Create a warm standby
You will need two identical instances of Splunk Phantom, one to serve as your primary Splunk Phantom instance, and the second to serve as the warm standby.
Do these steps to create your warm standby.
- Complete the prerequisites.
- Create a second Splunk Phantom instance to be the warm standby.
- Set up SSH access between the primary Splunk Phantom instance and the new warm standby.
- Configure warm standby using the setup_warm_standby.pyc script.
Creating a warm standby restarts Splunk Phantom. Schedule the setup for a change window or other planned downtime.
Prerequisites
There are some tasks that need to be completed before you can set up warm standby.
- Create a full backup or a virtual machine snapshot of the Splunk Phantom instance that will be your primary.
- Create a DNS A record for a hostname for your Splunk Phantom instance. You may need to work with the teams who manage DNS to accomplish this. Choose a short Time To Live (TTL) for this record: during a failover you will repoint the A record at the warm standby, and clients keep using the cached old address until the TTL expires.
- Set the Base URL for Phantom Appliance to the hostname from the DNS A record in Main Menu > Administration > Company Settings. Example: https://phantom.example.com
- Open the following ports on the primary Splunk Phantom instance's firewall: TCP 22 (SSH), TCP 443 (HTTPS), and TCP 5432 (PostgreSQL).
- Set up SSH between the primary Splunk Phantom instance and the warm standby.
Create a second Splunk Phantom instance to be the warm standby
You can either:
- clone the virtual machine that is your primary Splunk Phantom instance, or
- create an entirely new instance of Splunk Phantom to serve as the warm standby.
Create a clone of your primary Splunk Phantom instance
You can create a clone of your primary Splunk Phantom instance. This clone will serve as the warm standby.
Consult the documentation for your virtualization software or the operating system software for how to clone and deploy the cloned instance of Splunk Phantom.
Your clone will need to have its own IP and MAC addresses.
Before you clone the Splunk Phantom instance check to see if it is already being used as part of a warm standby pair. If the instance is part of a warm standby pairing, warm standby must be disabled before cloning the instance. See Disable warm standby.
- Clone your Splunk Phantom instance as described by your virtualization or operating system documentation.
- Change the MAC and IP addresses for the new clone copy of Splunk Phantom.
- On both the clone and the primary instance of Splunk Phantom, set a password for the phantom user account. This password will be used later during configuration.
  passwd phantom
- On the clone of Splunk Phantom, stop the cron service to prevent any jobs from making changes during setup and configuration.
  sudo systemctl stop crond.service
Create a new Splunk Phantom instance
If using a clone of your primary Splunk Phantom instance is not feasible or is otherwise unwanted, you can install a new instance of Splunk Phantom to serve as your warm standby.
Do these steps as either the root user or a user with sudo access.
- Install Splunk Phantom. See How can Splunk Phantom be installed? in Install and Upgrade Splunk Phantom.
- SSH to your warm standby Splunk Phantom instance.
  ssh <username>@<warm_standby_phantom_hostname>
- Stop Splunk Phantom services on the standby.
  sudo /<PHANTOM_HOME>/bin/stop_phantom.sh
- Copy these files from the primary instance of Splunk Phantom to the new warm standby instance. Both are secrets, so transfer them over an encrypted channel such as scp and do not leave copies in a world-readable location.
- /<PHANTOM_HOME>/keystore/private_key.pem
- /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
- On the warm standby instance of Splunk Phantom, set the permissions, ownership, and SELinux security contexts for the files you copied to it.
- chmod 0640 /<PHANTOM_HOME>/keystore/private_key.pem /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
- chown phantom:phantom /<PHANTOM_HOME>/keystore/private_key.pem
- chown phantom:phantom /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
- restorecon /<PHANTOM_HOME>/keystore/private_key.pem /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
- On both the new warm standby instance and the primary instance of Splunk Phantom, set a password for the phantom user account. This password will be used later during configuration.
  passwd phantom
- On both the new warm standby instance and the primary instance of Splunk Phantom, make sure that TCP port 5432, used by PostgreSQL, is allowed through your firewalls.
  - Check your firewall rules.
    firewall-cmd --list-all
  - (Conditional) If 5432/tcp is not listed, add it to the firewall rules. If your interface is not in the public zone, use the zone that --list-all reported instead.
    firewall-cmd --zone=public --add-port=5432/tcp
    This changes the runtime configuration only and is lost on reboot or when firewalld reloads. To make it persistent, repeat the command with --permanent and then run firewall-cmd --reload.
  - Check your firewall rules again to confirm that 5432/tcp is now listed.
- On the new warm standby instance of Splunk Phantom, stop the cron service to prevent any jobs from making changes during setup and configuration.
  sudo systemctl stop crond.service
If you have installed and configured CyberArk AIM on your Splunk Phantom primary, you will need to install and configure CyberArk AIM on your warm standby.
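The prerequisites and the copy steps above are easy to get only half right: an A record that still points elsewhere, port 5432 open on one side only, a secret file with the wrong mode or a copy that did not complete. The following script is an added example, not part of the Splunk Phantom documentation or product. Run it on the warm standby before starting setup_warm_standby.pyc; it checks the items the procedure lists and nothing more. It assumes PHANTOM_HOME is /opt/phantom, that dig (bind-utils) and GNU coreutils are installed, and that the primary accepts SSH as the phantom user with the password set earlier (each ssh call prompts unless you use a key or ControlMaster). Those are this example's assumptions, not statements from the page.

```bash
#!/usr/bin/env bash
# Preflight checks for a Splunk Phantom warm-standby pair. Run on the warm
# standby before setup_warm_standby.pyc. Added example, not Splunk tooling.
# Assumptions: bash, GNU coreutils (stat, sha256sum, timeout), dig, and SSH
# to the primary as the phantom user; PHANTOM_HOME defaults to /opt/phantom.
set -e

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"              # assumption
KEY_FILES="keystore/private_key.pem www/phantom_ui/secret_key.py"
REQUIRED_PORTS="22 443 5432"                              # SSH, HTTPS, PostgreSQL

file_mode()  { stat -c '%a' "$1"; }                       # e.g. "640"
file_owner() { stat -c '%U:%G' "$1"; }                    # e.g. "phantom:phantom"
digest_of()  { sha256sum < "$1" | cut -d' ' -f1; }

# 0 when the file exists with exactly the expected mode and owner:group.
check_file_perms() {
  local path="$1" want_mode="$2" want_owner="$3" mode owner
  [ -f "$path" ] || { echo "MISSING  $path" >&2; return 1; }
  mode=$(file_mode "$path"); owner=$(file_owner "$path")
  if [ "$mode" != "$want_mode" ] || [ "$owner" != "$want_owner" ]; then
    echo "BADPERMS $path is $owner $mode, want $want_owner $want_mode" >&2
    return 1
  fi
}

# TCP reachability through bash's /dev/tcp, bounded so a filtered port
# fails after 3 s instead of hanging in connect().
port_open() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# 0 when the Base URL hostname's A record resolves to the primary's IP.
dns_points_at() {
  command -v dig >/dev/null || { echo "dig not found (bind-utils)" >&2; return 2; }
  dig +short A "$1" | grep -qx "$2"
}

preflight() {
  local primary_ip="$1" base_host="$2" rc=0 p f remote
  dns_points_at "$base_host" "$primary_ip" ||
    { echo "DNS: $base_host does not resolve to $primary_ip" >&2; rc=1; }
  for p in $REQUIRED_PORTS; do                            # ports opened on the primary
    port_open "$primary_ip" "$p" ||
      { echo "PORT: $primary_ip:$p not reachable from the standby" >&2; rc=1; }
  done
  for f in $KEY_FILES; do
    if check_file_perms "$PHANTOM_HOME/$f" 640 phantom:phantom; then
      # The copied secret must match the primary's byte for byte.
      remote=$(ssh "phantom@$primary_ip" "sha256sum < '$PHANTOM_HOME/$f'" 2>/dev/null | cut -d' ' -f1) || remote=""
      [ -n "$remote" ] && [ "$remote" = "$(digest_of "$PHANTOM_HOME/$f")" ] ||
        { echo "DIFF: $f differs from the primary (or could not be read there)" >&2; rc=1; }
    else
      rc=1
    fi
  done
  # crond must stay stopped on the standby while warm standby is configured.
  if systemctl is-active --quiet crond.service 2>/dev/null; then
    echo "CRON: crond is still running on this standby" >&2; rc=1
  fi
  return "$rc"
}

# Usage: ./preflight.sh <primary_ip> <base_url_hostname>
if [ "$#" -eq 2 ]; then
  preflight "$@" && echo "preflight OK: safe to run setup_warm_standby.pyc"
fi
```

Every failed check is printed and the script exits non-zero, so it can gate a change-window runbook. The digest comparison is the check most often skipped by hand: a private_key.pem that is readable and correctly owned but not identical to the primary's will still fail later, with a far less obvious error.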
Set up SSH between the primary and the new warm standby
During setup the primary instance of Splunk Phantom will need to connect to the warm standby instance of Splunk Phantom using SSH.
If password authentication is disabled in the warm standby's SSH server configuration (PasswordAuthentication no in /etc/ssh/sshd_config), enable it before proceeding: the setup script authenticates to the standby as the phantom user with the password you set earlier. Disable it again once setup is complete.
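Rather than flipping the global PasswordAuthentication setting for the whole server, OpenSSH's Match directive lets you grant the exception only to connections from the primary's address and revoke it when setup is done. The following script is an added example, not part of the Splunk Phantom documentation or product. It assumes OpenSSH sshd_config syntax, GNU sed (for -i), and a systemd unit named sshd; the marker comments and the script name are this example's own.

```bash
#!/usr/bin/env bash
# Open a password-authentication window on the warm standby's sshd that is
# limited to the primary's address, and close it again after setup.
# Added example, not Splunk Phantom tooling. Assumes OpenSSH sshd_config,
# GNU sed, and a systemd unit named sshd.
set -e

BEGIN_MARK='# BEGIN phantom-warm-standby temporary'
END_MARK='# END phantom-warm-standby temporary'

# Append a Match block so that only clients connecting from $2 may use
# password authentication; every other source keeps the global setting.
# Match blocks govern everything after them, so they belong at the end of
# the file. Idempotent: calling it twice leaves a single block.
enable_pw_auth_from() {
  local cfg="$1" primary_ip="$2"
  grep -qF "$BEGIN_MARK" "$cfg" && return 0
  cat >> "$cfg" <<EOF
$BEGIN_MARK
Match Address $primary_ip
    PasswordAuthentication yes
$END_MARK
EOF
}

# Print the address currently granted the exception, or nothing.
pw_auth_allowed_from() {
  sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/s/^Match Address \(.*\)\$/\1/p" "$1"
}

# Delete the temporary block once setup_warm_standby.pyc has finished.
disable_pw_auth_from() {
  sed -i "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$1"
}

# Validate before reloading: a syntax error that is only noticed at the next
# sshd restart would lock you out of the standby.
validate_and_reload() {
  sshd -t -f "$1" && systemctl reload sshd
}

# Usage (as root on the warm standby):
#   ./ssh-pw-window.sh enable  /etc/ssh/sshd_config <IP address of the primary>
#   ./ssh-pw-window.sh disable /etc/ssh/sshd_config
case "${1:-}" in
  enable)  enable_pw_auth_from "$2" "$3"; validate_and_reload "$2" ;;
  disable) disable_pw_auth_from "$2";    validate_and_reload "$2" ;;
esac
```

Run the enable step just before the primary-mode setup_warm_standby.pyc run and the disable step right after the standby-mode run; the global PasswordAuthentication no is never touched, so the window is scoped in both time and source address.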
Configure warm standby using the setup_warm_standby.pyc script
Once both your primary and warm standby instances are ready, you can configure warm standby using the setup_warm_standby.pyc script.
If you do not know if one or both of the instances are already part of a warm standby configuration, check warm standby status before proceeding. See How to check the status of warm standby in the Warm standby feature overview.
Warm standby must be disabled before reconfiguring warm standby to use different Splunk Phantom instances. See Disable warm standby.
Do these steps as either the root user or a user with sudo permissions.
- On the primary Splunk Phantom instance, run the setup_warm_standby.pyc script.
  phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --primary-mode --configure --primary-ip <IP address of the primary> --standby-ip <IP address of the warm standby>
  You will be prompted for:
- The password for the user account phantom on the warm standby. This password was set when the warm standby instance was created earlier.
- Create a password for the database replication user. This password will be used to configure PostgreSQL database replication.
For versions of Splunk Phantom 4.9 and earlier, do not use bash shell special characters, such as @, !, *, semi-colons, and so on, in this password. See the Splunk Phantom 4.9 release notes Known issues.
- Configuration information to create the SSL certificate file used for communication between the primary and warm standby Splunk Phantom instances.
Example:
  Country Code: US
  State Code: CA
  City: Palo Alto
  Organization: Example
  Organization Unit: Security
  Domain: phantom.soc.example.com
  Email: soc@example.com
- On the warm standby Splunk Phantom instance, run the setup_warm_standby.pyc script.
  phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --configure --primary-ip <IP address of the primary> --standby-ip <IP address of the warm standby>
- On the warm standby, start the cron service again.
  sudo systemctl start crond.service
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4