Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Run make_server_node.pyc

Use the make_server_node.pyc script to convert a virtual machine image install into either a specific service or a Shared Services server for a Splunk Phantom cluster.

Additional configuration steps for unprivileged clusters

Perform the following steps on the load balancer or Shared Services server as root, or as a user with sudo privileges.

  1. Configure SELinux to allow HAProxy to bind to your custom HTTPS port.

    If SELinux is disabled, skip this step.

    semanage port --add --type http_port_t --proto tcp <HTTPS PORT>

    If you receive an error that the port is already defined, use --modify instead of --add:

    semanage port --modify --type http_port_t --proto tcp <HTTPS PORT>
  2. Edit /etc/haproxy/haproxy.cfg and remove the comment marker # from the bind line for your custom HTTPS port in the frontend block, so that
    # bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
    becomes
    bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
  3. Restart HAProxy.
    systemctl restart rh-haproxy18-haproxy
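The three steps above, collected into one idempotent script. This is an added example and not part of the Splunk Phantom documentation or product. It assumes it runs as root, that the haproxy.cfg path and the rh-haproxy18-haproxy unit name are the ones given on this page, that the SCL HAProxy binary is on PATH as "haproxy", and that HAPROXY_CFG can be pointed at a copy of the configuration for a dry run. It adds the checks a practitioner wants before touching a load balancer: it verifies the SELinux label landed, only uncomments the bind line for the exact port requested, and validates the configuration with haproxy -c before restarting.

```sh
#!/bin/sh
# Added example, not part of the Splunk Phantom documentation: apply the three
# unprivileged-cluster steps on the load balancer in one idempotent run.
# Assumptions: run as root; haproxy.cfg path and rh-haproxy18-haproxy unit name
# are the ones on this page; the SCL HAProxy binary is on PATH as "haproxy";
# HAPROXY_CFG may be overridden to operate on a copy of the configuration.
set -eu

HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
HAPROXY_UNIT="rh-haproxy18-haproxy"

# Step 1: label the custom port http_port_t so HAProxy may bind it.
# Skipped when SELinux is disabled or absent; falls back to --modify when the
# port already carries a label (the "already defined" error the page mentions).
label_https_port() {
    port="$1"
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" = "Disabled" ]; then
        echo "SELinux disabled or not installed; skipping port labelling"
        return 0
    fi
    if ! semanage port --add --type http_port_t --proto tcp "$port" 2>/dev/null; then
        semanage port --modify --type http_port_t --proto tcp "$port"
    fi
    # Verify the label actually landed before moving on.
    semanage port --list | grep '^http_port_t *tcp' | grep -qw "$port"
}

# Step 2: uncomment "# bind *:<port> ssl crt ..." in the frontend block.
# Only the bind line for this exact port is touched; every other line is left
# alone. Returns non-zero if no active bind line for the port exists afterwards.
uncomment_bind_line() {
    cfg="$1"; port="$2"
    sed -i -E "s|^([[:space:]]*)#[[:space:]]*(bind \*:${port} ssl crt .*)$|\1\2|" "$cfg"
    grep -qE "^[[:space:]]*bind \*:${port} ssl crt" "$cfg"
}

# Step 3: validate the configuration first so a typo does not take the load
# balancer down, then restart and confirm the unit came back up.
restart_haproxy() {
    cfg="$1"
    haproxy -c -f "$cfg"
    systemctl restart "$HAPROXY_UNIT"
    systemctl is-active --quiet "$HAPROXY_UNIT"
}

main() {
    port="${1:?usage: $0 <HTTPS PORT>}"
    label_https_port "$port"
    uncomment_bind_line "$HAPROXY_CFG" "$port"
    restart_haproxy "$HAPROXY_CFG"
    echo "HAProxy restarted and bound to TCP ${port}"
}

# Run the full procedure only when a port argument is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh apply_custom_port.sh 8443` on the load balancer. To rehearse the edit first, copy haproxy.cfg somewhere writable and call `HAPROXY_CFG=/tmp/haproxy.cfg sh apply_custom_port.sh 8443`; the SELinux and restart steps still require root, but the sed edit and the `haproxy -c` validation then exercise the copy rather than the live file.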

Create a Shared Services server

A single Shared Services server is a single point of failure: any problem on it affects your entire Splunk Phantom cluster. This mode is intended for Proof of Value deployments and demonstrations, not for production. For production use, build a separate server for each service instead of a single Shared Services server.

Create a Shared Services server as root or using sudo:

/opt/phantom/bin/phenv python /opt/phantom/bin/make_server_node.pyc

Making a Shared Services server also generates the /opt/phantom/bin/mcn_responses.json file, which can be passed as an argument to make_cluster_node.pyc to help set up the first Splunk Phantom node in your cluster.

The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Restrict read access to it (root only), store it in a secure location, and delete it once the cluster configuration is complete.

Create a specific function server

Create a specific function server, such as an HAProxy load balancer, PostgreSQL database, file share, or Splunk Enterprise as root or using sudo:

/opt/phantom/bin/phenv python /opt/phantom/bin/make_server_node.pyc --<option argument>

Run the script once per server, each on its own separate virtual machine image installation.

Valid arguments:

  • fs - sets up a single-server GlusterFS for file shares.
  • db - configures this instance's internal PostgreSQL database to serve as the cluster's external PostgreSQL database.
  • proxy - installs and configures HAProxy to serve as a load balancer for your Splunk Phantom cluster.
  • splunk - allows the local Splunk Enterprise to be used as a remote search endpoint.

make_server_node.pyc prompts and warnings

The make_server_node.pyc script issues a warning that you are about to permanently change your Splunk Phantom instance.

Depending on the option you chose, the changes include:

  • Splunk Phantom is removed from the system boot scripts.
  • The internal Splunk Phantom database is disabled.
  • File shares are configured.
  • HAProxy is installed to act as a load balancer.
  • Splunk Enterprise is installed.

You must respond to the warning with "y" for yes to proceed.

You are prompted to supply information for the TLS certificate.

  • Country Code
  • State Code
  • City
  • Organization
  • Organization unit
  • Hostname (or IP address)
  • Email address

The remaining prompts are:

  • The subnet from which PostgreSQL accepts connections.
  • Passwords for the postgres and pgbouncer user accounts.
  • Password for the user account.

When the script completes it writes the file /opt/phantom/bin/mcn_responses.json.

Logs are written to /var/log/phantom/make_server_node/make_server_node_<date and time>.log.

Last modified on 02 September, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
