All Apps and Add-ons

Splunk UBA Installation

archme
Explorer

Hi

I am trying to install the latest version of baremetal uba on rhel 7.8.

I have followed the requirements and steps mentioned in splunk docs.

When I ran the pre check script, i noticed the following:

/var/log symlinks: 13 <= expecting 14; verify missing link

... 'containers' symlink not found

 

It looks like the containers folder was not created in the /var/log folder

it also showed me this:

/var/log perm/owner: lrwxrwxrwx. 1 root root 23 Feb 3 12:58 /var/log/kafka -> /var/vcap/sys/log/kafka <= issue with one (or more) log sub-directories

The owner for this should be caspida:caspida correct?

Also showed me this:

interface: '<%' <== system.network.interface value in /etc/caspida/local/conf/uba-site.properties does not match 'eth0'

 

Splunk docs mentioned If the network interface is not the default eth0, edit configuration file /etc/caspida/local/conf/uba-site.properties and add the following entry with the corresponding interface:

system.network.interface=<interface>

My nic is already eth0

 

Any assistance will be appreciated..

 

Thanks

Labels (2)
0 Karma
1 Solution

ryansaunders
Explorer

Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?

If prior to installation, some errors are expected.  See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA. 

I recently completed a UBA clustered setup on RHEL.  I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error.  That eth0 message went away after installation.

If you haven't installed yet, I think you are likely safe to proceed.  Run the script again after installation to verify everything is set up correctly.

View solution in original post

0 Karma

ryansaunders
Explorer

Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?

If prior to installation, some errors are expected.  See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA. 

I recently completed a UBA clustered setup on RHEL.  I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error.  That eth0 message went away after installation.

If you haven't installed yet, I think you are likely safe to proceed.  Run the script again after installation to verify everything is set up correctly.

View solution in original post

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!