Hi Everyone,
I encountered an error in UBA, specifically related to the 'caspida-outputconnector'. While the issue can be resolved by restarting UBA, I would like to understand the root cause. I have already reviewed the configuration file at '/etc/caspida/local/conf/uba-site.properties' and confirmed that everything appears to be correct. I have also tested the HEC token, and it is functioning properly. Does anyone have experience or guidance on how to troubleshoot and identify the root cause of this issue?
Hi @zksvc
Further to my other reply, have you been through this process of configuring a service account between UBA/ES?
https://docs.splunk.com/Documentation/UBA/5.4.2/Integration/SendIRdatatoES
🌟 Did this answer help you? If so, please consider:
Your feedback encourages the volunteers in this community to continue contributing
Hi @zksvc
It might be worth reviewing the _internal logs in Splunk to see which page is throwing the Unauthorized - I would have thought it would be HEC but you said you have already checked that?
It might be worth double checking with a CURL command such as:
curl https://<splunkServer>:8088/services/collector/health?token=<tokenFrom_uba-site.properties>
If you run that from your UBA host, it would validate that it can reach HEC with the token. You should get:
{"text":"HEC is healthy","code":17}
Does anything appear in _internal?
index=_internal status=401 OR "Unauthorized"
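As an added example (not from the thread and not Splunk's own tooling), the same two checks in Python: the health endpoint only tells you HEC is up, while posting one test event with the token in the Authorization header is what actually exercises the token UBA is configured with. The host, port 8088 and the 'hec:selftest' sourcetype are assumptions; the reply-code meanings are the ones in Splunk's HEC reply-code table.

```python
import json
import ssl
import urllib.error
import urllib.request

# Selected HEC reply codes (Splunk HEC reply-code table): enough to tell
# "HEC is down / wrong port" from "HEC is up but rejects this token".
HEC_CODES = {
    0: "success: token accepted, event indexed",
    1: "token disabled: enable it under HTTP Event Collector settings",
    2: "token required: Authorization header missing",
    3: "invalid authorization: header malformed (expect 'Splunk <token>')",
    4: "invalid token: value in uba-site.properties matches no HEC token",
    7: "incorrect index: token may not write to the requested index",
    17: "HEC is healthy",
}


def diagnose(http_status, body):
    """Turn an HEC HTTP status plus JSON body into a one-line diagnosis."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return f"HTTP {http_status}: non-JSON reply (wrong port or not HEC?)"
    return f"HTTP {http_status}: {HEC_CODES.get(code, f'unlisted HEC code {code}')}"


def _call(url, token=None, data=None, verify_tls=True):
    """GET (or POST when data is given) and return (status, body), even on 4xx/5xx."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for self-signed lab certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if token:
        req.add_header("Authorization", f"Splunk {token}")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_hec(host, token, verify_tls=True):
    """Run the health probe and a one-event token probe against <host>:8088 (assumed port)."""
    base = f"https://{host}:8088/services/collector"
    health = diagnose(*_call(f"{base}/health", verify_tls=verify_tls))
    event = json.dumps({"event": "uba-hec-token-check", "sourcetype": "hec:selftest"}).encode()
    token_check = diagnose(*_call(f"{base}/event", token, event, verify_tls))
    return {"health": health, "token": token_check}
```

Passing the token in the query string, as the curl above does, only works for tokens that have query-string authorization enabled; the Authorization header form works for any enabled token, so a 403 with code 4 from the event probe points at the token value itself.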