Use the make_server_node.pyc script to convert a virtual machine image install into either a specific service server or a Shared Services server for a Splunk Phantom cluster.
Additional configuration steps for unprivileged clusters
Perform the following steps on the load balancer or Shared Services server, as root or as a user with sudo privileges.
- Set SELinux to allow HAProxy to bind to your custom HTTPS port. If SELinux is disabled, skip this step.
semanage port --add --type http_port_t --proto tcp <HTTPS PORT>
If you receive an error that the port is already defined, use --modify instead of --add:
semanage port --modify --type http_port_t --proto tcp <HTTPS PORT>
- Edit /etc/haproxy/haproxy.cfg to remove the comment marker # from the frontend block on the line for your custom HTTPS port.
Before:
# bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
After:
bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
- Restart HAProxy.
systemctl restart rh-haproxy18-haproxy
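The three load-balancer steps above, automated in one POSIX shell script, as an added example that is not from the Splunk Phantom documentation. It handles the "port already defined" case by retrying with --modify, refuses to restart HAProxy unless exactly one bind line for the port was activated and the edited config passes a syntax check, and includes a constructed sample frontend block so the edit can be rehearsed without touching a live config. Assumptions of mine, not the page's: the commented bind line carries a single leading '#', GNU sed is installed, and the config path is /etc/haproxy/haproxy.cfg as the docs state.

```shell
#!/bin/sh
# Added example, not from the Splunk Phantom docs. Automates the
# load-balancer steps: SELinux port label, uncomment the bind line,
# config check, restart. Run as root: sh lb_https_port.sh --apply 8443

# Step 1: label the TCP port http_port_t. The docs say to use --modify when
# --add reports the port is already defined, so try --add first and fall back.
selinux_allow_port() {
    port="$1"
    if ! command -v semanage >/dev/null 2>&1 || [ "$(getenforce 2>/dev/null)" = "Disabled" ]; then
        echo "SELinux disabled or semanage not installed; skipping port label" >&2
        return 0
    fi
    if ! semanage port --add --type http_port_t --proto tcp "$port" 2>/dev/null; then
        semanage port --modify --type http_port_t --proto tcp "$port"
    fi
}

# Step 2: drop the leading '#' from the bind line for exactly this port in
# haproxy.cfg and print how many active bind lines for that port remain.
# A result of 0 means no such line existed (wrong port or wrong file).
# Assumption: a single '#' precedes "bind *:<port> "; GNU sed -i is available.
enable_https_bind() {
    cfg="$1"; port="$2"
    sed -E -i "s/^([[:space:]]*)#[[:space:]]*(bind \*:${port}[[:space:]])/\1\2/" "$cfg"
    grep -cE "^[[:space:]]*bind \*:${port}[[:space:]]" "$cfg"
}

# Constructed sample frontend block (not a real deployment) for trying
# enable_https_bind without touching a live config.
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend phantom_https
    bind *:443 ssl crt /etc/haproxy/phantom.pem
    # bind *:8443 ssl crt /etc/haproxy/phantom.pem
    default_backend phantom_nodes
EOF
}

# Steps 1-3 on a live host. Refuses to restart HAProxy unless exactly one
# bind line was activated and, when the binary is on PATH, haproxy -c accepts
# the edited config.
apply_lb_steps() {
    port="$1"; cfg="${2:-/etc/haproxy/haproxy.cfg}"
    selinux_allow_port "$port"
    n=$(enable_https_bind "$cfg" "$port")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one bind line for port $port in $cfg, found $n" >&2
        return 1
    fi
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$cfg" || return 1
    fi
    systemctl restart rh-haproxy18-haproxy
}

case "${1:-}" in
    --apply) apply_lb_steps "$2" "${3:-}" ;;
esac
```

Without --apply the script only defines its functions, so write_sample_cfg and enable_https_bind can be exercised on a workstation before the script is run as root on the load balancer.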
A single Shared Services server is a single point of failure: any problem on that server impacts your entire Splunk Phantom cluster. This mode is intended primarily for Proof of Value or demonstrations and is not recommended for production use. For production, build a separate server for each service rather than a single Shared Services server.
Create a Shared Services server as root or using sudo:
Making a Shared Services server also generates the /opt/phantom/bin/mcn_responses.json file, which can be passed as an argument to make_cluster_node.pyc to help set up the first Splunk Phantom node in your cluster.
The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location readable only by the account that will run make_cluster_node.pyc, and delete it once the cluster configuration is complete.
Create a specific function server
Create a specific function server, such as an HAProxy load balancer, PostgreSQL database, file share, or Splunk Enterprise as root or using sudo:
Repeat once on separate virtual machine image installations for each server.
- fs - sets up a single server GlusterFS for file shares.
- db - sets up the internal PostgreSQL database to be used as an external PostgreSQL database.
- proxy - installs and configures HAProxy to serve as a load balancer for your Splunk Phantom cluster.
- splunk - allows the local Splunk Enterprise to be used as a remote search endpoint.
make_server_node.pyc prompts and warnings
The make_server_node.pyc script issues a warning that you are about to permanently change your Splunk Phantom instance.
The changes are:
- Splunk Phantom is removed from the system boot scripts.
- The internal Splunk Phantom database is disabled.
- File shares are configured.
- HAProxy is installed to act as a load balancer.
- Splunk Enterprise is installed.
You must respond to the warning with "y" for yes to proceed.
You are prompted to supply the following information for the TLS certificate:
- Country Code
- State Code
- Organization unit
- Hostname (or IP address)
- Email address
The remaining prompts are:
- The subnet on which PostgreSQL will accept connections.
- Set the passwords for the postgres and pgbouncer user accounts.
- Password for the user account.
When the script completes it writes the file
Logs are written to /var/log/phantom/make_server_node/make_server_node_<date and time>.log.
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7