Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Splunk Phantom default credentials, script options, and sample configuration files

This section has the default Splunk Phantom credentials, script options and example configuration files.

Default credentials

The default credentials on a new installation of Splunk Phantom are:

  • Username: admin
  • Password: password

The default credentials of a new AMI installation of Splunk Phantom are:

  • Username: admin
  • Password: <full AWS instance ID>

Change the admin password immediately after installation. The defaults above are published, so any Splunk Phantom instance that still accepts them can be logged into by anyone who can reach its web interface.
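The following script is an added example, not code from Splunk's documentation or product. It checks, after installation, whether Splunk Phantom nodes still accept the default login: admin/password, and admin/<EC2 instance ID> for nodes installed from the AMI. It assumes that GET /rest/version on the Splunk Phantom REST API returns HTTP 200 under HTTP basic authentication with a valid login and 401 otherwise (change PROBE_PATH if your build differs); the host names and instance ID on the usage line are placeholders.

```python
"""Post-install check: does a Splunk Phantom node still accept its default
login?  Tries admin/password, and admin/<EC2 instance ID> for AMI installs.

Added example, not Splunk's code.  It assumes the Phantom REST API answers
GET /rest/version with HTTP 200 when HTTP basic authentication succeeds and
401 when it does not; change PROBE_PATH if your build differs.
"""
import base64
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "password"
PROBE_PATH = "/rest/version"   # assumed: authenticated, read-only endpoint


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credential for the Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def probe_host(host: str, user: str, password: str,
               verify_tls: bool = True, timeout: float = 10.0) -> int:
    """One login attempt against one node; returns the HTTP status (200 = accepted)."""
    ctx = ssl.create_default_context()
    if not verify_tls:   # only for lab nodes still on the self-signed install cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{PROBE_PATH}",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def scripted_probe(accepted: Dict[str, str]) -> Callable[..., int]:
    """Offline stand-in for probe_host.  `accepted` maps host -> the password a
    (constructed) node would accept for the admin user; everything else gets 401."""
    def probe(host, user, password, verify_tls=True, timeout=10.0):
        return 200 if user == DEFAULT_USER and accepted.get(host) == password else 401
    return probe


def candidate_passwords(instance_id: Optional[str]) -> List[str]:
    """Tarball/OVA default, plus the AMI default when the EC2 instance ID is known."""
    return [DEFAULT_PASSWORD] + ([instance_id] if instance_id else [])


def audit(hosts: Dict[str, Optional[str]],
          probe: Callable[..., int] = probe_host,
          verify_tls: bool = True) -> Dict[str, Optional[str]]:
    """hosts maps hostname -> EC2 instance ID (None for non-AMI nodes).
    Returns hostname -> the default password that was accepted, or None."""
    findings: Dict[str, Optional[str]] = {}
    for host, instance_id in hosts.items():
        findings[host] = None
        for pw in candidate_passwords(instance_id):
            if probe(host, DEFAULT_USER, pw, verify_tls) == 200:
                findings[host] = pw
                break
    return findings


if __name__ == "__main__":
    # usage: check_defaults.py phantom1.example.com phantom2.example.com=i-0123456789abcdef0
    targets = {}
    for arg in sys.argv[1:]:
        host, _, instance_id = arg.partition("=")
        targets[host] = instance_id or None
    for host, accepted in audit(targets).items():
        status = f"DEFAULT LOGIN ACCEPTED ({DEFAULT_USER}/{accepted})" if accepted else "ok"
        print(f"{host}: {status}")
```

Run it from a host that is allowed to reach the nodes' HTTPS port; a node reported as accepting the default login should be treated as exposed until the password is changed. Pass verify_tls=False only for nodes that still present the self-signed certificate created at install time.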

Installation or configuration scripts

This section lists various installation scripts and their command line options.

phantom_tar_install.sh options

Use these arguments to control the phantom_tar_install.sh script. Only use this to install Splunk Phantom as an unprivileged user.

Option     Argument                   Description
install    --https-port=HTTPS_PORT    Set a custom HTTPS port for Splunk Phantom.
           --no-prompt                Run the script without a confirmation prompt.
           --without-apps             Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI.
upgrade    --no-prompt                Run the script without a confirmation prompt.
           --without-apps             Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI.

Below is an example command that will install Splunk Phantom without installing any of the apps that ship with Splunk Phantom:

phantom_tar_install.sh install --without-apps

phantom_setup.sh options

Use these arguments to control the phantom_setup.sh script.

Option     Argument          Description
install    --no-prompt       Run the script without a confirmation prompt.
           --without-apps    Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI.
           --non-root        Run the watchdog daemon with reduced privileges.
           --yumopts="..."   Additional parameters to pass to yum.
           --mingit          Install a minimal Git package without the Perl Git module.
           --rhsc-psql       Install PostgreSQL from Red Hat Software Collections.
           --version         Specify which version of Splunk Phantom to install.
upgrade    --no-prompt       Run the script without a confirmation prompt.
           --without-apps    Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI.
           --non-root        Run the watchdog daemon with reduced privileges.
           --yumopts="..."   Additional parameters to pass to yum.
           --version         Specify which version of Splunk Phantom to upgrade to.

make_server_node.pyc options

Use these options to control the make_server_node.pyc command.

Argument       Description
--version      Display the program's version number.
--help         Display a list and description of the arguments.
--no-prompt    Run the program without displaying the warning prompt.

Convert an OVA install of Splunk Phantom into a server node for a cluster. A server node provides one or more of the services a cluster requires, such as proxy, database, file share, or search endpoint.

Argument   Description
all        The default. Install HAProxy, PostgreSQL, GlusterFS, and Splunk Enterprise on this node, and create a best-effort mcn_responses.json for use with make_cluster_node.pyc.
fs         Create and configure a single-node GlusterFS file share on this node for Splunk Phantom. The directory tree starts at /opt/phantom/shared.
db         Create the Splunk Phantom PostgreSQL database on this node to act as an external database.
proxy      Install HAProxy to act as a load balancer for the Splunk Phantom cluster.
splunk     Install Splunk Enterprise to act as the remote search endpoint for the cluster.

make_cluster_node.pyc options

Convert an OVA install of Splunk Phantom into a cluster node for a cluster. A cluster node is a single instance of Splunk Phantom supported by one or more server nodes.

Argument                  Description
--responses               Feed prepared responses from mcn_responses.json or responses.json to the script.
--record                  Create a responses.json file to use when running this script on another node. This version of the file contains passwords.
--record-no-secret        Create a responses.json file to use when running this script on another node. This version of the file does not contain passwords.
--record-location         Set the location in which to record the responses.json file. The default is /opt/phantom/bin/response.json.
--delete-responses-file   Delete the responses file from the machine when the script completes.
--version                 Show the program's version number and exit.

A responses file created with --record contains the passwords entered during setup. Keep it readable only by the account that runs the script, copy it to other nodes over a protected channel, and use --delete-responses-file (or record with --record-no-secret) so that passwords are not left on disk after the cluster is built.
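The script below is an added example, not Splunk's code. It looks for recorded responses files left behind after a cluster build and reports the ones that other local users can read or that still carry passwords. The page does not document the schema of responses.json or mcn_responses.json, so the scan treats the file as JSON and regards any key whose name contains "password" or "secret" as sensitive; values are counted, never printed. The two files built by demo() are constructed for the demonstration, and the default search directory is taken from the --record-location default above.

```python
"""Report leftover make_cluster_node.pyc responses files that other local
users can read or that still carry passwords.

Added example, not Splunk's code.  The file schema is not documented on the
page, so this assumes JSON and treats any key whose name contains "password"
or "secret" as sensitive.  Values are never printed.
"""
import json
import stat
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Names produced by --record / --record-no-secret and the default record location
RESPONSE_FILE_NAMES = {"responses.json", "mcn_responses.json", "response.json"}
SECRET_MARKERS = ("password", "secret")   # assumed key-name markers


def secret_key_paths(node, prefix: str = "") -> List[str]:
    """Return dotted paths of keys that look like secrets and hold a value."""
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if any(m in key.lower() for m in SECRET_MARKERS) and value not in ("", None):
                found.append(path)
            found.extend(secret_key_paths(value, path))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(secret_key_paths(item, f"{prefix}[{i}]"))
    return found


def scan_responses_file(path: Path) -> Dict[str, object]:
    """Permission and content check for one responses file."""
    mode = stat.S_IMODE(path.stat().st_mode)
    try:
        secrets = secret_key_paths(json.loads(path.read_text()))
        parsed = True
    except (json.JSONDecodeError, UnicodeDecodeError):
        secrets, parsed = [], False   # not JSON: still report the permission bits
    return {
        "path": str(path),
        "mode": f"{mode:04o}",
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "parsed": parsed,
        "secret_keys": secrets,
    }


def find_responses_files(roots: Iterable[Path]) -> List[Path]:
    """Recursively collect responses files under the given directories."""
    hits: List[Path] = []
    for root in roots:
        if root.is_dir():
            hits.extend(p for p in root.rglob("*")
                        if p.is_file() and p.name in RESPONSE_FILE_NAMES)
    return sorted(hits)


def demo() -> List[Dict[str, object]]:
    """Constructed sample: one scrubbed, locked-down file and one world-readable
    file that still holds a database password and a GlusterFS secret."""
    tmp = Path(tempfile.mkdtemp())
    scrubbed = tmp / "responses.json"
    scrubbed.write_text(json.dumps({"db_host": "10.0.0.5", "db_password": ""}))
    scrubbed.chmod(0o600)
    leaky = tmp / "mcn_responses.json"
    leaky.write_text(json.dumps({"db_host": "10.0.0.5", "db_password": "hunter2",
                                 "gluster": {"peer_secret": "abc"}}))
    leaky.chmod(0o644)
    return [scan_responses_file(p) for p in find_responses_files([tmp])]


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or [Path("/opt/phantom/bin")]
    for result in (scan_responses_file(p) for p in find_responses_files(roots)):
        flags = []
        if result["readable_by_others"]:
            flags.append("readable by other users")
        if result["secret_keys"]:
            flags.append(f"{len(result['secret_keys'])} secret-bearing key(s)")
        print(f"{result['path']} mode {result['mode']}: {', '.join(flags) or 'ok'}")
```

Run it on every node after the cluster build, including nodes that were only the source of a copied responses file; a file with secret-bearing keys that is still on disk should be deleted, and a mode other than 0600 on a file that contains passwords is a finding in itself.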

Configuration files

This section contains example configuration files. Use these as a guide when configuring items for use in your Splunk Phantom deployment.

HAProxy Configuration

    ##--------------------------------------------------------------------
    ## HAPROXY 1.8.7 CONFIGURATION FILE
    ##--------------------------------------------------------------------
    #---------------------------------------------------------------------
    # global settings
    #---------------------------------------------------------------------
    global
        tune.ssl.default-dh-param 2048
        log 127.0.0.1:514 local0
    
    #---------------------------------------------------------------------
    # common defaults
    #---------------------------------------------------------------------
    defaults
        mode http
        timeout connect 0ms
        timeout client 0ms
        timeout server 0ms
        log global
    
    #---------------------------------------------------------------------
    # SSL w/ redirect to HTTPS
    #---------------------------------------------------------------------
    frontend localhost
        bind *:80
        bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    # for unprivileged installs, add another declaration
    #   bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3
    # no-tlsv10 ciphers <ciphers go here>
        redirect scheme https if !{ ssl_fc }
        mode http
        default_backend nodes
    
    #---------------------------------------------------------------------
    # backend (output)
    #---------------------------------------------------------------------
    backend nodes
        mode http
        balance roundrobin
        option http-keep-alive
        option forwardfor
        cookie SRVNAME insert
        option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
        http-check expect status 200
        default-server fastinter 1s downinter 5s
        server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc } 
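The lint below is an added example, not from the Splunk page or the HAProxy project. It flags the points in the sample above that must be changed before the configuration is deployed: unreplaced <...> placeholders (node UUID, IP address, cipher list), a TLS bind that still allows TLS 1.1, "verify none" on the backend server line (HAProxy then accepts any certificate from the node), and timeouts of 0, which HAProxy treats as no timeout at all. It also carries a hardened fragment that passes the lint; the cipher list, UUID, address, CA path and timeout values in that fragment are illustrative choices, not values from the page.

```python
"""Lint an HAProxy configuration for the weak spots in the Splunk Phantom sample.

Added example, not part of the Splunk page or of HAProxy.  Findings:
  * unreplaced <...> placeholders,
  * a TLS bind with neither no-tlsv11 nor ssl-min-ver TLSv1.2/TLSv1.3,
  * a backend server using 'verify none' (node certificate not checked),
  * timeouts set to 0, which HAProxy treats as disabled.
SAMPLE_CONFIG is a trimmed copy of the page's sample; HARDENED_CONFIG is a
constructed fragment whose cipher list, UUID, address, CA path and timeouts
are illustrative choices.
"""
import re
import sys
from typing import List, Tuple

PLACEHOLDER = re.compile(r"<[^>]+>")
ZERO = re.compile(r"0+(ms|s|m|h|d)?")

SAMPLE_CONFIG = r"""defaults
    mode http
    timeout connect 0ms
    timeout client 0ms
    timeout server 0ms
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    redirect scheme https if !{ ssl_fc }
    default_backend nodes
backend nodes
    option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
"""

HARDENED_CONFIG = r"""defaults
    mode http
    timeout connect 5s
    timeout client 300s
    timeout server 300s
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    redirect scheme https if !{ ssl_fc }
    default_backend nodes
backend nodes
    option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    server 3f2504e0-4f89-11d3-9a0c-0305e82c3301 10.0.0.11:443 cookie 3f2504e0-4f89-11d3-9a0c-0305e82c3301 check ssl verify required ca-file /etc/haproxy/phantom-ca.pem
"""


def lint_haproxy(config: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means nothing flagged."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments carry no directives
        if not line:
            continue
        tokens = line.split()
        if PLACEHOLDER.search(line):
            findings.append((lineno, "placeholder not replaced"))
        if tokens[0] == "bind" and "ssl" in tokens:
            min_ver = (tokens[tokens.index("ssl-min-ver") + 1]
                       if "ssl-min-ver" in tokens[:-1] else None)
            if "no-tlsv11" not in tokens and min_ver not in ("TLSv1.2", "TLSv1.3"):
                findings.append((lineno, "TLS 1.1 still enabled"))
        if tokens[0] == "server" and "ssl" in tokens and "verify" in tokens:
            i = tokens.index("verify")
            if i + 1 < len(tokens) and tokens[i + 1] == "none":
                findings.append((lineno, "backend certificate not verified (verify none)"))
        if tokens[0] == "timeout" and len(tokens) == 3 and ZERO.fullmatch(tokens[2]):
            findings.append((lineno, f"timeout {tokens[1]} disabled (0)"))
    return findings


if __name__ == "__main__":
    # usage: lint_haproxy.py /etc/haproxy/haproxy.cfg   (defaults to the page's sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for lineno, message in lint_haproxy(text) or [(0, "no findings")]:
        print(f"line {lineno}: {message}")
```

The zero timeouts are reported rather than treated as an error outright: they may be deliberate for long-running Splunk Phantom requests, but a frontend with no client timeout keeps idle and slow connections open indefinitely, so the decision should be explicit. "verify required" with a ca-file that trusts the nodes' certificates is the setting to move to once the install-time self-signed certificates have been replaced.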
Last modified on 12 October, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9

