Set up an external PostgreSQL server
Splunk Phantom uses a PostgreSQL 11.6 database. In many installations, the database runs on the same server as Splunk Phantom. It is possible to put the database on its own server. For more information about configuring and operating a PostgreSQL database, consult the PostgreSQL website and their documentation.
Install and configure PostgreSQL
If you run the PostgreSQL database on its own server, install and configure PostgreSQL before installing Splunk Phantom.
These instructions are based on CentOS 7 or Red Hat Enterprise Linux 7. If you choose to install PostgreSQL on another operating system, consult the documentation on the PostgreSQL website.
- Install one of the operating systems supported by PostgreSQL 11.6. Configure the operating system according to your organization's requirements. See Supported Platforms on PostgreSQL.org.
- Update the kernel semaphore parameters and reload the system configuration.
echo "kernel.sem=250 32000 32 5000" >> /etc/sysctl.conf
sysctl --system
- Configure your firewall to allow access. For a complete list of ports, see Splunk Phantom required ports.
- Add any additional yum repositories that you need. Use the tool on the Linux downloads (Red Hat family) page to identify the correct repository for your architecture and operating system combination.
yum install <URL>
- Install the PostgreSQL server.
yum install postgresql11-server-11.6
- Initialize the PostgreSQL database.
/usr/pgsql-11/bin/postgresql-11-setup initdb
- Set PostgreSQL to start when the system starts.
systemctl enable postgresql-11
- Change to the postgres user.
su - postgres
- Change to the PostgreSQL data directory.
cd /var/lib/pgsql/11
- Generate the SSL certificate PostgreSQL uses.
openssl req -new -x509 -days 3650 -nodes -text -out server.crt -keyout server.key -subj "/CN=postgres.cluster1"
You can use an SSL certificate purchased from a Certificate Authority instead of generating a self-signed certificate.
- Set the permissions on the server.key file.
chmod og-rwx server.key
- Run a PostgreSQL shell as the postgres user. You should already be the postgres user.
psql
- Set the postgres user password, if it has not already been set.
ALTER USER postgres PASSWORD '<postgrespassword>';
- Create the pgbouncer user.
CREATE USER pgbouncer PASSWORD '<pgbouncerpassword>';
- Set PostgreSQL to use SSL. Provide the keys and cipher level.
ALTER SYSTEM SET ssl = on;
ALTER SYSTEM SET ssl_cert_file = '/var/lib/pgsql/11/server.crt';
ALTER SYSTEM SET ssl_key_file = '/var/lib/pgsql/11/server.key';
ALTER SYSTEM SET ssl_ciphers = 'HIGH:+3DES:!aNULL';
- Exit the PostgreSQL shell by typing CTRL+D.
- Change back to the root user.
exit
- Edit the pg_hba.conf file to enable access to the database. Splunk Phantom must be able to connect as both the postgres and pgbouncer users. In each entry, supply the IP range that will be used by your Splunk Phantom install or cluster. The hostssl type accepts these connections only over SSL, and md5 requires the passwords set above.
# TYPE    DATABASE   USER        ADDRESS            METHOD
local     all        all                            peer
hostssl   all        postgres    <IP Range>/<XX>    md5
hostssl   phantom    pgbouncer   <IP Range>/<XX>    md5
- Edit postgresql.conf. Set values for max_connections, work_mem, shared_buffers, and listen_addresses.
max_connections = 2500
work_mem = 2796kB
shared_buffers = 2GB
listen_addresses = '*'    # what IP address(es) to listen on
Several factors influence the amount of memory dedicated to the work_mem setting. Larger, high event volume deployments will want significantly more, while smaller, lower volume deployments may use slightly less. The setting above assumes a medium sized deployment with a moderate event volume. Note that work_mem is allocated per sort or hash operation, not per server, so its effective footprint scales with the number of concurrent operations rather than with the single value shown.
For listen_addresses, set a value that matches your security requirements. Valid settings are * for all addresses, 0.0.0.0 for all IPv4 addresses, :: for all IPv6 addresses, or a comma-separated list of specific addresses you supply.
- Restart the PostgreSQL service.
systemctl restart postgresql-11
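The pg_hba.conf rules written above are the part of this setup most worth checking after the fact, because a single host (rather than hostssl) or trust entry silently undoes the SSL and password work of the earlier steps. The following script is an added example, not part of the Splunk Phantom documentation or product: it audits a pg_hba.conf for the policy the procedure implies (remote access only through hostssl rules, no trust authentication, the pgbouncer role confined to the phantom database) and emits the two hostssl rules for a given IPv4 range after validating the CIDR. The sample configuration files, temporary paths and the 10.0.0.0/24 range are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Splunk Phantom documentation or product).
# Audits a pg_hba.conf against the access policy of the procedure above and
# renders the two remote rules for a validated IPv4 CIDR range.
# Sample files and the address range below are constructed for the example.

# Print one FINDING line per offending rule; return 0 when clean, 1 otherwise.
audit_pg_hba() {
    hba_file="$1"
    findings=0
    # Strip comments, then read each rule. 'local' rules have no ADDRESS
    # column, so their METHOD is the fourth field rather than the fifth.
    while read -r type db user f4 f5 _; do
        if [ -z "$type" ]; then continue; fi
        if [ "$type" = "local" ]; then
            addr="-"; method="$f4"
        else
            addr="$f4"; method="$f5"
        fi
        case "$type" in
            host|hostnossl)   # TCP rules that do not require SSL
                echo "FINDING: plaintext remote access allowed: $type $db $user $addr $method"
                findings=$((findings + 1)) ;;
        esac
        if [ "$method" = "trust" ]; then
            echo "FINDING: trust authentication (no password): $type $db $user $addr"
            findings=$((findings + 1))
        fi
        if [ "$user" = "pgbouncer" ] && [ "$db" != "phantom" ]; then
            echo "FINDING: pgbouncer may reach database '$db' (expected only 'phantom')"
            findings=$((findings + 1))
        fi
    done <<EOF
$(sed -e 's/#.*//' "$hba_file")
EOF
    [ "$findings" -eq 0 ]
}

# Accept only a dotted-quad IPv4 address followed by /0 to /32.
valid_ipv4_cidr() {
    case "$1" in
        */*) ;;               # must contain a slash
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9./]*|*/*/*|*/|/*|*..*|.*) return 1 ;;   # one slash, digits and dots only, no empty parts
    esac
    ip="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in *.*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the two hostssl rules the procedure calls for, scoped to the given range.
pg_hba_rules_for() {
    valid_ipv4_cidr "$1" || { echo "invalid IPv4 CIDR: $1" >&2; return 1; }
    printf '%s\n' \
        "hostssl all     postgres  $1 md5" \
        "hostssl phantom pgbouncer $1 md5"
}

# --- demonstration on constructed files ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/good.conf" <<'EOF'
# TYPE  DATABASE  USER       ADDRESS        METHOD
local   all       all                       peer
hostssl all       postgres   10.0.0.0/24    md5
hostssl phantom   pgbouncer  10.0.0.0/24    md5
EOF
cat > "$tmpdir/bad.conf" <<'EOF'
local   all       all                       trust
host    all       postgres   0.0.0.0/0      md5
hostssl all       pgbouncer  10.0.0.0/24    md5
EOF

if audit_pg_hba "$tmpdir/good.conf"; then echo "good.conf: no findings"; fi
if ! audit_pg_hba "$tmpdir/bad.conf"; then echo "bad.conf: rejected"; fi
pg_hba_rules_for 10.0.0.0/24
```

Run it against the real file with `audit_pg_hba /var/lib/pgsql/11/data/pg_hba.conf` after the edit in the step above; a non-zero exit means at least one rule departs from the intended policy. The audit deliberately ignores IPv6 and the PostgreSQL 12+ GSS rule types, since this procedure does not use them.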
Back up a Splunk Phantom database and restore it to an external database
To back up a Splunk Phantom database and restore it on an external database, do these steps as the root user or a user with sudo permissions.
You must use identical versions of Splunk Phantom for this procedure. For example, if your PostgreSQL backup is from Splunk Phantom 4.9.39220, you must restore it to use with an instance of Splunk Phantom 4.9.39220.
- Back up the database.
cd <PHANTOM_HOME>/bin
phenv python backup.pyc --all
- Copy the file path that shows the backup file that was created to use in a future step.
All data backed up to /opt/phantom/data/phantom_backups/phantom_backup_2017-07-15-20-47-04.126913.tgz
- Edit the /etc/pgbouncer/pgbouncer.ini (privileged deployments) or <PHANTOM_HOME>/etc/pgbouncer/pgbouncer.ini (unprivileged deployments) file as shown in the following code. host is the IP address or DNS name of the database server.
[databases]
phantom = user=pgbouncer password=<pgbouncerpassword> host=<pg server>
postgres = user=postgres password=<postgrespassword> host=<pg server>

[pgbouncer]
server_tls_sslmode = require
Amazon Web Services RDS PostgreSQL databases do not need the server_tls_sslmode = require entry. Note that require encrypts the connection to the database server but does not verify the server's certificate; pgbouncer's verify-ca and verify-full modes, used with server_tls_ca_file, do. Because this file holds both database passwords in clear text, keep it readable only by the account that runs pgbouncer.
- Stop all Splunk Phantom services.
<PHANTOM_HOME>/bin/stop_phantom.sh
- Reload pgbouncer. For all deployments, use the following command:
<PHANTOM_HOME>/bin/phsvc restart pgbouncer
- Test the connection to the database server.
Privileged deployments:
sudo -u postgres psql -h /tmp -p 6432
Unprivileged deployments:
<PHANTOM_HOME>/bin/phenv psql -h /tmp -p 6432 -d postgres
If connectivity is successful, you will see the following message:
psql (11.6)
Type "help" for help.
postgres=#
- Initialize the database to use with Splunk Phantom.
cd <PHANTOM_HOME>/bin
phenv python prepare_db.pyc
- Start all Splunk Phantom services.
<PHANTOM_HOME>/bin/start_phantom.sh
- Restore the backup using the file name you copied in step 2.
cd <PHANTOM_HOME>/bin
phenv python restore.pyc --file /opt/phantom/data/phantom_backups/phantom_backup_2017-07-15-20-47-04.126913.tgz
- Connect to the Splunk Phantom server's web user interface.
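The pgbouncer.ini edited in step 3 holds both database passwords in clear text and decides whether the hop from Splunk Phantom to the database server is encrypted, so it is worth generating and checking rather than editing by hand. The following script is an added example, not part of the Splunk Phantom documentation or product: it writes the [databases] and [pgbouncer] entries from that step with owner-only permissions, and checks an existing file for a server_tls_sslmode that enforces TLS (require, verify-ca or verify-full) and for a file mode that is not readable beyond the owner. The host name, passwords and temporary paths are constructed for the example; the checker reads server_tls_sslmode wherever it appears in the file rather than tracking INI sections.

```shell
#!/bin/sh
# Added example (not from the Splunk Phantom documentation or product).
# Writes the pgbouncer.ini entries from the procedure above with owner-only
# permissions and checks an existing file for the two settings that matter
# for this hop: an enforced TLS mode to the database server and a file mode
# that keeps the embedded passwords private. Host, passwords and paths are
# constructed for the example.

# write_pgbouncer_ini <path> <db host> <postgres pw> <pgbouncer pw> [tls mode]
# Values are expanded into the file as-is, so passwords must not contain
# spaces or shell metacharacters such as '$'.
write_pgbouncer_ini() {
    out="$1"; pghost="$2"; pgpass="$3"; bouncerpass="$4"; tlsmode="${5:-require}"
    old_umask=$(umask)
    umask 077                         # new file is created 0600, never world-readable
    cat > "$out" <<EOF
[databases]
phantom = user=pgbouncer password=$bouncerpass host=$pghost
postgres = user=postgres password=$pgpass host=$pghost

[pgbouncer]
server_tls_sslmode = $tlsmode
EOF
    umask "$old_umask"
    chmod 600 "$out"                  # also tightens the mode if the file already existed
}

# Return 0 when server_tls_sslmode enforces TLS and the file is owner-only;
# print one FINDING per problem and return 1 otherwise. Reads the key wherever
# it appears in the file; it does not track INI sections.
check_pgbouncer_ini() {
    ini="$1"; problems=0
    mode=$(sed -n 's/^[[:space:]]*server_tls_sslmode[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$ini" | tail -n 1)
    case "$mode" in
        require|verify-ca|verify-full) ;;
        "") echo "FINDING: server_tls_sslmode is not set in $ini"; problems=$((problems + 1)) ;;
        *)  echo "FINDING: server_tls_sslmode=$mode does not enforce TLS to the server"; problems=$((problems + 1)) ;;
    esac
    # GNU stat first, BSD/macOS stat as fallback.
    perms=$(stat -c '%a' "$ini" 2>/dev/null || stat -f '%Lp' "$ini")
    case "$perms" in
        [0-7]00) ;;                   # 600, 400, 700: owner only
        *) echo "FINDING: $ini has mode $perms; passwords readable beyond the owner"; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# --- demonstration ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

write_pgbouncer_ini "$tmpdir/pgbouncer.ini" db.example.internal pg-secret bouncer-secret
if check_pgbouncer_ini "$tmpdir/pgbouncer.ini"; then echo "pgbouncer.ini: OK"; fi

# Weak variant: TLS to the server left at 'prefer' and the file made world-readable.
write_pgbouncer_ini "$tmpdir/weak.ini" db.example.internal pg-secret bouncer-secret prefer
chmod 644 "$tmpdir/weak.ini"
if ! check_pgbouncer_ini "$tmpdir/weak.ini"; then echo "weak.ini: rejected"; fi
```

For a real deployment, point write_pgbouncer_ini at the pgbouncer.ini path for your installation type and run check_pgbouncer_ini against it before the `phsvc restart pgbouncer` step; on an RDS-backed installation that omits the server_tls_sslmode line, the checker will report it as unset, which is expected there.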
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9