All Apps and Add-ons

Splunk UBA Installation

archme
Explorer

Hi

I am trying to install the latest version of baremetal uba on rhel 7.8.

I have followed the requirements and steps mentioned in splunk docs.

When I ran the pre check script, i noticed the following:

/var/log symlinks: 13 <= expecting 14; verify missing link

... 'containers' symlink not found

 

It looks like the containers folder was not created in the /var/log folder

it also showed me this:

/var/log perm/owner: lrwxrwxrwx. 1 root root 23 Feb 3 12:58 /var/log/kafka -> /var/vcap/sys/log/kafka <= issue with one (or more) log sub-directories

The owner for this should be caspida:caspida correct?

Also showed me this:

interface: '<%' <== system.network.interface value in /etc/caspida/local/conf/uba-site.properties does not match 'eth0'

 

Splunk docs mentioned If the network interface is not the default eth0, edit configuration file /etc/caspida/local/conf/uba-site.properties and add the following entry with the corresponding interface:

system.network.interface=<interface>

My nic is already eth0

 

Any assistance will be appreciated..

 

Thanks

Labels (2)
0 Karma
1 Solution

ryansaunders
Explorer

Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?

If prior to installation, some errors are expected.  See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA. 

I recently completed a UBA clustered setup on RHEL.  I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error.  That eth0 message went away after installation.

If you haven't installed yet, I think you are likely safe to proceed.  Run the script again after installation to verify everything is set up correctly.

View solution in original post

0 Karma

haward_tech
New Member

Can you Plz share installation files for UBA?

0 Karma

ryansaunders
Explorer

Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?

If prior to installation, some errors are expected.  See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus

You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA. 

I recently completed a UBA clustered setup on RHEL.  I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error.  That eth0 message went away after installation.

If you haven't installed yet, I think you are likely safe to proceed.  Run the script again after installation to verify everything is set up correctly.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...