Migrate a Splunk Phantom install from RHEL 6 or CentOS 6 to RHEL 7 or CentOS 7
Both Red Hat Enterprise Linux (RHEL) 6 and CentOS 6 reach their end of life on November 30, 2020. No further package updates or bug fixes will be delivered for those operating systems. In light of those operating systems reaching end-of-life status, Splunk Phantom version 4.9 is the final version that supports using either Red Hat Enterprise Linux 6 or CentOS 6.
Before upgrading to Splunk Phantom 4.10, customers must migrate their Splunk Phantom deployment from RHEL 6 or CentOS 6 systems to RHEL 7 or CentOS 7.
RHEL 8 and CentOS 8 are not currently supported.
The following kinds of deployments are affected by this change:
- Single instance, privileged Splunk Phantom deployments built using RPM. See Install Splunk Phantom to an existing server with RPM
- Single instance, privileged Splunk Phantom deployments built using the 'offline' installer. See Install Splunk Phantom on a system with limited internet access
All other ways to install Splunk Phantom either already require RHEL 7 or CentOS 7, or ship with one of them preconfigured.
Operating system migration checklist
Follow these steps to prepare for and then perform an operating system migration.
Migrating Splunk Phantom to a supported operating system requires downtime. If your Splunk Phantom instance is left online during the migration, some events will not be included in your backup and will not be restored to the new Splunk Phantom instance.
Stage | Tasks | Description |
---|---|---|
1 | Make a full backup of your Splunk Phantom deployment | Make a full backup of your Splunk Phantom deployment before attempting to upgrade Splunk Phantom. See Backup or restore your Splunk Phantom instance in Administer Splunk Phantom. This backup may be required if something goes wrong during your upgrade in stage 2. |
2 | Upgrade your Splunk Phantom deployment to version 4.9.39220 | If your Splunk Phantom deployment is not yet upgraded to version 4.9.39220, upgrade now. See Upgrade Splunk Phantom. |
3 | Make a new full backup of your upgraded Splunk Phantom deployment | Make a full backup of your Splunk Phantom deployment before attempting to migrate operating systems. See Backup or restore your Splunk Phantom instance in Administer Splunk Phantom. You will use this backup to restore Splunk Phantom to a new system running a supported operating system. |
4 | Create a new server running RHEL 7 or CentOS 7 | Build a new server for Splunk Phantom. If you need a yum repository satellite server for this server, create it now. |
5 | Install Splunk Phantom 4.9.39220 | Use either the RPM or offline install methods. |
6 | Restore Splunk Phantom from your backup | See Restore Splunk Phantom from a backup. Use the backup created in stage 3. |
Migrating without upgrading to Splunk Phantom version 4.9.39220
You can migrate to a new operating system version without upgrading your Splunk Phantom to version 4.9.39220 first.
If you choose to migrate to a supported operating system before upgrading Splunk Phantom, you must make sure that the version of Splunk Phantom on your original instance and the version on your new instance are identical. If they are not identical, the backup will fail to properly restore.
Migrating an external PostgreSQL database to a supported operating system
To back up an existing external Splunk Phantom PostgreSQL database and restore it on another server running a supported operating system, do these steps as the root user or a user with sudo permissions.
- On your Splunk Phantom instance, create a backup of the database. See Back up a Splunk Phantom deployment in Administer Splunk Phantom.
- Stop all Splunk Phantom services.
<PHANTOM_HOME>/bin/stop_phantom.sh
- Set up your new external PostgreSQL database server on a supported operating system, either Red Hat Enterprise Linux or CentOS version 7. See Set up an external PostgreSQL server in Install and Upgrade Splunk Phantom.
- On your Splunk Phantom instance, edit the databases section in the /etc/pgbouncer/pgbouncer.ini file as shown in the following code. host is the IP address or DNS name of the database server.
phantom = user=pgbouncer password=<pgbouncerpassword> host=<pg server>
postgres = user=postgres password=<postgrespassword> host=<pg server>
server_tls_sslmode = require
- On your Splunk Phantom instance, reload pgbouncer.
<PHANTOM_HOME>/bin/phsvc restart pgbouncer
- On your Splunk Phantom instance, start Splunk Phantom.
<PHANTOM_HOME>/bin/start_phantom.sh
- Test the connection to the database server.
sudo -u postgres psql -h /tmp -p 6432
If the connectivity test is successful, you will see the following message:
psql (11.6)
Type "help" for help.
postgres=#
- On your Splunk Phantom instance, initialize the database to use with Splunk Phantom.
cd /opt/phantom/bin
phenv prepare_db
- Restore the PostgreSQL database backup created earlier. See Restore Splunk Phantom from a backup in Administer Splunk Phantom.
- Connect to the Splunk Phantom server's web user interface, and verify that everything is working.
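The pgbouncer.ini edit in the procedure above decides which database server Splunk Phantom connects to and whether that connection is encrypted. The following shell function is an added example, not part of the Splunk documentation or tooling, that audits the file before pgbouncer is restarted. The function names, the constructed sample file, the placement of server_tls_sslmode under a [pgbouncer] section in that sample, and the extra world-readable check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk tooling): audit pgbouncer.ini after repointing it.
# check_pgbouncer_ini FILE EXPECTED_HOST  returns 0 when every check passes.
check_pgbouncer_ini() {
    ini=$1; want=$2; rc=0
    for db in phantom postgres; do
        # Read the entry from [databases] only, then extract its host= value.
        host=$(awk -v db="$db" '
            /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[databases\]/); next }
            in_db && $0 ~ ("^[ \t]*" db "[ \t]*=") {
                sub("^[ \t]*" db "[ \t]*=[ \t]*", "")
                n = split($0, kv, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (kv[i] ~ /^host=/) print substr(kv[i], 6)
            }' "$ini")
        if [ "$host" != "$want" ]; then
            echo "FAIL: [databases] $db has host='${host:-unset}', expected '$want'"
            rc=1
        fi
    done
    # If the key appears more than once, the last value is the one checked.
    mode=$(awk -F= '/^[ \t]*server_tls_sslmode[ \t]*=/ {
               gsub(/[ \t\r]/, "", $2); m = $2 } END { print m }' "$ini")
    case $mode in
        require|verify-ca|verify-full) ;;
        *) echo "FAIL: server_tls_sslmode is '${mode:-unset}', expected require"; rc=1 ;;
    esac
    # The file holds database passwords in clear text; flag world-readable modes.
    if [ -n "$(find "$ini" -perm -004)" ]; then
        echo "FAIL: $ini is world-readable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $ini points at $want with TLS required"
    return "$rc"
}

# Constructed sample file for a dry run; host and passwords are placeholders.
write_sample_ini() {
    ( umask 077; cat > "$1" <<EOF
[databases]
phantom = user=pgbouncer password=example-pw host=$2
postgres = user=postgres password=example-pw host=$2

[pgbouncer]
server_tls_sslmode = ${3:-require}
EOF
    )
}
# Run against a real file when called as: sh check.sh FILE EXPECTED_HOST
if [ "$#" -eq 2 ]; then check_pgbouncer_ini "$1" "$2"; fi
```

A stale host value or a missing server_tls_sslmode line produces a FAIL line and a non-zero exit status, so the check can gate the pgbouncer restart in a migration runbook.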
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2