Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Install as an unprivileged user

TAR file distributions of are available for installations where runs as an unprivileged user.

As of version 5.3.0, RPM files are no longer available for Splunk SOAR (On-premises) installations. Follow the updated instructions for privileged and unprivileged installations. Unique tarballs are available for privileged and unprivileged installations.

If you install a stand-alone instance as an unprivileged user, underlying services such as the PostgreSQL database are installed in the user space for that user.

Prerequisites

The following operating systems are supported.

  • Red Hat Enterprise Linux 7.6 through 7.9.
  • CentOS 7.6 through 7.9.

Federal Information Processing Standard (FIPS) support

can be deployed in a FIPS compliant mode, if the operating system kernel is in FIPS mode.

  • Your operating system, either RHEL or CentOS must be in FIPS mode.
  • You must create a new, unprivileged deployment of , either as a single instance or as a cluster.

To determine whether your operating system kernel is in FIPS mode, run the following command.

cat /proc/sys/crypto/fips_enabled

If that command returns a 1, the kernel is in FIPS mode. If that command returns a 0, the kernel is not in FIPS mode.

Information about setting up RHEL 7.x or CentOS 7.x in Federal Information Processing Standard (FIPS) mode can be found in the Red Hat Security Guide in Chapter 9.

Install from the TAR file

  1. On the machine where you want to install Splunk SOAR (On-premises), make sure the operating system is updated.
    sudo yum clean all
    sudo yum update
  2. If the machine where you want to install Splunk SOAR (On-premises) required kernel updates, reboot the system before continuing with the installation.
  3. Download the unprivileged installer from the web site.
  4. If you downloaded the installer onto a local machine and need to copy it to the machine where you want to install Splunk SOAR (On-premises), you can use the following command.
    scp -r ./splunk_soar-unpriv-<version>.tgz <user>@<installation_address>
  5. Log in as a user with root privileges to the machine where you want to install Splunk SOAR (On-premises).
  6. Extract the TAR file.
    tar -xzvf ./splunk_soar-unpriv-<version>.tgz
  7. To prepare the system for the unprivileged installation, run a pre-install script using the following command: ./soar-prepare-system --splunk-soar-home <home_directory> --https-port <port_number>. The arguments for the command are optional. If left undefined, the --splunk-soar-home argument defaults to the directory that contains the installation script and specifies the home directory for . That directory must exist and the user meant to run the installation must own that directory. The --https-port argument defaults to port 8443. When you run the pre-install script, it prompts you to configure the system.

    If a configuration requirements is already satisfied in your system, that prompt might not appear.

    • Install pre-requisite RPM packages required by Splunk SOAR (Y/n): If prompted, you must answer Y to proceed.
    • GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. Do you want to run this step? (Y/n): You only need to answer Y if you are setting up certain cluster configurations of Splunk SOAR (On-premises), but you can answer Y even on individual instances.
    • Enable the chronyd service to guarantee clock synchronization. Do you want to run this step? (Y/n): Answer Y.
    • Create a non-privileged user for running Splunk SOAR (On-premises). (Y/n): If prompted, you must answer Y to proceed.
    • Do you want to set a password for <non-privileged_user> now? (Y/n): Answer Y if you created a non-privileged user for running Splunk SOAR (On-premises) in the previous step.
    • Set system resource limits for Splunk SOAR user, particularly file descriptor limits, which are low by default. (Y/n):
    • Answer Y.
  8. If the --splunk-soar-home location differs from the location where you extracted the TAR file, follow these steps to move it to the --splunk-soar-home location and then extract it there:
    • Copy the TAR file to the --splunk-soar-home location.
      sudo cp ./splunk_soar-unpriv-<version>.tgz <home_directory>
    • Go to the --splunk-soar-home location.
      cd <home_directory>
    • Log in as the user meant to own the installation.
    • Extract the TAR file.
      tar -xzvf ./splunk_soar-unpriv-<version>.tgz
  9. Ensure you are logged in as the user meant to own the installation. Do not perform the installation command as the root user.
  10. Run the soar-install installation script with the same arguments you included in the soar-prepare-system script.
    Use the --splunk-soar-home argument to specify the directory where will be installed. That directory must exist and must be owned by the user account that will run .
    As an example, --splunk-soar-home /opt/soar installs to the directory /opt/soar.
    ./soar-install --splunk-soar-home <home_directory> --https-port <port_number>
  11. The soar-install installation script displays the installation and path and HTTPS port number, then asks Do you want to proceed? (y/N). If the path and port are correct, answer y.
    • The --https-port argument specifies what port webserver uses to expose the web user interface. If you ran the soar-prepare-system script to forward inbound traffic to port 443, the user interface is visible there, too.
  12. The soar-install installation script displays the installation and path and HTTPS port number, then asks Do you want to proceed? (y/N). If the path and port are correct, answer y.

Run the sudo ./soar-prepare-system --help and sudo ./soar-install --help commands to see what optional arguments are available.

Last modified on 10 July, 2024
Install as a privileged user   Log in to the web interface

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters