Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk UBA Installation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I am trying to install the latest version of baremetal uba on rhel 7.8.
I have followed the requirements and steps mentioned in splunk docs.
When I ran the pre check script, i noticed the following:
/var/log symlinks: 13 <= expecting 14; verify missing link
... 'containers' symlink not found
It looks like the containers folder was not created in the /var/log folder
it also showed me this:
/var/log perm/owner: lrwxrwxrwx. 1 root root 23 Feb 3 12:58 /var/log/kafka -> /var/vcap/sys/log/kafka <= issue with one (or more) log sub-directories
The owner for this should be caspida:caspida correct?
Also showed me this:
interface: '<%' <== system.network.interface value in /etc/caspida/local/conf/uba-site.properties does not match 'eth0'
Splunk docs mentioned If the network interface is not the default eth0, edit configuration file /etc/caspida/local/conf/uba-site.properties and add the following entry with the corresponding interface:
system.network.interface=<interface>
My nic is already eth0
Any assistance will be appreciated..
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?
If prior to installation, some errors are expected. See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus
You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA.
I recently completed a UBA clustered setup on RHEL. I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error. That eth0 message went away after installation.
If you haven't installed yet, I think you are likely safe to proceed. Run the script again after installation to verify everything is set up correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you Plz share installation files for UBA?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?
If prior to installation, some errors are expected. See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus
You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA.
I recently completed a UBA clustered setup on RHEL. I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error. That eth0 message went away after installation.
If you haven't installed yet, I think you are likely safe to proceed. Run the script again after installation to verify everything is set up correctly.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
