Splunk Enterprise

UBA Error

zksvc
Communicator

Hi Everyone, 

I encountered an error in UBA, specifically related to the 'caspida-outputconnector'. While the issue can be resolved by restarting UBA, I would like to understand the root cause. I have already reviewed the configuration file at '/etc/caspida/local/conf/uba-site.properties' and confirmed that everything appears to be correct. I have also tested the HEC token, and it is functioning properly. Does anyone have experience or guidance on how to troubleshoot and identify the root cause of this issue?

0 Karma

livehybrid
Super Champion

Hi @zksvc 

Further to my other reply, have you been through this process of configuring a service account between UBA/ES?

https://docs.splunk.com/Documentation/UBA/5.4.2/Integration/SendIRdatatoES

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

livehybrid
Super Champion

Hi @zksvc 

It might be worth reviewing the _internal logs in Splunk to see which page is throwing the Unauthorized - I would have thought it would be HEC but you said you have already checked that? 

It might be worth double checking with a CURL command such as:

curl "https://<splunkServer>:8088/services/collector/health?token=<tokenFrom_uba-site.properties>"

If you run that from your UBA host, it would validate that it can reach HEC with the token. You should get:

{"text":"HEC is healthy","code":17}

Does anything appear in _internal?

index=_internal status=401 OR "Unauthorized"


0 Karma
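
To narrow down which endpoint is returning the Unauthorized response, as the reply above suggests, the 401 entries can be grouped by client, user and URI path. The script below is an added example, not part of the original thread: it assumes the Apache-style layout of splunkd_access.log, and the sample lines, hosts and the `uba_svc` user are constructed.

```shell
#!/bin/sh
# Added example: summarize HTTP 401 responses per client, user and endpoint.
# Assumed line layout (splunkd_access.log style):
#   client - user [timestamp tz] "METHOD /path HTTP/1.1" status bytes ...

# Constructed sample lines (hypothetical hosts and users, not from the thread).
sample_access_log() {
cat <<'EOF'
10.0.0.21 - uba_svc [23/May/2025:08:10:02.101 +0000] "GET /services/server/info HTTP/1.1" 200 2075 "-" "client" - 3ms
10.0.0.21 - - [23/May/2025:08:18:41.220 +0000] "POST /services/search/jobs?output_mode=json HTTP/1.1" 401 148 "-" "client" - 1ms
10.0.0.21 - - [23/May/2025:08:18:49.507 +0000] "POST /services/search/jobs HTTP/1.1" 401 148 "-" "client" - 1ms
10.0.0.35 - - [23/May/2025:08:19:05.004 +0000] "GET /services/authentication/current-context HTTP/1.1" 401 148 "-" "client" - 1ms
10.0.0.21 - uba_svc [23/May/2025:08:25:00.900 +0000] "POST /services/search/jobs HTTP/1.1" 201 90 "-" "client" - 12ms
EOF
}

# Reads access-log lines on stdin and prints, for every 401:
#   count client user path first_seen
# with the most frequent combination first.
summarize_401() {
  awk '
    $9 == 401 {
      path = $7
      sub(/\?.*/, "", path)          # drop the query string so variants group together
      key = $1 " " $3 " " path
      if (!(key in count)) first[key] = substr($4, 2)   # strip the leading "["
      count[key]++
    }
    END { for (k in count) print count[k], k, first[k] }
  ' | sort -k1,1nr -k2
}

# On a Splunk server (path assumes a default install layout):
#   summarize_401 < "$SPLUNK_HOME/var/log/splunk/splunkd_access.log"
sample_access_log | summarize_401
```

The first-seen timestamp of each group shows when the rejections began, which can be compared with the time the caspida-outputconnector error appeared in UBA.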