Send Splunk UBA logs to a custom index on the Splunk platform

You can specify a custom index to use instead of potentially overloading the default _internal index. Once the Splunk UBA logs are ingested by the Splunk platform, they can be used by the Splunk UBA Monitoring App.

Send Splunk UBA logs to a custom index for new Splunk UBA installations

Perform the following tasks to send Splunk UBA logs to a custom index on the Splunk platform:

  1. Begin by contacting Splunk Support to request the Splunk license for ingesting Splunk UBA logs. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Configure Splunk User Behavior Analytics.
  2. Perform the following tasks on the Splunk UBA master node:
    1. Add the splunk.forwarder.server.index.name property to the /etc/caspida/local/conf/uba-site.properties file and set it to the name of the custom Splunk UBA index. For example:
      splunk.forwarder.server.index.name=ubaindex
      If you specify an index name that does not already exist, create it as a new event index on the Splunk platform before you switch the forwarders; an indexer discards events sent to an index it does not have. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
    2. Synchronize the cluster in distributed deployments. Run the following command:
      /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
    3. Run the following command to switch the index for all forwarders from the default _internal index to the new index, such as ubaindex in our example:
      /opt/caspida/bin/Caspida switch-splunk-index
  3. On the Splunk search head with the Splunk UBA Monitoring App installed, modify the search macro uba_index to point to the new index.
    1. From Splunk Web, select Settings > Advanced search.
    2. Click Add new next to Search macros.
    3. Select Splunk_UBA_Monitor as the Destination App.
    4. Specify uba_index as the Name of the macro.
    5. Specify the name of the new index in the Definition field. For example:
      (index=ubaindex)

      If you want to keep the data in the existing _internal index along with the new index, use the following syntax:

      (index IN (_internal, ubaindex))
    6. Click Save.
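The following shell functions are an added example, not part of the Splunk UBA product or this page's original procedure. They prepare the two configuration artifacts the steps above describe: the splunk.forwarder.server.index.name property in uba-site.properties (replacing any existing line for that key rather than appending a duplicate, so the file never carries two values for it), and the uba_index macro as a macros.conf stanza, which is the file-based equivalent of the Settings > Advanced search steps. The index-name check follows Splunk's documented naming rule (lowercase letters, digits, underscores and hyphens, not starting with an underscore or hyphen). The default file paths, the function names, and the assumption that the macro file is written fresh are this example's own; the Caspida sync-cluster and switch-splunk-index commands are still run by hand afterwards.

```shell
#!/bin/sh
# Added example: helpers for the custom-index steps. Not Splunk's tooling.
# Paths, function names and the "write macros.conf fresh" behaviour are assumptions.
LC_ALL=C
export LC_ALL

# Splunk index naming rule: lowercase letters, digits, underscore, hyphen,
# and the name may not begin with an underscore or a hyphen.
valid_index_name() {
    case "$1" in
        ''|_*|-*)       return 1 ;;
        *[!a-z0-9_-]*)  return 1 ;;
        *)              return 0 ;;
    esac
}

# set_property FILE KEY VALUE
# Sets KEY=VALUE in a key=value properties file. Any existing line for KEY is
# dropped first, so re-running never leaves two lines for the same key.
# Comments and other keys are preserved; the file is created if missing.
set_property() {
    _tmp=$(mktemp)
    if [ -f "$1" ]; then
        awk -v k="$2" 'index($0, k "=") != 1' "$1" > "$_tmp"
    fi
    printf '%s=%s\n' "$2" "$3" >> "$_tmp"
    mv "$_tmp" "$1"
}

# get_property FILE KEY  -> prints the value of KEY (exact key match)
get_property() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$1"
}

# configure_uba_index PROPS_FILE INDEX_NAME
# Validates the name, then sets splunk.forwarder.server.index.name in the
# UBA site properties file (default path from the procedure above).
configure_uba_index() {
    _props=${1:-/etc/caspida/local/conf/uba-site.properties}
    _index=$2
    if ! valid_index_name "$_index"; then
        echo "invalid Splunk index name: '$_index'" >&2
        return 1
    fi
    set_property "$_props" splunk.forwarder.server.index.name "$_index"
}

# write_uba_index_macro MACROS_CONF DEFINITION
# Writes the uba_index macro stanza. DEFINITION is the body you would type in
# Splunk Web, e.g. '(index=ubaindex)' or '(index IN (_internal, ubaindex))'.
# Overwrites the target file: use it only when the app's local/macros.conf
# does not exist yet, otherwise add the stanza to the existing file by hand.
write_uba_index_macro() {
    mkdir -p "$(dirname "$1")"
    printf '[uba_index]\ndefinition = %s\n' "$2" > "$1"
}

# Typical use on the UBA master node (then sync-cluster and switch-splunk-index):
#   configure_uba_index /etc/caspida/local/conf/uba-site.properties ubaindex
# Typical use on the search head (assumed app path, default install location):
#   write_uba_index_macro \
#     /opt/splunk/etc/apps/Splunk_UBA_Monitor/local/macros.conf '(index=ubaindex)'
```

Pointing the macro at the new index before switch-splunk-index has run simply returns no results from the monitoring app until the first forwarded events arrive; keeping _internal in the definition, as in the IN form, avoids that gap and keeps pre-switch history searchable.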

Perform additional setup on the Splunk platform when upgrading the Splunk UBA Monitoring App

If you are upgrading the Splunk UBA Monitoring App on the Splunk platform to the latest version, you will see a window indicating additional setup is required to complete the upgrade. Perform the following tasks:

  1. Click Set up now to set up the new version of the Splunk UBA Monitoring App.
  2. Update the macro for the Splunk UBA index. The default is (index=_internal). To add a custom index called ubaindex, change the macro to the following:
    (index=_internal OR index=ubaindex)
    Keep _internal so that all existing data prior to the upgrade is preserved for continuity.
  3. Click Save.