Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Migrate a Splunk Phantom install from REHL 6 or CentOS 6 to RHEL 7 or CentOS 7

Both Red Hat Enterprise Linux (RHEL) 6 and CentOS 6 reach their end of life on November 30, 2020. No further package updates or bug fixes will be delivered for those operating systems. In light of those operating systems reaching end-of-life status, Splunk Phantom version 4.9 is the final version that supports using either Red Hat Enterprise Linux 6 or CentOS 6.

Before upgrading to Splunk Phantom 4.10, customers must migrate their Splunk Phantom deployment from RHEL 6 or CentOS 6 systems to RHEL 7 or CentOS 7.

RHEL 8 or CentOS 8 are not currently supported.

The following kinds of deployments are affected by this change:

All other ways to install Splunk Phantom either already require, or ship with preconfigured RHEL 7 or CentOS 7.

Operating system migration checklist

Follow these steps to prepare for and then perform an operating system migration.

Migrating Splunk Phantom to a supported operating system requires downtime. If your Splunk Phantom instance is left online during the migration, some events will not be included in your backup and not be restored to the new Splunk Phantom instance.

Stage Tasks Description
1 Make a full back up of your Splunk Phantom deployment Make a full backup of your Splunk Phantom deployment before attempting to upgrade Splunk Phantom. See Backup or restore your Splunk Phantom instance in Administer Splunk Phantom. This backup may be required if something goes wrong during your upgrade in stage 2.
2 Upgrade your Splunk Phantom deployment to version 4.9.39220 If your Spunk Phantom deployment is not yet upgraded to version 4.9.39220, upgrade now. See Upgrade Splunk Phantom
3 Make a new full back up of your upgraded Splunk Phantom deployment Make a full backup of your Splunk Phantom deployment before attempting to migrate operating systems. See Backup or restore your Splunk Phantom instance in Administer Splunk Phantom. You will use this backup to restore Splunk Phantom to a new system running a supported operating system.
4 Create a new server running RHEL 7 or CentOS 7 Build a new server for Splunk Phantom. If you need a yum repository satellite server for this server, create it now.
5 Install Splunk Phantom 4.9.39220 Use either the RPM or offline install methods.
6 Restore Splunk Phantom from your backup See Restore Splunk Phantom from a backup. Use the backup created in stage 3.

Migrating without upgrading to Splunk Phantom version 4.9.39220

You can migrate to a new operating system version without upgrading your Splunk Phantom to version 4.9.39220 first.

If you choose to migrate to a supported operating system before upgrading Splunk Phantom, you must make sure that the version of Splunk Phantom on your original instance and the version on your new instance are identical. If they are not identical, the backup will fail to properly restore.

Migrating an external PostgreSQL database to a supported operating system

To backup an existing external Splunk Phantom PostgreSQL database and restore it on another server running a supported operating systems, do these steps as the root user or a user with sudo permissions.

  1. On your Splunk Phantom instance, create a backup of the database. See See Back up a Splunk Phantom deployment in Administer Splunk Phantom.
  2. Stop all Splunk Phantom services.
    <PHANTOM_HOME>/bin/stop_phantom.sh
  3. Set up your new external PostgreSQL database server on a supported operating system, either Red Hat Enterprise Linux or Cent OS version 7. See Set up an external PostgreSQL server in Install and Upgrade Splunk Phantom.
  4. On your Splunk Phantom instance, edit the databases section in the /etc/pgbouncer/pgbouncer.ini file as shown in the following code.
    host is the IP address or DNS name of the database server.
    phantom = user=pgbouncer password=<pgbouncerpassword> host=<pg server>
    postgres = user=postgres password=<postgrespassword> host=<pg server>
    server_tls_sslmode = require
  5. On your Splunk Phantom instance, reload pgbouncer.
    <PHANTOM_HOME>/bin/phsvc restart pgbouncer
  6. On your Splunk Phantom instance, start Splunk Phantom.
    <PHANTOM_HOME>/bin/start_phantom.sh
  7. Test the connection to the database server.
    sudo -u postgres psql -h /tmp -p 6432
    If the connectivity test is successful, you will see the following message:
    psql (11.6)
    

    Type "help" for help.

    postgres=#
  8. On your Splunk Phantom instance, initialize the database to use with Splunk Phantom.
    cd /opt/phantom/bin
    phenv prepare_db
  9. Restore the PostgreSQL database backup created earlier. Restore Splunk Phantom from a backup in Administer Splunk Phantom.
  10. Connect to the Splunk Phantom server's web user interface, and verify that everything is working.
Last modified on 29 March, 2021
Upgrade an unprivileged Splunk Phantom Cluster   Splunk Phantom default credentials, script options, and sample configuration files

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters