All Apps and Add-ons

Splunk UBA Installation

archme
Explorer

Hi

I am trying to install the latest version of baremetal uba on rhel 7.8.

I have followed the requirements and steps mentioned in splunk docs.

When I ran the pre check script, i noticed the following:

/var/log symlinks: 13 <= expecting 14; verify missing link

... 'containers' symlink not found

 

It looks like the containers folder was not created in the /var/log folder

it also showed me this:

/var/log perm/owner: lrwxrwxrwx. 1 root root 23 Feb 3 12:58 /var/log/kafka -> /var/vcap/sys/log/kafka <= issue with one (or more) log sub-directories

The owner for this should be caspida:caspida correct?

Also showed me this:

interface: '<%' <== system.network.interface value in /etc/caspida/local/conf/uba-site.properties does not match 'eth0'

 

Splunk docs mentioned If the network interface is not the default eth0, edit configuration file /etc/caspida/local/conf/uba-site.properties and add the following entry with the corresponding interface:

system.network.interface=<interface>

My nic is already eth0

 

Any assistance will be appreciated..

 

Thanks

Labels (2)
0 Karma
1 Solution

ryansaunders
Explorer

Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?

If prior to installation, some errors are expected.  See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA. 

I recently completed a UBA clustered setup on RHEL.  I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error.  That eth0 message went away after installation.

If you haven't installed yet, I think you are likely safe to proceed.  Run the script again after installation to verify everything is set up correctly.

View solution in original post

0 Karma

haward_tech
New Member

Can you Plz share installation files for UBA?

0 Karma

ryansaunders
Explorer

Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?

If prior to installation, some errors are expected.  See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA. 

I recently completed a UBA clustered setup on RHEL.  I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error.  That eth0 message went away after installation.

If you haven't installed yet, I think you are likely safe to proceed.  Run the script again after installation to verify everything is set up correctly.

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...