Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

General system requirements

Splunk SOAR (On-premises) has minimum system requirements that your environment must meet or exceed. This section details the supported operating systems, web browsers, system storage, Linux file systems, and other requirements for operating Splunk SOAR (On-premises).

Supported operating systems

Splunk SOAR (On-premises) supports these operating systems and versions:

  • Red Hat Enterprise Linux 7.6 through 7.9
  • CentOS 7.6 through 7.9

Splunk SOAR (On-premises) cannot be installed inside of a Docker or Podman container.

Supported browsers

Splunk SOAR (On-premises) requires a web browser that supports HTML 5, SVG graphics, and TLS.

Use the latest, fully patched version of one of the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Apple Safari

Operating system accounts

A privileged deployment of Splunk SOAR (On-premises) uses several operating system accounts.

Account         Group      Description
git-user        git-user   User for the git repository.
gluster         gluster    Account used by the GlusterFS daemons.
nginx           nginx      Nginx web server account.
pgbouncer       pgbouncer  PgBouncer server account.
phantom         phantom    Default Splunk SOAR user. On an unprivileged deployment, this is whichever user account was created to host your deployment.
phantom-worker  phantom    Splunk SOAR worker account.
postgres        postgres   PostgreSQL server account.

On unprivileged deployments, only the phantom operating system user account is created and used.

Supported file systems and required directories

Splunk SOAR (On-premises) supports any file system on which the user account running the application can be given write permission.

In a clustered environment, Splunk SOAR (On-premises) uses GlusterFS for its file shares. If your organization requires a different file system for your cluster, make sure that the user account running Splunk SOAR (On-premises) has write permission to the required directories.

Required directories for a standard installation:

  • /opt/phantom/apps
  • /opt/phantom/bin (spawn and spawn3 daemons)
  • /opt/phantom/local_data/app_states
  • /opt/phantom/scm
  • /opt/phantom/vault
  • /opt/phantom/tmp/shared

Required directories for an installation as an unprivileged user:

  • <phantom_install_dir>/apps
  • <phantom_install_dir>/local_data/app_states
  • <phantom_install_dir>/scm
  • <phantom_install_dir>/vault
  • <phantom_install_dir>/tmp/shared

File permissions

Splunk SOAR (On-premises) is installed in one of the following locations:

  • On a privileged deployment - /opt/phantom
  • On an unprivileged OVA or AMI deployment - /opt/phantom, also called <PHANTOM_HOME>.
  • On an unprivileged deployment - the home directory of the user account that will run Splunk SOAR (On-premises), also called <PHANTOM_HOME>.

The installer expects a umask of 0022 during installation. Applying a different umask can lead to unexpected behavior: for example, a umask of 0077 creates files and directories with no group or other permissions, so accounts such as nginx and phantom-worker, which rely on membership in the phantom group, can no longer read or write what they need.

In general, do not modify file permissions for Splunk SOAR (On-premises). Changing file permissions can cause errors or prevent Splunk SOAR (On-premises) from working.

You can check whether an access control list has been applied with the Linux getfacl command (a file or directory with an ACL is also marked with a trailing + in ls -l output, because the ACL overrides the mode that ls displays), clear an incorrectly applied ACL with the setfacl -b command, and restore the expected permissions on a file or directory with the chmod command. After changing file permissions, restart Splunk SOAR (On-premises).

Directory                                        Permissions       Owner      Group
/opt/phantom                                     drwxr-xr-x  755   phantom    phantom
    Default 'root' directory, referred to as <PHANTOM_HOME> in the documentation. On an
    unprivileged deployment, the owner is the user account that runs Splunk SOAR (On-premises).
/opt/phantom/apps                                drwxrwxr-x  775   phantom    phantom
    Required to allow the web-based UI to install apps. Apps installed by the web-based UI are
    owned by nginx in the phantom group.
/opt/phantom/local_data                          drwxrwxr-x  775   phantom    phantom
/opt/phantom/local_data/app_states               drwxrwxr-x  775   phantom    phantom
/opt/phantom/scm                                 drwxrwx---  770   phantom    phantom
    Allows non-nginx users of Splunk SOAR (On-premises) to have write access to playbooks.
/opt/phantom/spool                               drwxrwxr-x  775   phantom    phantom
    Allows the nginx user in the phantom group to create items, such as the uwsgi sub-directory.
/opt/phantom/tmp                                 drwxrwx---  770   phantom    phantom
    Allows non-root users in the phantom group to have write access.
/opt/phantom/vault                               drwxrwxr-x  775   phantom    phantom
    Allows non-phantom users in the phantom group, such as the nginx user, to have write access
    to add files to the vault, create reports, and so on.
/opt/phantom/var/log                             drwxr-xr-x  755   phantom    phantom
    Allows the web-based UI and other tools to create and write log files for actions. Do not
    modify the permissions for this directory; if logs cannot be written, app installation or
    other actions may fail. On a privileged deployment, logging is done in /var/log/phantom/.
/opt/phantom/var/log/phantom/app_install.log     -rw-rw-r--  664   phantom    phantom
    Allows the web-based UI to write to app_install.log and other tools to read it. Do not modify
    the permissions for this file; if it cannot be written to, the web-based UI displays the error
    message "internal server error." On a privileged deployment, logging is done in
    /var/log/phantom/.
/opt/phantom/var/log/phantom/app_interface.log   -rw-rw----  660   phantom    phantom
    Contains logs from the app-interface module, REST handlers, and apps that provide custom
    views. On a privileged deployment, logging is done in /var/log/phantom/.
/run/gluster                                     drwxr-x---  750   gluster    gluster
    Only for use with privileged deployments.
/var/cache/nginx                                 drwxr-x---  750   nginx      nginx
    Only for use with privileged deployments.
/opt/phantom/data/db                             drwxr-x---  750   postgres   postgres
    Only for use with privileged deployments.
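The following audit script is an added example; it is not part of this documentation or of the Splunk SOAR installer. It turns the directory rows of the table above (and the required-directory list earlier in this topic) into checks: for each path it compares the numeric mode, owner and group reported by stat against the expected values, flags any extended POSIX ACL with getfacl (an ACL overrides the mode that ls shows and marks it only with a trailing +), and warns when the current umask is not the 0022 the installer expects. It assumes GNU coreutils stat and the getfacl command from the acl package, as shipped with RHEL/CentOS 7; the script name, the function names and the default of phantom:phantom for owner and group are the example's own choices. Run it as root on a privileged deployment, or as the hosting account on an unprivileged deployment, passing that account's user and group as the second and third arguments.

```shell
#!/bin/sh
# audit_phantom_perms.sh -- added example, not Splunk's own tooling.
# Checks a <PHANTOM_HOME> tree against the expected mode/owner/group table,
# reports extended POSIX ACLs, and validates the umask the installer expects.
# Assumes GNU coreutils `stat` and the acl package's `getfacl` (RHEL/CentOS 7).

# umask_ok <umask>: true when the value is the 0022 the installer expects.
umask_ok() {
    case "$1" in
        0022|022) return 0 ;;
        *)        return 1 ;;
    esac
}

# has_acl <path>: true when an extended ACL (named user/group, mask or default
# entry) is attached. getfacl -c omits the header; the three base entries are
# user::, group:: and other::, so anything else is an extended entry.
has_acl() {
    command -v getfacl >/dev/null 2>&1 || return 1
    getfacl -c "$1" 2>/dev/null | grep -Eq '^(user|group):[^:]+:|^mask:|^default:'
}

# check_perm <path> <mode> <owner> <group>: prints one line per mismatch and
# returns 0 only when the path exists with exactly the expected values.
check_perm() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # GNU stat: numeric mode, owner name, group name
    set -- $(stat -c '%a %U %G' "$path")
    have_mode=$1; have_owner=$2; have_group=$3
    bad=0
    [ "$have_mode" = "$want_mode" ]   || { echo "MODE     $path: is $have_mode, want $want_mode";    bad=1; }
    [ "$have_owner" = "$want_owner" ] || { echo "OWNER    $path: is $have_owner, want $want_owner";  bad=1; }
    [ "$have_group" = "$want_group" ] || { echo "GROUP    $path: is $have_group, want $want_group";  bad=1; }
    if has_acl "$path"; then
        echo "ACL      $path: extended ACL present; clear it with: setfacl -b '$path'"
        bad=1
    fi
    return $bad
}

# audit_tree <PHANTOM_HOME> <owner> <group>: checks every directory row of the
# table. Owner and group are parameters because an unprivileged deployment uses
# the hosting account rather than phantom:phantom.
audit_tree() {
    home=$1; owner=$2; group=$3
    failed=0
    while read -r rel mode; do
        check_perm "$home/$rel" "$mode" "$owner" "$group" || failed=1
    done <<EOF
. 755
apps 775
local_data 775
local_data/app_states 775
scm 770
spool 775
tmp 770
vault 775
var/log 755
EOF
    return $failed
}

# Usage: sh audit_phantom_perms.sh /opt/phantom [owner] [group]
if [ $# -ge 1 ]; then
    umask_ok "$(umask)" || echo "UMASK    current umask is $(umask); the installer expects 0022"
    audit_tree "$1" "${2:-phantom}" "${3:-phantom}" && echo "OK       $1 matches the expected layout"
fi
```

Any line the script prints is a deviation from the table; fix the mode with chmod, remove stray ACL entries with setfacl -b, then restart Splunk SOAR (On-premises) as the topic above requires. The log files listed in the table are not checked because their names differ between privileged (/var/log/phantom/) and unprivileged deployments.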
Last modified on 11 July, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0