Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Set up a load balancer with an HAProxy server

Do not use this release to create new deployments of Splunk SOAR (On-premises).

Use this release to upgrade from your current privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4.

If you are upgrading a privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4, upgrade to release 5.3.6, convert your deployment to unprivileged, then upgrade again directly to Splunk SOAR (On-premises) release 6.1.1 or higher.

If you have a privileged deployment of Splunk SOAR (On-premises) release 5.3.5, convert your deployment to unprivileged, then upgrade directly to Splunk SOAR (On-premises) release 6.1.1 or higher.

To learn how to upgrade, see Splunk SOAR (On-premises) upgrade overview and prerequisites.

A Splunk SOAR (On-premises) cluster uses HAProxy as a load balancer to distribute requests between instances. Splunk SOAR (On-premises) supports the default version of HAProxy provided by the base CentOS and RHEL repositories.

You can use a different load balancer. Your load balancer must be configured to:

  • provide round-robin balancing
  • support SSL/TLS
  • handle redirection from HTTP to HTTPS services.

The HAProxy server that serves a cluster with the default configuration encrypts traffic from clients to the proxy, and from the proxy to the nodes. The traffic to the nodes is sent over port 443, but the certificates of the nodes do not require validation.

If you use a different load balancer when creating a cluster, see Configuration files in the Reference section for an HAProxy configuration to use as an example.

  1. Install and configure one of the supported operating systems according to your organization's requirements.
  2. Update SELinux and any firewalls to allow access to the ports for HAProxy and your cluster nodes.
  3. Install HAProxy.
    yum install haproxy
  4. Add SSL/TLS certificates to /etc/haproxy/certificates. These certificates are used to encrypt communications between the load balancer and clients.

    Do not use a self-signed certificate in a production environment for client communications.

  5. Edit /etc/haproxy/haproxy.cfg. If the file does not exist, create it. Use the example file HAProxy Configuration as a guide. If you are creating an unprivileged cluster, make sure to include a directive for your custom HTTPS port such as:
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    # for unprivileged installs, add another declaration
    bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3

    The custom HTTPS port must be accessible to the load balancer. For example, if the port you are using for HTTPS for the Splunk SOAR (On-premises) cluster nodes is port 8443, you must also open port 8443 on the load balancer.

  6. Set HAProxy to start when the system starts.
    systemctl enable haproxy.service
  7. Start HAProxy.
    systemctl start haproxy.service
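
A check you can run over the finished haproxy.cfg, as an added example that is not part of the Splunk documentation or its example configuration file: it tests the three load balancer requirements listed above and reports node connections whose certificates are not validated. Treating the options on the port 443 bind line as the baseline for every TLS bind is an assumption, and the function name lint_haproxy, the sample configuration, its node addresses and its cipher are constructed for illustration.

```python
# Added example. SAMPLE_CFG is a constructed config, not Splunk's example file.
SAMPLE_CFG = """\
frontend soar_front
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers ECDHE-RSA-AES256-GCM-SHA384
    bind *:8443 ssl crt /etc/haproxy/certificates no-sslv3
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend soar_nodes
backend soar_nodes
    balance roundrobin
    server node1 10.0.0.11:8443 ssl verify none
    server node2 10.0.0.12:8443 ssl verify none
"""

# Assumption: every TLS bind should carry the options shown on the port 443 line.
BASELINE = ("crt", "no-sslv3", "no-tlsv10", "ciphers")

def lint_haproxy(cfg_text):
    """Return sorted (line_number, message) findings for an haproxy.cfg string."""
    rows = [(n, t) for n, line in enumerate(cfg_text.splitlines(), 1)
            if (t := line.split("#", 1)[0].split())]
    # Global defaults apply to every bind line, so collect them first.
    defaults = set()
    for _, t in rows:
        if t[0] == "ssl-default-bind-options":
            defaults.update(t[1:])
        elif t[0] == "ssl-default-bind-ciphers":
            defaults.add("ciphers")
    findings, plain_binds = [], []
    for n, t in rows:
        if t[0] == "bind" and "ssl" in t:
            missing = [o for o in BASELINE if o not in t and o not in defaults]
            if missing:
                findings.append((n, f"TLS bind {t[1]} missing: {', '.join(missing)}"))
        elif t[0] == "bind":
            plain_binds.append(n)
        elif t[0] == "server" and "ssl" not in t:
            findings.append((n, f"server {t[1]}: traffic to node is not encrypted"))
        elif t[0] == "server" and "verify none" in " ".join(t):
            findings.append((n, f"server {t[1]}: node certificate is not validated"))
    joined = [" ".join(t) for _, t in rows]
    if not any("redirect scheme https" in j for j in joined):
        findings += [(n, "plain HTTP bind without redirect to HTTPS") for n in plain_binds]
    if not any(j.startswith("balance roundrobin") for j in joined):
        findings.append((0, "no 'balance roundrobin' directive found"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in lint_haproxy(SAMPLE_CFG)))
```

On the sample, the custom-port bind is reported because it lacks no-tlsv10 and ciphers; setting ssl-default-bind-options and ssl-default-bind-ciphers in the global section clears that finding.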

See also

  • For general setup and information on HAProxy, see the HAProxy documentation on the HAProxy.org website.
  • For specific information on SSL/TLS certificates, see the section about certs in the HAProxy Configuration Manual.
Last modified on 19 September, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.6

