Splunk Phantom upgrade overview and prerequisites
Splunk Phantom requires incremental upgrades from earlier versions.
Do not skip any required versions when upgrading Splunk Phantom. For example, to upgrade Splunk Phantom from version 4.2 to version 4.6, you must upgrade to version 4.5 before upgrading to version 4.6.
Upgrade checklist
Follow these steps to prepare for and then perform an upgrade.
Stage | Tasks | Description |
---|---|---|
1 | Make a full backup of your Splunk Phantom deployment | Make a full backup of your Splunk Phantom deployment before upgrading. See Backup or restore your Splunk Phantom instance in Administer Splunk Phantom. For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead. |
2 | Do the prerequisites | See Prerequisites for upgrading Splunk Phantom. |
3 | Prepare your Splunk Phantom deployment for upgrade | See Prepare your Splunk Phantom deployment for upgrade. |
4 | Upgrade Splunk Phantom | See Upgrade Splunk Phantom. |
Notes
- Splunk Phantom version 4.9 requires PostgreSQL version 11.6 and GlusterFS version 7.5. The upgrade process will automatically upgrade the PostgreSQL database for single-instance deployments of Splunk Phantom.
- If your Splunk Phantom deployment is a cluster or uses an external PostgreSQL database, then PostgreSQL must be upgraded before upgrading the Splunk Phantom platform. Reference scripts for upgrading PostgreSQL are included in the repositories or the installation .tar file.
- If your Splunk Phantom deployment is a cluster or uses an external GlusterFS fileshare, then GlusterFS must be upgraded before upgrading the Splunk Phantom platform. Scripts for upgrading GlusterFS are included in the repositories or the installation .tar file.
After the preparation stages are complete, you can upgrade your Splunk Phantom instance or cluster. A clustered deployment is upgraded in a rolling fashion, one node at a time.
Prerequisites for upgrading Splunk Phantom
You need the following information before beginning your upgrade:
- Logins
- For privileged deployments, user accounts on the operating system for your Splunk Phantom instance or cluster nodes with sudo or root access on those systems.
- For unprivileged deployments, you also need the login credentials for the user account that runs Splunk Phantom.
- Your Splunk Phantom Community portal login.
- If your Splunk Phantom deployment has restricted internet access, you will need a local yum repository or a satellite server from which to get yum packages.
- A minimum of 5GB of space available in the /tmp directory on the Splunk Phantom instance or cluster node.
For deployments with restricted internet access, add local yum repositories for upgrade
If your Splunk Phantom deployment has no access or only restricted access to the internet, you must create either a satellite server or a local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?
The required upgrade repositories are:
OS version | CentOS | RHEL |
---|---|---|
6 | [base], [updates] | [rhel-6-server-rpms], [rhel-server-rhscl-6-rpms] |
7 | [base], [updates] | [rhel-7-server-rpms], [rhel-server-rhscl-7-rpms] |
Prepare your Splunk Phantom deployment for upgrade
Before you upgrade Splunk Phantom, you will need to prepare your instance or your cluster nodes by updating the operating system and installed packages, and by adding the Splunk Phantom repositories and their signing keys.
Update the operating system and installed packages
Follow these steps to update the operating system and otherwise prepare your deployment for the upgrade.
For a clustered deployment of Splunk Phantom, prepare cluster nodes in a rolling fashion, one cluster node at a time.
- Log in to the Splunk Phantom instance's operating system:
- For privileged deployments, log in as the root user or a user with sudo privileges.
- For unprivileged deployments, log in as the user account that runs Splunk Phantom.
- If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
- On a single instance deployment of Splunk Phantom, disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
- If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
- Disable WAL archiving for the PostgreSQL database. Set archive_mode to "off" in the file /opt/phantom/data/db/postgresql.phantom.conf. For example:
sed -i -e 's/archive_mode = on/archive_mode = off/i' /<PHANTOM_HOME>/data/db/postgresql.phantom.conf
- Restart PostgreSQL to make the configuration change take effect.
/<PHANTOM_HOME>/bin/phsvc restart postgresql-11
- Stop all Splunk Phantom services. For example, as the root user:
/<PHANTOM_HOME>/bin/stop_phantom.sh
- Clear the YUM caches. As the root user:
yum clean all
- Update the installed software packages, excluding Nginx, and apply operating system patches. Systems which cannot access YUM repositories over the internet need a satellite server; see For deployments with restricted internet access, add local yum repositories for upgrade. As the root user:
yum update --exclude=nginx
If you are using the EPEL repository some packages may be upgraded to a version higher than supported by Splunk Phantom. In this case, you want to use the Official Offline RPMs instead of using YUM to get the required versions of package dependencies for Splunk Phantom. See For Splunk Phantom deployments without internet access or unprivileged deployments for instructions.
- If a kernel update was included in your operating system updates, restart the operating system. As the root user:
reboot
If you did not need to restart the operating system, restart Splunk Phantom instead. As the root user:
/<PHANTOM_HOME>/bin/start_phantom.sh
- If a system restart was required, after the system restarts, log in to the operating system as either the root user or a user with sudo privileges.
- The install script requires the ability to create jobs in cron. See System requirements for production use. Check that the cron daemon is running. As the root user:
ps -ef | grep crond
- If the cron daemon is not running, start it.
systemctl start crond.service
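The following preflight script is an added example, not a script from Splunk or the Splunk Phantom documentation. It bundles the checks from the preparation steps above (free space in /tmp, the cron daemon, and the archive_mode change in postgresql.phantom.conf) into one file. It assumes PHANTOM_HOME is the install root (defaulting to /opt/phantom) and that the PostgreSQL settings file is at the path the page gives; the function names and the sample configuration used by the dry run are constructed for this example. Unlike the bare sed one-liner, disable_wal_archiving keeps a timestamped copy of the configuration file and rewrites only the value token, so archive_command and any inline comments survive and WAL archiving can be re-enabled after the upgrade.

```shell
#!/bin/sh
# Pre-upgrade preflight helpers for the preparation steps above. Added example,
# not Splunk's own script. Assumes PHANTOM_HOME is the install root (defaults to
# /opt/phantom) and the PostgreSQL settings file is
# $PHANTOM_HOME/data/db/postgresql.phantom.conf, as the page states.

PHANTOM_HOME=${PHANTOM_HOME:-/opt/phantom}
PG_CONF="$PHANTOM_HOME/data/db/postgresql.phantom.conf"

# Succeeds when directory $1 has at least $2 GiB free (df -P gives POSIX columns).
has_free_space() {
    avail_kib=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ "${avail_kib:-0}" -ge $(( $2 * 1024 * 1024 )) ]
}

# Prints the effective archive_mode value of file $1. As in PostgreSQL, the
# last assignment wins; comments, blanks and quotes are stripped.
archive_mode_value() {
    awk -F= -v q="'" '
        /^[[:space:]]*archive_mode[[:space:]]*=/ {
            v = $2
            sub(/#.*/, "", v)                # drop a trailing comment
            gsub("[[:space:]" q "]", "", v)  # strip blanks and quotes
            print v
        }' "$1" | tail -n 1
}

# Sets archive_mode = off in place in file $1. A timestamped copy is kept so
# WAL archiving can be re-enabled after the upgrade; only the value token is
# rewritten, so archive_command and inline comments survive, and writing back
# through cat keeps the file's owner and mode.
disable_wal_archiving() {
    conf=$1
    tmp=$(mktemp) || return 1
    cp -p "$conf" "$conf.pre-upgrade.$(date +%Y%m%d%H%M%S)" || return 1
    awk -v q="'" '
        /^[[:space:]]*archive_mode[[:space:]]*=/ {
            sub("=[[:space:]]*" q "?[Oo][Nn]" q "?", "= off")
        }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# True when the cron daemon is running (the install script creates cron jobs).
crond_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet crond
    else
        pgrep -x crond >/dev/null 2>&1
    fi
}

# Checks the real host; prints one line per check and returns 1 on any failure.
preflight() {
    rc=0
    if has_free_space /tmp 5; then echo "ok: /tmp has at least 5 GiB free"
    else echo "FAIL: /tmp needs at least 5 GiB free"; rc=1; fi
    if crond_running; then echo "ok: crond is running"
    else echo "FAIL: crond is not running (systemctl start crond.service)"; rc=1; fi
    if [ -f "$PG_CONF" ]; then echo "archive_mode is currently: $(archive_mode_value "$PG_CONF")"
    else echo "note: $PG_CONF not found, skipping the WAL archiving check"; fi
    return $rc
}

# Dry run on a constructed sample file (not a real Phantom configuration).
demo() {
    d=$(mktemp -d)
    cat > "$d/postgresql.phantom.conf" <<'EOF'
wal_level = replica
archive_mode = on      # needed for warm standby
archive_command = 'cp %p /backup/%f'
EOF
    echo "before: archive_mode=$(archive_mode_value "$d/postgresql.phantom.conf")"
    disable_wal_archiving "$d/postgresql.phantom.conf"
    echo "after:  archive_mode=$(archive_mode_value "$d/postgresql.phantom.conf")"
    cat "$d/postgresql.phantom.conf"
    rm -rf "$d"
}

# "preflight" checks this host; anything else (or no argument) runs the dry run.
case "${1:-demo}" in
    preflight) preflight ;;
    *)         demo ;;
esac
```

Run `sh preflight.sh preflight` as root (or the account that runs Splunk Phantom on an unprivileged deployment) to check the node; with no argument it only performs the dry run on the constructed file. To apply the change on a real node, source the script and call `disable_wal_archiving "$PG_CONF"`, then restart PostgreSQL with `/<PHANTOM_HOME>/bin/phsvc restart postgresql-11` as the step above describes.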
Install the Splunk Phantom repositories and signing keys
- For privileged deployments with internet access, install the Splunk Phantom repository and signing keys. See Splunk Phantom repositories and signing keys packages.
- For unprivileged deployments, or deployments with limited internet access, the repositories and signing keys are included in the upgrade tar file. See For Splunk Phantom deployments without internet access or unprivileged deployments.
Upgrade external PostgreSQL and GlusterFS
If your Splunk Phantom deployment uses an external PostgreSQL database or a GlusterFS-based fileshare you must upgrade those components before upgrading Splunk Phantom.
- If your deployment uses a PostgreSQL database that is external to your instance of Splunk Phantom, see Upgrade PostgreSQL for Splunk Phantom deployments with external databases.
- If your deployment uses an external GlusterFS-based fileshare, see Upgrade GlusterFS for Splunk Phantom deployments with GlusterFS fileshares.
Upgrade Splunk Phantom
When you are ready to upgrade Splunk Phantom, follow one of these sets of instructions, based on the type of your Splunk Phantom deployment.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9