Known issues in Splunk UBA

This version of Splunk UBA has the following known issues and workarounds.

If no issues are listed, none have been reported.

Date filed Issue number Description
2024-06-07 UBA-19004, TEA-983 Offline model Abnormal_VPN_Session_Model took extra long time to run
2024-05-21 UBA-18950 Splunk UBA does not showing destination details in the Excessive data transmission anomaly.
2024-04-30 UBA-18862 Error Encountered When Cloning Splunk Datasource and Selecting Source Types
Workaround:
Re-enter the password on the Connection page for the Splunk endpoint.
2024-04-26 UBA-18851 Benign Error Message on Caspida start - Ncat: Connection Refused
2024-04-03 UBA-18721 UBA identifies end user/service account are accessing hard disk volumes instead of built-in computer account
Workaround:
Disable the augmented_access rule.

Steps to disable rule:

1. remove (or move to some other location outside of UBA as a backup) the file /etc/caspida/conf/rules/user/ad/augmented_access.rule

2. sync-cluster (/opt/caspida/bin/Caspida sync-cluster /etc/caspida/conf/rules/user/ad/)

3. restart uba (/opt/caspida/bin/Caspida stop & /opt/caspida/bin/Caspida start)
2024-03-18 UBA-18668, UBA-18354 Powershell command for "Suspicious Powershell Activity" anomaly is missing in anomaly description
2024-03-04 UBA-18536, UBA-18708 PBGC - Anomaly type "Multiple Authentications" not displaying device information
2023-11-06 UBA-18068 Vulnerability Mitigation for CVE-2023-44487
Workaround:
[NOTE: Run the following workaround as caspida user]

1. Remove go.mod from UBA upgrade and/or install packages.

2. Upgrade node.js to 20.9.0.

a. Stop UBA on management node: 
/opt/caspida/bin/Caspida stop-all

b. Remove pre-existing node.js files on all UBA nodes: 

sudo rm -rvf /usr/local/bin/corepack
sudo rm -rvf /usr/local/bin/node
sudo rm -rvf /usr/local/bin/npm
sudo rm -rvf /usr/local/bin/npx
sudo rm -rvf /usr/local/share/systemtap/tapset/node.stp
sudo rm -rvf /usr/local/share/doc/node
sudo rm -rvf /usr/local/share/man/man1/node.1
sudo rm -rvf /usr/local/lib/node_modules/
sudo rm -rvf /usr/local/include/node/
c. Download the node.js 20.9.0 tarball on all UBA nodes: 
wget https://nodejs.org/dist/v20.9.0/node-v20.9.0-linux-x64.tar.gz
d. Extract the tarball to /usr/local on all UBA nodes: 
sudo tar xvfz node-v20.9.0-linux-x64.tar.gz -C /usr/local --strip-components 1

e. Verify node and npm versions on all UBA nodes: 

node -v
--- 20.9.0
npm -v
--- 10.1.0
f. Start UBA on management node: 
/opt/caspida/bin/Caspida start-all
2023-11-06 UBA-18067 Ubuntu Vulnerability Mitigation for CVE-2022-1292
Workaround:
Run: sudo apt upgrade libssl1.0.2-dbg
2023-10-25 UBA-18034 ubasudoers file fails to allow caspida user access to postgresql service command
Workaround:
Run the following command to update the ubasudoers file: 
sed -i 's/service postgresql \*,/service postgresql\*,/g' /opt/caspida/etc/sudoers.d/ubasudoers
2023-10-25 UBA-18039 Unable to install UBA with 2 networking interfaces
Workaround:
1) If you encounter the following error while executing the Caspida setup, you can follow the steps below:

Error: 

	Tue Oct 17 16:37:04 UTC 2023: adding worker node: <uba-hostname>
	Tue Oct 17 16:37:04 UTC 2023: joining worker: <uba-hostname>, cmd=sudo  kubeadm join <uba-ip>:6443 --token <token> --discovery-token-ca-cert-hash <hash>  --cri-socket=unix:///var/run/cri-dockerd.sock --ignore-preflight-errors Swap
	Tue Oct 17 16:42:04 UTC 2023: Failed to add worker: uba-hostname2.local, exiting

Steps: a) Manually generate the token from the management node: 

sudo kubeadm token create --print-join-command

b) Run the command from the second node with sudo and the necessary flags: 

sudo <output of the fist command> --cri-socket=unix:///var/run/cri-dockerd.sock --ignore-preflight-errors Swap --v=5

c) Here, if you observe the error is due to "dial tcp <uba-ip>:6443: connect: no route to host."

d) Open the 6443 port on all worker nodes: 

sudo firewall-cmd --permanent --zone=public --add-port=6443/tcp
	    sudo firewall-cmd --reload

e) Re-run the Caspida setup.

2) If you have not attached the second interface and have not run the Caspida setup yet, follow the steps below:

a) Build a server with a single interface.

b) Ensure that the interface is associated with the public firewall zone.

c) Install Splunk UBA following Splunk documentation using the node names that resolve to an IP address on this attached interface.

d) Perform post-installation sync.

e) Stop all UBA services.

f) Create a new firewall zone named "control-plane".

g) Add a new interface associated with the "control plane" zone.

h) Add inbound firewall rules permitting SSH and HTTPS.

i) Start all UBA services.
2023-09-08 UBA-17849 Multiple offline rules are failing after 5.3.0 upgrade due to AnalysisException: Could not resolve column/field reference
Workaround:
If multiple offline and real-time rules are failing due to "AnalysisException: Could not resolve column/field reference: 'count'" or similar exceptions after upgrading to UBA 5.3.0, run the following commands on the management node to refresh and re-install the rules:

Run the following query from the management node (for 1, 3, 5, 7, and 10 node deployment) and 2nd node (for 20 and 20XL node deployment): 

psql -d caspidadb -c "UPDATE rulepackages SET version = 0 WHERE namespace LIKE 'secteam.%';"

From the management node, run the following command: 

curl -w "\n" -Ssk -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)" -m 60 -X "POST" "https://localhost:9002/rules/installSystemPackages"

Note: There is NO need to restart any UBA services
2023-08-14 UBA-17734 UBA 5.3.0 Ubuntu deployments contain Log4j in a dangling Docker image layer
Workaround:
On UBA 5.3.0 Ubuntu deployments, customers' security scans may detect a log4j jar in /var/vcap/store/docker/aufs/diff/<Image Layer ID>/usr/lib/impala/lib/log4j-1.2.17.jar.

They can safely resolve this by removing the entire /var/vcap/store/docker/aufs/diff/<Image Layer ID> directory since it does not correspond to any Docker image/container/volume currently used in UBA 5.3.0.
2023-07-27 UBA-17641, UBA-17602 Upgrade Error: Job for redis-server.service failed because the service did not take the steps required by its unit configuration
Workaround:
On all nodes in the cluster, run the following command to update the redis.conf to allow the configure steps to complete: 
sudo sed -i 's/^supervised no$/supervised auto/g' /etc/redis/redis.conf
2023-01-31 UBA-16886 Kubelet unable to fetch container log stats for inactive pods
Workaround:
This issue pertains to a bug in cri-dockerd, which does not have a fixed version. A more permanent workaround will be released in 5.4.0. In the meantime, please find the temporary workaround below.

1. SSH as caspida user to UBA management node.

2. Take a backup of the ContainerizationCleanup.sh script: 

cp /opt/caspida/containerization/bin/ContainerizationCleanup.sh /opt/caspida/containerization/bin/ContainerizationCleanup.sh.ORIG

3. Insert the following code snippet at the end of the ContainerizationCleanup.sh script before the last line: echo "$(date): $0: DONE" 

#############
for node in "${!uniqHostsArr[@]}"
do
  echo "$(date): Check broken symlink of pods-log at Container Node : ${node}"
  ssh ${node} "(
    for i in \$(sudo find /var/log/pods -type l)
    do
      LOGFILE=\$(sudo ls -l \${i} | awk -F '->' '{print \$2}');
      if sudo test -f \$LOGFILE; then
         echo "$(date): INFO - symlink of pod-log is OK. symlink=\${i}";
      else
         echo "$(date): WARN - symlink of pod-log is BROKEN, so deleting it. symlink=\${i}";
         sudo rm \${i};
      fi
    done
  )"
done
#############

4. Run the following sync-cluster command: 

/opt/caspida/bin/Caspida sync-cluster /opt/caspida/containerization/bin/
2022-12-22 UBA-16722 Error in upgrade log, /bin/bash: which: line 1: syntax error: unexpected end of file
2022-12-05 UBA-16617 Repeated Kafka warning message "Received a PartitionLeaderEpoch assignment for an epoch < latestEpoch. This implies messages have arrived out of order"
Workaround:
1) On zookeeper node (typically node 2 on a multi-node deployment), find all leader-epoch-checkpoint files: 
locate leader-epoch-checkpoint
(can also use a find command if locate isn't available)

a) Copy result into a script, adding ">" prior to each result. i.e. 

#!/bin/bash
> /var/vcap/store/kafka/AnalyticsTopic-0/leader-epoch-checkpoint
> /var/vcap/store/kafka/AnalyticsTopic-1/leader-epoch-checkpoint
> /var/vcap/store/kafka/AnalyticsTopic-10/leader-epoch-checkpoint
> /var/vcap/store/kafka/AnalyticsTopic-11/leader-epoch-checkpoint
...
b) Make script executable: 
chmod +x <script name>.sh
2) On node 1, run: 
/opt/caspida/bin/Caspida stop-all
3) On zookeeper node, run: 
./<script name>.sh
4) On node 1, run: 
/opt/caspida/bin/Caspida start-all
5) Check logs to see if warn messages still show up on zookeeper node: 
tail -f /var/vcap/sys/log/kafka/server.log

6) If you see the following warning repeated: 

WARN Resetting first dirty offset of __consumer_offsets-17 to log start offset 3346 since the checkpointed offset 3332 is invalid. (kafka.log.LogCleanerManager$)
a) Clear cleaner-offset-checkpoint on zookeeper node by running: 
> /var/vcap/store/kafka/cleaner-offset-checkpoint
b) Then on node 1, run: 
/opt/caspida/bin/Caspida stop-all && /opt/caspida/bin/Caspida start-all
2022-07-26 UBA-15997 Benign error messages on CaspidaCleanup: Relations do not exist, Kafka topic does not exist on ZK path
2022-06-22 UBA-15882 Benign Spark error message: Could not find CoarseGrainedScheduler in spark-local.log when upgrading UBA
2022-02-14 UBA-15364 Spark HistoryServer running out of memory for large deployments with error: "java.lang.OutOfMemoryError: GC overhead limit exceeded"
Workaround:
Open the following file to edit on the Spark History Server: /var/vcap/packages/spark/conf/spark-env.sh

You can check deployments.conf field spark.history to find out which node runs the Spark History Server.

Update the following setting to 3G: SPARK_DAEMON_MEMORY=3G

Afterwards, restart the spark services: 

/opt/caspida/bin/Caspida stop-spark && /opt/caspida/bin/Caspida start-spark
2021-08-30 UBA-14755 Replication.err logging multiple errors - Cannot delete snapshot s_new from path /user: the snapshot does not exist.
2020-04-07 UBA-13804 Kubernetes certificates expire after one year
Workaround:
Run the following commands on the Splunk UBA master node: 
/opt/caspida/bin/Caspida remove-containerization
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
2019-10-07 UBA-13227 Backend anomaly and custom model names are displayed in Splunk UBA
Workaround:
Click the reload button in the web browser to force reload the UI page.
2019-08-06 UBA-12910 Splunk Direct - Cloud Storage does not expose src_ip field
Workaround:
When ingesting Office 365 Sharepoint/OneDrive logs through Splunk Direct - Cloud Storage, add an additional field mapping for src_ip in the final SPL to be mapped from ClientIP (| eval src_ip=ClientIP). Make sure to add src_ip in the final list of fields selected using the fields command. For example: 
| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip
2017-04-05 UBA-6341 Audit events show up in the UBA UI with 30 minute delay