Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Warm standby tools

Use the phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc script to manage warm standby.

Warm standby script arguments

Argument Description
-h, --help Show this help message and exit.
--primary-mode Run the instance as the primary in the warm standby pairing.
--standby-mode Run the instance as the warm standby in the warm standby pairing.
--version Show the program's version number and exit.
--status Show the status of the current instance.
--configure Configure warm standby. Additional arguments are required.
--off Turn warm standby off on the current instance based on which mode the instance is in.
--convert-to-primary Convert a standby to primary. Valid only in --standby-mode.
--primary-ip <PRIMARY_IP> IP address of the primary.
--standby-ip <STANDBY_IP> IP address of the warm standby.
-d, --ignore-database Ignore the PostgreSQL database during setup. Only backs up system files.
-t, --ignore-vault Ignore the vault during setup. Only backs up various contents from /<PHANTOM_HOME>/.
-l <RECOVERY_DATABASE_LOCATION>, --recovery-database-location <RECOVERY_DATABASE_LOCATION> When setting up the standby, copy the original database to this location for recovery in the event of a script failure.
--primary-phantom-version <PRIMARY_PHANTOM_VERSION> Version of the primary instance. Only valid for --standby-mode. If passed, validates against the current version.
-r <REMOTE_USER>, --remote-user <REMOTE_USER> The username of the remote user.
-x, --relax_verification Relax user verification requirements for non-root installations. Setting this option is not recommended.
-p <SSH_PORT>, --ssh-port <SSH_PORT> Port to be used by all SSH commands.
--no-modify-ciphers Don't overwrite ssl_cipher in PostgreSQL configurations.
-u, --ignore-package-updates Skip updating packages. Skips re-installing rpm and pip packages.
--no-cron-install Set but don't install the warm standby crontab.
--recreate-local-db Purge the current database and generate a blank instance when turning off your standby instance. This will delete all of your data.
-w <WAL_KEEP_SEGMENTS>, --wal-keep-segments <WAL_KEEP_SEGMENTS> The number of WAL segments retained on the primary instance. Increase the WAL segments to allow greater network latency between the primary instance and the standby instance. Each retained segment takes up an additional 16 MB of disk space in your DB directory.
--replicator-password <REPLICATOR_PASSWORD> Password for the postgres replicator role. It can also be provided via the "PHANTOM_WARM_STANBY_REPLICATOR_PASSWORD" environment variable.
--ssh-password <SSH_PASSWORD> Password for the remote user. It can also be provided via the "PHANTOM_WARM_STANDBY_SSH_PASSWORD" environment variable.

SSL certificate information

The following arguments supply the subject fields needed to generate an SSL certificate while configuring warm standby.

Argument Description
--ssl-country <SSL_COUNTRY> Country code for the SSL certificate subject.
--ssl-state <SSL_STATE> State code for the SSL certificate subject.
--ssl-city <SSL_CITY> City for the SSL certificate subject.
--ssl-org <SSL_ORG> Organization for the SSL certificate subject.
--ssl-unit <SSL_UNIT> Organizational unit for the SSL certificate subject.
--ssl-domain <SSL_DOMAIN> Domain for the SSL certificate subject.
--ssl-email <SSL_EMAIL> Email address for the SSL certificate subject.

Warm standby API

The API /rest/warm_standby_check can be used to determine whether an instance is the standby in a warm standby pair. See REST Warm standby.

The API returns the same 500 result if used on either a warm standby or a cluster node. Clusters cannot use the warm standby feature.
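The following Python is an added example, not part of the Splunk documentation or the setup_warm_standby.pyc script itself. It assembles a standby configure command from the script arguments listed above, keeping the replicator and SSH passwords out of the command line by using the documented environment variables instead (so they do not appear in process listings or shell history), sizes the disk needed for --wal-keep-segments, and interprets the /rest/warm_standby_check result, which cannot distinguish a warm standby from a cluster node. PHANTOM_HOME below is an assumed placeholder path, and treating any non-500 response as "not standby" is an assumption, since the page documents only the 500 case.

```python
import os
import urllib.error
import urllib.request
from typing import Dict, List

PHANTOM_HOME = "/opt/phantom"  # assumption: substitute your real <PHANTOM_HOME>
WAL_SEGMENT_MB = 16            # per-segment cost from the --wal-keep-segments description


def wal_disk_mb(segments: int) -> int:
    """Extra disk the primary's DB directory needs to retain `segments` WAL segments."""
    return segments * WAL_SEGMENT_MB


def build_standby_configure(primary_ip: str, standby_ip: str, remote_user: str,
                            wal_keep_segments: int, ssh_port: int = 22) -> List[str]:
    """argv for configuring the standby side of the pair.
    Passwords are deliberately absent: the script reads them from the
    environment (see secrets_env), so they never land in `ps` or history."""
    return [
        "phenv", "python", f"{PHANTOM_HOME}/bin/setup_warm_standby.pyc",
        "--configure", "--standby-mode",
        "--primary-ip", primary_ip, "--standby-ip", standby_ip,
        "--remote-user", remote_user,
        "--ssh-port", str(ssh_port),
        "--wal-keep-segments", str(wal_keep_segments),
    ]


def secrets_env(replicator_password: str, ssh_password: str) -> Dict[str, str]:
    """Environment for subprocess.run(argv, env=...). Variable names are the
    ones the documentation lists; the replicator one is spelled as documented
    (STANBY), so confirm it against --help on your own version."""
    env = dict(os.environ)
    env["PHANTOM_WARM_STANBY_REPLICATOR_PASSWORD"] = replicator_password
    env["PHANTOM_WARM_STANDBY_SSH_PASSWORD"] = ssh_password
    return env


def interpret_warm_standby_check(status: int) -> str:
    """500 means the instance is a warm standby OR a cluster node; the API does
    not tell them apart, so do not treat 500 as proof of a standby role."""
    return "standby-or-cluster-node" if status == 500 else "not-standby"


def check_instance(base_url: str) -> str:
    """Network call: GET /rest/warm_standby_check and classify the instance."""
    req = urllib.request.Request(f"{base_url}/rest/warm_standby_check")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_warm_standby_check(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_warm_standby_check(err.code)
```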

Last modified on 08 September, 2021
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
