Recover Splunk UBA after an outage

You can recover Splunk UBA after a planned or unplanned outage. Complete the steps described in the following scenarios:

Shut down Splunk UBA for a planned outage

Perform the following steps to shut down Splunk UBA for a planned outage:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. Once step 4 completes successfully, SSH into each UBA node (if running a distributed UBA environment) and run the following command to shut it down.
    sudo shutdown -h now

Restart Splunk UBA after an outage

After a planned or unplanned outage, perform these steps to restart all Splunk UBA services:

  1. From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
  2. Escalate caspida privileges to sudo.
    sudo su - caspida
  3. If running a distributed UBA environment, ensure each UBA node is accessible by SSH before continuing.
  4. Start all services.
    /opt/caspida/bin/Caspida start-all
  5. Log in to the Splunk UBA web interface.
  6. Select Manage > Data Sources.
  7. Start each data source.

Restart Splunk UBA and restart all services

Perform the following tasks to shut down Splunk UBA services, restart the server, and restart all Splunk UBA services:

  1. In the Splunk UBA menu bar, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. Once step 4 completes successfully, SSH into each UBA node (if running a distributed UBA environment).
  6. Restart Splunk UBA by running the following command on each node.
    sudo shutdown -r now
  7. Verify that each Splunk UBA node (if applicable) is back online with either SSH or ping.
    ping <UBA-hostname>
  8. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  9. Escalate caspida privileges to sudo.
    sudo su - caspida
  10. If running a distributed UBA environment, ensure each UBA node is accessible by SSH before continuing.
  11. Start all services.
    /opt/caspida/bin/Caspida start-all
  12. Log in to the Splunk UBA web interface.
  13. Select Manage > Data Sources.
  14. Start each data source.
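The stop-all, node-reachability check and start-all sequence from the restart procedures above, as an added POSIX shell helper that is not part of Splunk UBA or this documentation. It assumes it runs as the caspida user on the management node, that UBA_NODES lists the node hostnames (uba-node1 and uba-node2 are constructed sample names), and that the Caspida path is the one shown above; the probe command is overridable so the logic can be exercised without real hosts.

```shell
#!/bin/sh
# Added helper (not Splunk UBA product code): drives the stop-all / start-all
# sequence and refuses to run start-all until every node in UBA_NODES answers
# a non-interactive SSH probe, as steps 3 and 10 of the procedures require.

CASPIDA="${CASPIDA:-/opt/caspida/bin/Caspida}"   # path from the page
UBA_NODES="${UBA_NODES:-uba-node1 uba-node2}"     # constructed sample names
PROBE="${PROBE:-ssh_probe}"                       # overridable for testing
RETRIES="${RETRIES:-12}"                          # 12 x 10 s = 2 minutes
SLEEP="${SLEEP:-10}"

# Non-interactive SSH check: succeeds only if we can log in and run 'true'.
ssh_probe() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true >/dev/null 2>&1
}

# Returns 0 when every listed node passes the probe, 1 otherwise; reports
# the first unreachable node on stderr.
all_nodes_reachable() {
    for node in "$@"; do
        if ! "$PROBE" "$node"; then
            echo "node $node not reachable" >&2
            return 1
        fi
    done
    return 0
}

# Polls all_nodes_reachable up to RETRIES times (the "back online" check
# after a reboot in step 7).
wait_for_nodes() {
    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        all_nodes_reachable "$@" && return 0
        i=$((i + 1)); sleep "$SLEEP"
    done
    return 1
}

uba_stop_all()  { "$CASPIDA" stop-all; }
uba_start_all() {
    # Never start services while a node is still down (steps 3 and 10).
    all_nodes_reachable $UBA_NODES || return 1
    "$CASPIDA" start-all
}

case "${1:-}" in
    stop)  uba_stop_all ;;
    wait)  wait_for_nodes $UBA_NODES ;;
    start) uba_start_all ;;
esac
```

Run it as `./uba-restart.sh stop`, reboot the nodes, then `./uba-restart.sh wait && ./uba-restart.sh start`; the web-interface steps (starting each data source) remain manual.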

Restart Splunk UBA Services

Perform the following tasks to restart Splunk UBA services:

Note: Restarting the Splunk UBA server does not restart the Splunk UBA services.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. After stop-all has completed, restart all services.
    /opt/caspida/bin/Caspida start-all
  6. Log in to the Splunk UBA web interface.
  7. Select Manage > Data Sources.
  8. Start each data source.