Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Default credentials, script options, and sample configuration files

This section has the default credentials, script options and example configuration files.

Default credentials

The default credentials on a new installation of Splunk SOAR (On-premises) are:

SSH account for virtual machine image (.OVA) and unprivileged installations

  • Username: phantom
  • Password: password

Web Interface

  • Username: admin
  • Password: password

The default credentials on a new AMI installation of Splunk SOAR (On-premises) are:

SSH account:

  • Username: phantom
  • Password: None. You must use the SSH key created when deploying the AMI version of Splunk SOAR (On-premises).

Web Interface

  • Username: admin
  • Password: <full AWS instance ID>

Change the default passwords immediately after the installation is complete. Treat the AMI web password as public knowledge: the instance ID is visible to anyone who can list instances in the AWS account. On OVA installations, also change the phantom SSH password or switch that account to key-based authentication.
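As an added example (not code from the Splunk documentation), the following Python audit checks whether the web interface on a list of hosts still accepts the default credentials listed above, so the "change them immediately" step can be verified across a fleet. It assumes the SOAR REST API answers a basic-auth GET of /rest/version with 200 when the credentials are accepted and 401 or 403 when they are rejected; the hostnames and instance ID in the inventory are constructed.

```python
"""Default-credential audit for Splunk SOAR (On-premises) web interfaces.

Added example, not part of the Splunk documentation. Assumed (not stated on
the page): GET /rest/version with HTTP basic auth returns 200 when the
credentials are accepted and 401/403 when they are rejected.
"""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Iterable, Optional, Tuple

DEFAULT_USER = "admin"


def expected_default_password(install_type: str, instance_id: Optional[str] = None) -> str:
    """Documented default web password: 'password' for OVA and unprivileged
    (tar) installs, the full AWS instance ID for an AMI."""
    kind = install_type.lower()
    if kind in ("ova", "tar", "unprivileged"):
        return "password"
    if kind == "ami":
        if not instance_id:
            raise ValueError("AMI installs need the instance ID to derive the default password")
        return instance_id
    raise ValueError(f"unknown install type: {install_type!r}")


def classify(status: Optional[int]) -> str:
    """Turn the HTTP status from one probe into an audit verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "DEFAULT CREDENTIALS STILL ACTIVE"
    if status in (401, 403):
        return "default credentials rejected"
    return f"unexpected HTTP {status}"


def probe(host: str, password: str, user: str = DEFAULT_USER,
          verify_tls: bool = True, timeout: float = 10.0) -> Optional[int]:
    """One basic-auth GET against the REST API; returns the HTTP status, or
    None if the host could not be reached."""
    url = f"https://{host}/rest/version"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Fresh installs present a self-signed certificate. Disabling
        # verification is acceptable only on a trusted management network,
        # because the probe sends the password in a basic-auth header.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def audit(targets: Iterable[Tuple[str, str, Optional[str]]], verify_tls: bool = True) -> dict:
    """targets: (host, install_type, instance_id or None) -> {host: verdict}."""
    results = {}
    for host, install_type, instance_id in targets:
        password = expected_default_password(install_type, instance_id)
        results[host] = classify(probe(host, password, verify_tls=verify_tls))
    return results


if __name__ == "__main__":
    # Constructed inventory; replace with your own hosts.
    inventory = [
        ("soar-ova.example.internal", "ova", None),
        ("soar-ami.example.internal", "ami", "i-0123456789abcdef0"),
    ]
    for host, verdict in audit(inventory, verify_tls=False).items():
        print(f"{host}: {verdict}")
```

Run it from a management host right after installation and again after the passwords are changed; any host still reporting DEFAULT CREDENTIALS STILL ACTIVE has not been remediated.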

Installation or configuration scripts

This section lists various installation scripts and their command line options.

phantom_tar_install.sh options

Use these arguments to control the phantom_tar_install.sh script. Use this script only for unprivileged (non-root) installations.

Option   Argument                 Description
install  --https-port=HTTPS_PORT  Set a custom HTTPS port for Splunk SOAR (On-premises).
         --no-prompt              Run the script without a confirmation prompt.
         --without-apps           Do not install any of the apps that ship with Splunk SOAR (On-premises). Apps can be installed later using the GUI.
         --no-space-check         Do not check for available space in /tmp before attempting to install.
upgrade  --no-prompt              Run the script without a confirmation prompt.
         --without-apps           Do not install any of the apps that ship with Splunk SOAR (On-premises). Apps can be installed later using the GUI.
         --no-space-check         Do not check for available space in /tmp before attempting to install.

Below is an example command that installs Splunk SOAR (On-premises) without any of the apps that ship with it:

phantom_tar_install.sh install --without-apps

phantom_setup.sh options

Use these arguments to control the phantom_setup.sh script.

Option   Argument          Description
install  --no-prompt       Run the script without a confirmation prompt.
         --without-apps    Do not install any of the apps that ship with Splunk SOAR (On-premises). Apps can be installed later using the GUI.
         --no-space-check  Do not check for available space in /tmp before attempting to install.
         --non-root        Run the watchdog daemon with reduced privileges.
         --yumopts="..."   Additional parameters to pass to yum.
         --mingit          Install a minimal Git package without the Perl Git module.
         --rhsc-psql       Install PostgreSQL from Red Hat Software Collections.
         --version         Specify which version of Splunk SOAR (On-premises) to install.
upgrade  --no-prompt       Run the script without a confirmation prompt.
         --without-apps    Do not install any of the apps that ship with Splunk SOAR (On-premises). Apps can be installed later using the GUI.
         --no-space-check  Do not check for available space in /tmp before attempting to install.
         --non-root        Run the watchdog daemon with reduced privileges.
         --yumopts="..."   Additional parameters to pass to yum.
         --version         Specify which version of Splunk SOAR (On-premises) to install.

make_server_node.pyc options

Use these options to control the make_server_node.pyc command.

Argument     Description
--version    Display the program's version number.
--help       Display a list and description of the arguments.
--no-prompt  Run the program without displaying the warning prompt.

make_server_node.pyc converts an OVA installation of Splunk SOAR (On-premises) into a server node for a cluster. A server node provides one or more of the services a cluster requires, such as proxy, database, file share, or search endpoint. Select the services with one of these arguments:

Argument  Description
all       The default. Install HAProxy, PostgreSQL, GlusterFS, and Splunk on this node. This option also writes a best-effort mcn_responses.json for use with make_cluster_node.pyc.
fs        Create and configure a single-node GlusterFS file share on this node for Splunk SOAR (On-premises). The directory tree starts at /opt/phantom/shared.
db        Create the PostgreSQL database on this node to act as the cluster's external database.
proxy     Install HAProxy to act as the load balancer for the cluster.
splunk    Install Splunk Enterprise to act as the remote search endpoint for the cluster.

make_cluster_node.pyc options

make_cluster_node.pyc converts an OVA installation of Splunk SOAR (On-premises) into a cluster node. A cluster node is a single instance of Splunk SOAR (On-premises) supported by one or more server nodes.

Argument                 Description
--responses              Feed prepared responses from mcn_responses.json or responses.json to the script instead of prompting.
--record                 Write a responses.json file to reuse when running this script on another node. This version of the file contains passwords.
--record-no-secret       Write a responses.json file to reuse when running this script on another node. This version of the file does not contain passwords.
--record-location        Set where the responses.json file is recorded. The default is /opt/phantom/bin/response.json.
--delete-responses-file  Delete the responses file from the machine when the script completes.
--version                Show the program version number and exit.

A responses.json file written with --record, and the mcn_responses.json file written by make_server_node.pyc, contain secrets such as usernames and passwords in plain text. Use --record-no-secret where you can, restrict the file to its owner while it exists, and store it in a secure location or delete it (for example with --delete-responses-file) once the cluster configuration is complete.
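As an added example (not code from the Splunk documentation), the following Python script shows what to do with a responses file once the cluster is built: lock it to its owner, write a redacted copy comparable in spirit to --record-no-secret output, then overwrite and remove the original. The real key names inside mcn_responses.json are not documented on this page, so the script assumes a JSON object whose secret-bearing keys contain "password", "passwd", "secret" or "token", and the sample file it operates on is constructed.

```python
"""Post-build handling for a make_cluster_node.pyc responses file.

Added example, not part of the Splunk documentation. The page states that
responses.json / mcn_responses.json hold usernames and passwords in plain
text; this script locks the file to its owner, writes a redacted copy
comparable in spirit to --record-no-secret output, then overwrites and
unlinks the original. Assumed: the file is a JSON object and secret-bearing
keys contain 'password', 'passwd', 'secret' or 'token' in their names. The
real key names are not documented here; the sample data is constructed.
"""
import json
import os
import stat
import tempfile

SECRET_MARKERS = ("password", "passwd", "secret", "token")
REDACTED = "<REDACTED>"


def is_secret_key(key: str) -> bool:
    lowered = key.lower()
    return any(marker in lowered for marker in SECRET_MARKERS)


def redact(obj):
    """Recursively blank values under secret-looking keys, keeping structure."""
    if isinstance(obj, dict):
        return {
            key: REDACTED if is_secret_key(key) and not isinstance(val, (dict, list)) else redact(val)
            for key, val in obj.items()
        }
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


def lock_down(path: str) -> int:
    """Restrict to owner read/write; returns the resulting mode bits (0o600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_redacted_copy(src: str, dst: str) -> dict:
    with open(src) as fh:
        data = json.load(fh)
    clean = redact(data)
    # Create the copy with 0600 from the start so it is never world-readable.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(clean, fh, indent=2)
    return clean


def shred(path: str) -> bool:
    """Overwrite with zeros, fsync, unlink. Best effort: journaling and
    copy-on-write filesystems may keep old blocks, so still rotate the
    passwords the file held."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return not os.path.exists(path)


def process(workdir: str) -> dict:
    """Run the three steps on a constructed sample file in workdir."""
    sample = {  # constructed; not the real mcn_responses.json layout
        "db_host": "10.0.0.5",
        "db_user": "phantom",
        "db_password": "Sup3rS3cret!",
        "fileshare": {"path": "/opt/phantom/shared", "gluster_password": "glu-pw"},
        "proxy": {"host": "10.0.0.2", "port": 443},
    }
    src = os.path.join(workdir, "mcn_responses.json")
    with open(src, "w") as fh:
        json.dump(sample, fh)
    os.chmod(src, 0o644)  # simulate a file left world-readable
    mode = lock_down(src)
    clean = write_redacted_copy(src, os.path.join(workdir, "responses_no_secret.json"))
    return {"mode": mode, "redacted": clean, "shredded": shred(src)}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        return process(workdir)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The redacted copy is still useful for repeating the build on the next node; the passwords are re-entered at the prompts. Because the overwrite is best effort on modern filesystems, rotate the database and file-share passwords after the cluster is up if the original file was ever readable by anyone other than the installing user.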

Configuration files

This section contains example configuration files. Use these as a guide when configuring items for use in your deployment.

HAProxy Configuration

    ##--------------------------------------------------------------------
    ## HAPROXY 1.8.7 CONFIGURATION FILE
    ##--------------------------------------------------------------------
    #---------------------------------------------------------------------
    # global settings
    #---------------------------------------------------------------------
    global
        tune.ssl.default-dh-param 2048
        log 127.0.0.1:514 local0
    
    #---------------------------------------------------------------------
    # common defaults
    #---------------------------------------------------------------------
    defaults
        mode http
        timeout connect 0ms
        timeout client 0ms
        timeout server 0ms
        log global
    
    #---------------------------------------------------------------------
    # SSL w/ redirect to HTTPS
    #---------------------------------------------------------------------
    frontend localhost
        bind *:80
        bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    # for unprivileged installs, add another declaration:
    #   bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
        redirect scheme https if !{ ssl_fc }
        mode http
        default_backend nodes
    
    #---------------------------------------------------------------------
    # backend (output)
    #---------------------------------------------------------------------
    backend nodes
        mode http
        balance roundrobin
        option http-keep-alive
        option forwardfor
        cookie SRVNAME insert
        option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
        http-check expect status 200
        default-server fastinter 1s downinter 5s
        server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc } 
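The sample above is a starting point, not a hardened configuration: the backend server line uses verify none, so HAProxy never checks the SOAR node's certificate; the three timeouts of 0ms disable those timeouts entirely; no-sslv3 no-tlsv10 still allows TLS 1.1; the cipher list is a placeholder; and no HSTS header is set. As an added example (not code from the Splunk documentation), the following Python script flags each of those settings in an abridged copy of the configuration and emits a hardened variant. The CA path, timeout values and cipher list it substitutes are this example's own choices, not values given by the documentation.

```python
"""Review and harden the sample HAProxy configuration above.

Added example, not part of the Splunk documentation. find_issues() flags
settings a security engineer would change before exposing the load
balancer; harden() applies replacement values that are this example's own
choices (the CA path, timeouts and cipher list are assumptions, not values
from the documentation). SAMPLE_CONFIG is an abridged copy of the page's
configuration.
"""
import re

# Starting point only: pick the list your client population supports.
CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
           "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
           "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")
CA_FILE = "/etc/haproxy/soar-ca.pem"  # assumed path to the CA that signed the node certs

SAMPLE_CONFIG = r"""global
    tune.ssl.default-dh-param 2048
    log 127.0.0.1:514 local0

defaults
    mode http
    timeout connect 0ms
    timeout client 0ms
    timeout server 0ms
    log global

frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    cookie SRVNAME insert
    option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
"""

TIMEOUT_ZERO = re.compile(r"timeout\s+(connect|client|server)\s+0(ms)?$")


def find_issues(config: str) -> list:
    issues = []
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("server ") and "verify none" in line:
            issues.append(f"line {num}: backend TLS without certificate verification (verify none)")
        match = TIMEOUT_ZERO.match(line)
        if match:
            issues.append(f"line {num}: timeout {match.group(1)} 0 disables the timeout")
        if line.startswith("bind ") and " ssl " in line and "ssl-min-ver" not in line:
            issues.append(f"line {num}: no ssl-min-ver, so TLS 1.1 is still negotiable")
        if "<ciphers go here>" in line:
            issues.append(f"line {num}: cipher list placeholder not filled in")
    if "Strict-Transport-Security" not in config:
        issues.append("no HSTS header on HTTPS responses")
    return issues


def harden(config: str) -> str:
    """Return the configuration with each finding replaced by a safer setting."""
    out = []
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        indent = line[: len(line) - len(stripped)]
        if stripped.startswith("server ") and "verify none" in stripped:
            # Verify the SOAR node certificate so a rogue backend cannot be substituted.
            line = line.replace("verify none", f"verify required ca-file {CA_FILE}")
        elif TIMEOUT_ZERO.match(stripped):
            which = TIMEOUT_ZERO.match(stripped).group(1)
            # Finite timeouts; the server value is generous because REST calls
            # into SOAR can be slow. Tune to your workload.
            line = indent + {"connect": "timeout connect 5s",
                             "client": "timeout client 60s",
                             "server": "timeout server 300s"}[which]
        elif stripped.startswith("bind ") and " ssl " in stripped:
            line = line.replace("no-sslv3 no-tlsv10", "ssl-min-ver TLSv1.2")
            line = line.replace("<ciphers go here>", CIPHERS)
        out.append(line)
        if stripped.startswith("redirect scheme https"):
            out.append(indent + 'http-response set-header Strict-Transport-Security '
                                '"max-age=31536000; includeSubDomains"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_CONFIG):
        print("FINDING:", issue)
    print(harden(SAMPLE_CONFIG))
```

ssl-min-ver is a bind option available from HAProxy 1.8, the version the sample is written for. Switching the backend to verify required only works once the node certificates are issued by a CA that HAProxy can be pointed at; with the self-signed certificates of a fresh install, put the node certificates (or their CA) in the ca-file rather than reverting to verify none.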
Last modified on 22 September, 2021

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1

