Hi
I am trying to install the latest version of bare-metal UBA on RHEL 7.8.
I have followed the requirements and steps mentioned in the Splunk docs.
When I ran the pre-check script, I noticed the following:
/var/log symlinks: 13 <= expecting 14; verify missing link
... 'containers' symlink not found
It looks like the containers folder was not created in the /var/log folder.
It also showed me this:
/var/log perm/owner: lrwxrwxrwx. 1 root root 23 Feb 3 12:58 /var/log/kafka -> /var/vcap/sys/log/kafka <= issue with one (or more) log sub-directories
The owner for this should be caspida:caspida, correct?
It also showed me this:
interface: '<%' <== system.network.interface value in /etc/caspida/local/conf/uba-site.properties does not match 'eth0'
The Splunk docs mention: if the network interface is not the default eth0, edit the configuration file /etc/caspida/local/conf/uba-site.properties and add the following entry with the corresponding interface:
system.network.interface=<interface>
My NIC is already eth0.
Any assistance will be appreciated.
Thanks
Have you already completed the installation of UBA or are you simply running the pre-check script for the first time prior to installation?
If prior to installation, some errors are expected. See the relevant docs here:
https://docs.splunk.com/Documentation/UBA/5.0.4/Install/CheckSystemStatus
You might see errors related to file-based configurations. Those configurations happen after setup, so you can ignore those errors when running the script before setting up Splunk UBA.
I recently completed a UBA clustered setup on RHEL. I don't recall whether we saw the symlink or /var/log errors, but I do remember seeing the eth0 error. That eth0 message went away after installation.
If you haven't installed yet, I think you are likely safe to proceed. Run the script again after installation to verify everything is set up correctly.
Can you please share the installation files for UBA?
