Known issues in Splunk UBA

This version of Splunk UBA has the following known issues and workarounds.

If no issues are listed, none have been reported.

Date filed Issue number Description
2024-11-14UBA-19498, UBA-19460

Error when uploading UBA SSO metadata xml file in ADFS

Workaround:

Removing <#list> entries from the SP MetaData File.

2024-09-24UBA-19440

Upgrading to version 5.4.1 breaks data sources

Workaround:

1. Ask customer to generate new health check to get datasource information so that we may need to manually recreate datasource.

2. Have customer upgrade to UBA 5.4.1 following our public docs.

3. IF customer encounters the issue with the datasources page inaccessible, continue with the steps below.

4. Run the following script on the command line on the postgres node to identify datasource(s) that have corrupted connectString: 

#!/bin/bash
result=$(psql -d caspidadb -t  -c "select id, name, connectString from datasources")

while read -r result_line; do
  IFS="|" read -r salt name value <<< "$result_line"
  if  [ ! -z "$salt" ]  && [ ! -z "$name" ] && [ ! -z "$value" ]; then
    saltValue=$(echo "$salt" | xargs)
    value=$(echo "$value" | xargs)
    name=$(echo "$name" | xargs)
    decryptedValue=$(java -cp /opt/caspida/lib/CaspidaSecurity.jar com.caspida.common.tools.CryptoUtil -d "$saltValue" "$value" )
    echo $saltValue  $name $decryptedValue
  fi
done <<< "$result"

5. From the output, find and take note of the dataSourceId that have the corrupted connectString, as shown in the following example: https://docs.splunk.com/File:UBA-19440_workaround_image.png

6. Delete the datasource(s) using API call from UBA management node by replacing "XXXXXXXXXXX" with what was found in step 2: 

curl -Ssk -X DELETE https://localhost:9002/datasources/delete?id=XXXXXXXXXXX -H "Authorization: Bearer $(grep '^\s*jobmanager.restServer.auth.user.token=' /opt/caspida/conf/uba-default.properties | cut -d'=' -f2)"

7. Manually recreate datasource that was deleted.

2024-08-22UBA-19329PII masking doesn't work with "Export to SplunkES"
2024-08-16UBA-19309Custom models created by cloning a cloned custom model sometimes do not work
2024-04-30UBA-18862

Error Encountered When Cloning Splunk Datasource and Selecting Source Types

Workaround:

Re-enter the password on the Connection page for the Splunk endpoint.

2024-04-26UBA-18851Benign Error Message on Caspida start - Ncat: Connection Refused
2024-04-03UBA-18721

UBA identifies end user/service account are accessing hard disk volumes instead of built-in computer account

Workaround:

Disable the augmented_access rule.

Steps to disable rule:

1. remove (or move to some other location outside of UBA as a backup) the file /etc/caspida/conf/rules/user/ad/augmented_access.rule

2. sync-cluster (/opt/caspida/bin/Caspida sync-cluster /etc/caspida/conf/rules/user/ad/)

3. restart uba (/opt/caspida/bin/Caspida stop & /opt/caspida/bin/Caspida start)

2022-12-22UBA-16722Error in upgrade log, /bin/bash: which: line 1: syntax error: unexpected end of file
2022-06-22UBA-15882Benign Spark error message: Could not find CoarseGrainedScheduler in spark-local.log when upgrading UBA
2021-08-30UBA-14755Replication.err logging multiple errors - Cannot delete snapshot s_new from path /user: the snapshot does not exist.
2020-04-07UBA-13804

Kubernetes certificates expire after one year

Workaround:

Run the following commands on the Splunk UBA master node: 

/opt/caspida/bin/Caspida remove-containerization
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
2017-04-05UBA-6341Audit events show up in the UBA UI with 30 minute delay