Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)


This documentation does not apply to the most recent version of Splunk® SOAR (On-premises).

Install as an unprivileged user

Tar file distributions of Splunk SOAR (On-premises) are available for installations where Splunk SOAR (On-premises) runs as an unprivileged user.

If you install a stand-alone instance as an unprivileged user, underlying services such as the PostgreSQL database are installed in the user space for that user.


Contact support to get this installation file.

Supported Operating Systems for this method:

  • Red Hat Enterprise Linux 7.6 or later
  • CentOS 7.6 or later

Prepare the system

Before you install as an unprivileged user, the root user or a user with sudo access must prepare the system.

Do all these tasks with root permissions, either by logging in as root or as a user with sudo permission.

Install the operating system dependencies

  1. Edit /etc/selinux/config to disable SELinux. Change the SELINUX= entry to:
    SELINUX=disabled
  2. Clear yum caches.
    yum clean all
  3. Update installed packages.
    yum update
  4. Restart the operating system.
    shutdown -r now
  5. Install dependencies.
    yum install -y libevent libicu c-ares bind-utils java-1.8.0-openjdk-headless mailcap fontconfig ntpdate perl rsync xmlsec1 xmlsec1-openssl libxslt ntp zip net-tools policycoreutils-python libxml2 libcurl gnutls
  6. If you are using an external file share using GlusterFS, download the GlusterFS packages.
    mkdir gfsinstall
    cd gfsinstall 
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-api-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-cli-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-client-xlators-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-coreutils-0.2.0-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-devel-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-events-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-fuse-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-libs-7.5-1.el7.x86_64.rpm
    curl -O https://repo.phantom.us/phantom/5.0/base/7/x86_64/glusterfs-server-7.5-1.el7.x86_64.rpm
  7. If you are using an external file share using GlusterFS, install the GlusterFS packages.
    yum install *.rpm
  8. Set firewall rules to allow the required ports listed in required ports.
  9. Synchronize the system clock.
    ntpdate -v -u 0.centos.pool.ntp.org
    systemctl enable ntpd

Create the user account that will run Splunk SOAR (On-premises)

An unprivileged install of Splunk SOAR (On-premises) runs in the user space of a specific user.

When you create the user account that will run Splunk SOAR (On-premises), do not use special characters other than a hyphen or underscore. A hyphen or underscore must not be the first character in the username. Other special characters are not supported.

  1. Create the user account that will be used to run Splunk SOAR (On-premises).
    adduser -c "Splunk SOAR User" <username>
    passwd <username>
  2. Create a directory for Splunk SOAR (On-premises).
    su - <username> -c "mkdir /home/<username>/<directory_name>"
  3. Create a file called /etc/security/limits.d/25-phantom-limits.conf. This file sets resource limits for the user that will run Splunk SOAR (On-premises).
    touch /etc/security/limits.d/25-phantom-limits.conf
  4. Edit the file /etc/security/limits.d/25-phantom-limits.conf to add these settings:
    <username>          hard    nofile          64000
    <username>          soft    nofile          64000
    <username>          hard    nproc           64000
    <username>          soft    nproc           64000           
  5. Save the file.
  6. Apply the new security settings.
    sysctl --system

Install from the tar file

  1. Log in as the user that will run Splunk SOAR (On-premises). Do not perform these steps as the root user.
  2. Copy the installation tar file to the directory /home/<username>/<directory_name> created earlier.
  3. Verify your downloaded file's SHA256 hash against the SHA256 hash displayed on the Community site.
    sha256sum phantom-<version>.tgz
  4. Extract the tar file.
    tar -xvzf phantom-<version>.tgz
  5. Copy the new kernel settings file 50-phantom.conf from the extracted files to /etc/sysctl.d. This step requires sudo permissions.
    cp /home/<username>/<directory_name>/etc/sysctl.d/50-phantom.conf /etc/sysctl.d/
  6. Apply the new kernel settings. This step requires sudo permissions.
    sysctl --system
  7. Run the installation script. Make sure to specify the port for Splunk SOAR (On-premises) to use for HTTPS traffic. The HTTPS port must be greater than 1023 and cannot be a port that is already in use.
    ./phantom_tar_install.sh install --https-port=<port>

For more installation command line options, see phantom_tar_install.sh options.
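
The constraints stated in the steps above (the username rule, the HTTPS port rule, and the SHA256 comparison) can be checked before running the installer. The following is an added example, not part of the product or of the original documentation; the function names are hypothetical, and it assumes `ss`, `awk` and `sha256sum` are available and that you paste in the hash published on the Community site yourself.

```shell
# Added example: pre-flight checks for the unprivileged tar install.
# Function names are hypothetical and are not part of the product.
LC_ALL=C; export LC_ALL   # keep the A-Z/a-z/0-9 ranges ASCII-only

# Username rule from this page: letters, digits, hyphen and underscore only,
# and the first character is neither a hyphen nor an underscore.
valid_soar_username() {
  case "$1" in
    ''|[-_]*|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Reads `ss -ltn` output on stdin; succeeds if a local address (column 4)
# ends in :<port>. The header line never matches.
port_listening() {
  awk -v p="$1" '{ n = split($4, a, ":"); if (n > 1 && a[n] == p) found = 1 }
                 END { exit(found ? 0 : 1) }'
}

# HTTPS port rule from this page: greater than 1023 and not already in use.
# $2 is an optional listener listing; without it, live `ss` output is used
# and the check fails closed if `ss` cannot run.
valid_https_port() {
  case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -gt 1023 ] && [ "$1" -le 65535 ] || return 1
  if [ "$#" -ge 2 ]; then listing=$2
  else listing=$(ss -ltn 2>/dev/null) || return 1; fi
  ! printf '%s\n' "$listing" | port_listening "$1"
}

# Compare the tar file's SHA256 with the published value, ignoring case.
# A malformed expected value or an unreadable file counts as a mismatch.
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#expected}" -eq 64 ] || return 1
  actual=$(sha256sum < "$1" 2>/dev/null | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}
```

Source the file and call, for example, `verify_sha256 phantom-<version>.tgz <published_hash> && valid_https_port <port>`; a non-zero exit status means the installer should not be run yet.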

Next step: log in to verify the installation

You can log in to the web interface after the setup script completes to configure user accounts and additional settings. See Log in to the web interface.

Last modified on 17 March, 2022

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1
