.

It is recommended that all interfaces on the data plane network be connected with at least one 10GbE or better ethernet interface. For larger clusters, use 25GbE, 40GbE or 50GbE network interfaces.

Directories created or modified on the disk

Splunk UBA creates or modifies the following directories on the disk during installation.

Directory Disk Description of Contents Updated During Upgrade? Recommended Space
/home/caspida Disk 1 Contains the Splunk UBA installation and upgrade .tgz files. Yes 20 GB
/opt/caspida Disk 1 Contains the Splunk UBA software. Yes 10 GB
/opt/splunk Disk 1 Contains the Splunk forwarder to send data to the Splunk platform. Yes 10 GB
/etc/caspida/local/conf Disk 1 Contains custom configuration files affecting your local environment. No 1 GB
/var/vcap Disk 2 Contains the following notable sub-directories:
  • /var/vcap/packages - Contains Spark and Spark configuration files.
  • /var/vcap/sys/run - Contains files used by some Splunk UBA processes during initial startup.
  • /var/vcap/sys/log - Contains Splunk UBA log files.
  • /var/vcap/sys/tmp - Contains temporary files for some Splunk UBA processes.
  • /var/vcap/store - Contains the metadata storage for Splunk UBA services such as Kafka, PostgreSQL, Hadoop, Influxdb, and Redis
 Yes 1 TB
/var/vcap2 Disk 3 Contains the runtime data for Spark services. Yes 1 TB

Operating system requirements

You must install Splunk UBA on a server that uses one of the following operating systems:

Operating System Kernel Version Tested
Red Hat Enterprise Linux (RHEL) 7.8 Basic Server Linux-3.10.0-1127.el7.x86_64-x86_64-with-redhat-7.8-Maipo
CentOS 7.8 Linux-3.10.0-1127.el7.x86_64-x86_64-with-centos-7.8.2003-Core
Oracle Enterprise Linux (OEL) 7.7 Linux-4.14.35-1902.300.11.el7uek.x86_64-x86_64-with-oracle-7.7
Red Hat Enterprise Linux (RHEL) 7.7 Basic Server Linux-3.10.0-1062.12.1.el7.x86_64-x86_64-with-redhat-7.7-Maipo
CentOS 7.7 Linux-3.10.0-1062.4.3.el7.x86_64-x86_64-with-centos-7.7.1908-Core
Ubuntu 16.04.3 LTS Linux-4.4.0-176-generic-x86_64-with-Ubuntu-16.04-xenial

Perform bare metal installations on OEL, RHEL, and CentOS systems. Obtain the software from Splunk UBA RHEL 7.x Software for Bare Metal Installation on Splunkbase.

New installations on Ubuntu systems must be performed using an OVA. Obtain the software from Splunk UBA OVA Software on Splunkbase.

Splunk UBA requires that the operating system and underlying component versions match exactly on all nodes in your deployment. Updating the operating system or any components in your deployment can break dependencies that will cause Splunk UBA to stop working and is not recommended. If you must update the operating system before the next release of Splunk UBA, do so in a test environment and verify that everything is working properly before applying the upgrade to your production environment.

Additional RHEL requirements

Make sure your RHEL server has access to the RHEL repositories, and the license includes the following subscription names:

  • Red Hat Enterprise Linux Server
  • Red Hat Enterprise Linux Server - Extended Update Support (EUS)

The RHEL EUS subscription enables you to remain with previous stable releases of RHEL for up to approximately 24 months.

Applying security patches to your operating system

Splunk UBA makes a best-effort attempt to maintain support for the latest operating system and kernel versions with each new platform release to keep up to date with the latest security advisories.

Always apply any security patches or updates that are part of the RHEL EUS subscription, but verify they do not break any dependencies for the packages listed below. Security patches or updates that are part of the RHEL EUS subscription are also valid for CentOS and Oracle Enterprise Linux operating systems.

  • influxdb
  • nodejs
  • nodejs-docs
  • java-1.8.0-openjdk
  • java-1.8.0-openjdk-devel
  • java-1.8.0-openjdk-headless
  • javapackages-tools
  • kubernetes-cni
  • kubelet
  • kubeadm
  • zookeeper
  • redis-server
  • redis-tools

Use the following command to apply all available security patches to your RHEL, CentOS or Oracle Enterprise Linux operating system: 

yum update --security -y

Use the following command to upgrade only those packages with security errata: 

yum update-minimal --security -y


Do not manually update any Splunk UBA OVA or Splunk UBA AMI environments. Splunk UBA includes critical security and system patches for the OVA and AMI images with each platform release.

User access requirements

If you are installing Splunk UBA using an OVA or AMI image, perform all tasks as the caspida user and use sudo for tasks requiring root-level privileges.

If you are installing Splunk UBA on a supported Linux platform, you must be able to do the following:

  • Be able to log in as root, or log in as a different user and use su or sudo to have root privileges. This is required for preparing the servers prior to installing the Splunk UBA software.
  • Create the caspida user with the appropriate privileges. The caspida user is required to install the Splunk UBA software.
  • All user and group authentication must be performed locally on each Splunk UBA host. Authenticating users and groups using a centralized controller or user and group management system is not supported.

Networking requirements

Perform the following tasks or verify specific information to meet the networking requirements for installing Splunk UBA:

  • Assign static IP addresses to Splunk UBA servers
  • Inbound networking port requirements
  • Splunk platform port requirements
  • Modify firewalls and proxies

Assign static IP addresses to Splunk UBA servers

Assign static IP addresses to Splunk UBA servers.

Inbound networking port requirements

Splunk UBA requires certain network ports to be open for other services to interact with Splunk UBA.

Service Port
SSH 22
HTTPS 443
Syslog or Netcat data sources 10000 and above. One port per data source connector.

Splunk UBA requires other network ports to be open to allow specific services to interact within a distributed Splunk UBA deployment.

Service Port
SSH 22
Redis 6379
PostgreSQL 5432
Zookeeper 2181, 2888, 3888
Apache Kafka 9092, 9901, 9093 (for Kafka ingestion), 32768 - 65535 (for JMX)
Job Manager 9002
Time Series Database 8086
Apache Impala 21050
Apache Spark 7077, 8080, 8081
Hadoop Namenode 8020
Hadoop Namenode WebUI 50070
Hadoop Yarn ResourceManager 8090
Hadoop Data Transfer Port 50010
Hadoop Datanodes 50020, 50075
Hadoop Secondary namenode 50090
Hive Metastore 9090, 9095
Kubernetes/etcd 2379, 2380, 5000, 6443, 10250, 10251, 10252, 10255, 30000 - 32767

For more details on services in Splunk UBA, see Monitoring the health of your Splunk UBA deployment in Administer Splunk User Behavior Analytics.

Splunk platform port requirements

The following ports must be open on the Splunk platform to interact with Splunk UBA:

Service Port
HTTPS 443
HTTP 80
To all Splunk UBA nodes, for REST services to work 8089
Port used to send alerts to Splunk ES User-defined (for example, 10008)

Modify firewalls and proxies

Modify firewalls and proxies to support the inbound and outbound port requirements defined in this document. This is required to that requests to internal services do not attempt to travel externally.

If you use an HTTP or HTTPS proxy, exclude localhost and the IP addresses and names of the Splunk UBA servers from the proxy. For example, in a 10-node cluster: 

export http_proxy='http://<proxy-server:port>'
export no_proxy="localhost,127.0.0.1,10.96.0.0/12,10.244.0.0/16,172.17.0.2,node0,10.10.10.1,node1,10.10.10.2,node2,10.10.10.3,node3,10.10.10.4,node4,10.10.10.5,node5,10.10.10.6,node6,10.10.10.7,node7,10.10.10.8,node8,10.10.10.9,node9,10.10.10.10"

The export no_proxy="localhost,127.0.0.1,10.96.0.0/12,10.244.0.0/16,172.17.0.2 portion of the setting is mandatory for all deployment types. If the proxy setting is added after the Splunk UBA cluster is started, stop and restart all Splunk UBA services for the changes to take effect. 

/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all

The export no_proxy property is typically located in the same file as the export http_proxy or export https_proxy properties, such as /etc/environment.

Also verify that the nslookup localhost command returns a 127.x.x.x IP address. For example: 

$ nslookup localhost
Server:		10.160.20.4
Address:	10.160.20.4#53

Name:	localhost.sv.splunk.com
Address: 127.0.0.1

Configure host name lookups and DNS

Configure your environment so that Splunk UBA can resolve host names properly.

  • Configure the name switching service.
  • Configure the DNS resolver.
  • Verify the network interface configuration.
  • Configure local DNS using the /etc/hosts file.
  • Verify your name lookup and DNS settings.

Configure the name switching service

The name switching service in Linux environments determines the order in which services are queried for host name lookups. Use cat /etc/nsswitch.conf to verify that your name switching service is using files before DNS. Check the hosts line in the output:

  • If you see files dns it means that /etc/hosts will be queried before checking DNS.
  • If you see dns files it means that DNS will be queried before the /etc/hosts file.

Also make sure myhostname is the last item on the hosts line so that the system can determine its own host name from the local config files. 

$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns myhostname
...

Configure the DNS resolver

Some Splunk UBA services use DNS during installation and while the product is running. All nodes in your Splunk UBA deployment must point to the same DNS server. Verify this is the case in the /etc/resolv.conf file on each node. Use the following command to check if /etc/resolv.conf exists on your system: 

ls -lH /etc/resolv.conf

If the file does not exist, create the file by performing the following tasks:

  1. Run the following command: 
    sudo systemctl enable resolvconf
  2. Restart the server.
  3. Run the ls -lH /etc/resolv.conf command again to verify that the /etc/resolv.conf exists.

Verify the network interface configuration

Verify that the network interface configuration has a dns-search value configured to match your domain, such as mgmt.corp.local. Check the /etc/resolv.conf file to see if search mgmt.corp.local is present so that any shortname lookups for other local nodes are resolved correctly.

  • On Ubuntu systems, the configuration is located in /etc/network/interfaces as: 
    dns-search mgmt.corp.local
  • On CentOS, RHEL, and Oracle Linux systems, the configuration may be located in /etc/sysconfig/network-scripts/ifcfg-eth0 as: 
    DOMAIN=mgmt.corp.local
    More recent CentOS, RHEL, and Oracle Linux systems may use a different slot-based naming scheme. The exact name may vary depending on your specific environment.

Be consistent with your naming conventions and use either all fully qualified domain names (FQDN) such has host.example.com or all short names such as host. Do not use FQDNs in some places and short names in others.

Configure local DNS using the /etc/hosts file

Verify that the /etc/hosts file identifies each node in your Splunk UBA cluster using the following format: 

<IP address> <FQDN> <short name> <alias>

For example: 

192.168.10.1    spluba01.mgmt.corp.local    spluba01    ubanode01
192.168.10.2    spluba02.mgmt.corp.local    spluba02    ubanode02
192.168.10.3    spluba03.mgmt.corp.local    spluba03    ubanode03
192.168.10.4    spluba04.mgmt.corp.local    spluba04    ubanode04
192.168.10.5    spluba05.mgmt.corp.local    spluba05    ubanode05

In this example, host spluba01 has an IP address of 192.168.10.1 and its FQDN is spluba01.mgmt.corp.local. Anything after the first three field is considered an alias, and is optional. In this example, we use ubanode1 is used to identify node number 1, ubanode2 is used to identify node number 2, and so on.

Formatting your /etc/hosts file this way in conjunction with using files before DNS in /etc/nsswitch.conf means that both short names and FQDNs can be obtained without any DNS lookups.

If you choose to not include the FQDN in the /etc/hosts file, you must add the domain name into the /etc/resolv.conf file in order for DNS to work properly in your environment.

Verifying your name lookup and DNS settings

Test your name lookup and DNS settings to make sure you get the expected output.

  • Use various hostname commands and verify the expected output. For example, from the spluba01.mgmt.corp.local node: 
    $ hostname
spluba01
$ hostname -s
spluba01
$ hostname --fqdn
spluba01.mgmt.corp.local
  • Use the ping <short name> command from each Splunk UBA node to all other Splunk UBA nodes and verify that all nodes can be reached.
  • Use the ping <FQDN> command from each Splunk UBA node to all other Splunk UBA nodes and verify that all nodes can be reached.

Supported web browsers

Open Splunk UBA in the latest versions of any of the following web browsers. Splunk UBA does not support other web browsers, such as Internet Explorer.

  • Mozilla Firefox
  • Google Chrome
  • Apple Safari

Supported single sign-on identity providers

Splunk UBA supports single sign-on integration with the following identity providers:

  • Ping Identity
  • Okta
  • Microsoft ADFS
  • OneLogin

See Configure authentication using single sign-on in Administer Splunk User Behavior Analytics.

Requirements for connecting to and getting data from the Splunk platform

To send data from Splunk platform to Splunk UBA, you must have Splunk platform version 6.3.x or later installed and a properly configured user account.

Requirements for the Splunk Enterprise user account

Verify that you have a Splunk Enterprise user account with:

  • Capabilities to perform real-time search, perform REST API calls, and access to the data. The admin role in Splunk Enterprise has the required capabilities by default. If you use a different role, you need the rt_search, edit_forwarders, list_forwarders, and edit_uba_settings capabilities. Add these capabilities to a role in Splunk Web. See Add and edit roles with Splunk Web in Securing Splunk Enterprise.
  • Configure the search job limits for the Splunk Enterprise user account and role so that they are twice the number of maximum allowed data sources for your deployment.
    Size of cluster Max number of data sources User-level concurrent search job limit User-level concurrent real-time search job limit Role-level concurrent search job limit Role-level concurrent real-time search job limit
    1 node 6 12 12 12 12
    3 nodes 10 20 20 20 20
    5 nodes 12 24 24 24 24
    7 nodes 24 48 48 48 48
    10 nodes 32 64 64 64 64
    20 nodes 64 128 128 128 128
  • Configure the Splunk Enterprise user account to have sufficient disk usage quota (for example, 40GB).

Send data to and receive data from Splunk Enterprise Security

To send and receive data from Splunk Enterprise Security, you must have the Splunk add-on for Splunk UBA installed and enabled on your search head with the ueba index deployed to your indexers. See Deploy the Splunk add-on for Splunk UBA in Splunk Add-on for Splunk UBA for information about version compatibility among products.

Splunk Cloud customers must contact Splunk Support to fully integrate with Splunk UBA. The Splunk Cloud admin role cannot perform Splunk UBA setup.

Send data from Splunk Enterprise directly to Kafka in Splunk UBA

Use the Splunk UBA Kafka Ingestion App to send data from large data sets in Splunk Enterprise directly to Kafka in Splunk UBA. Sending data directly to Kafka offloads the processing task from the search heads to the indexers. See Requirements for Kafka data ingestion in the Splunk UBA Kafka Ingestion App manual.

Monitor Splunk UBA directly from Splunk Enterprise

Use the Splunk UBA Monitoring App to monitor the health of Splunk UBA and investigate Splunk UBA issues directly from Splunk Enterprise. See Splunk UBA Monitoring app requirements in the Splunk UBA Monitoring App manual.

Installing Splunk UBA in environments with no Internet access

Some environments require Splunk UBA to be installed without access to the Internet. In such cases, the functionality of Splunk UBA will be limited in the following areas:

  • Splunk UBA pages that normally show visual geographical location information about a device will show warnings that the Google Maps API cannot be reached. Perform the following tasks to disable Splunk UBA from using geographical location and displaying the warning:
    • In Splunk UBA, select Manage > Settings.
    • Select Geo Location.
    • Deselect the checkbox in the Show Geo Maps field.
    • Click OK.
  • Clicking the Learn more link on any Splunk UBA page will open a new tab with a link to quickdraw.splunk.com. This is the URL used to generate the correct help link to the Splunk UBA documentation.
Last modified on 07 May, 2020
PREVIOUS
Plan and scale your Splunk UBA deployment 		  NEXT
Check system status before and after installation

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3

Comments

Back To Top

System requirements for Splunk UBA

  • Hardware requirements
    • Disk space and memory requirements for installing Splunk UBA
    • Disk space requirements for Splunk UBA warm standby
    • Supported AWS server instance types
    • Disk subsystem IOPS requirements
    • Network interface requirements
    • Directories created or modified on the disk
  • Operating system requirements
  • User access requirements
  • Networking requirements
  • Configure host name lookups and DNS
  • Supported web browsers
  • Supported single sign-on identity providers
  • Requirements for connecting to and getting data from the Splunk platform
  • Installing Splunk UBA in environments with no Internet access
  • Was this topic useful?

Was this documentation topic helpful?

Please specify the reason

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

  • Contact
  • Career
  • Privacy
  • Terms of Use
  • Export Control
© 2005 - 2020 Splunk Inc. All rights reserved. Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk® Light, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more here ›