Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Run make_cluster_node.pyc

Do not use this release to create new clusters of Splunk SOAR (On-premises).

Use this release to upgrade from your current privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4.

If you are upgrading a privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4, upgrade to release 5.3.6, convert your deployment to unprivileged, then upgrade again directly to Splunk SOAR (On-premises) release 6.1.1 or higher.

If you have a privileged deployment of Splunk SOAR (On-premises) release 5.3.5, convert your deployment to unprivileged, then upgrade directly to Splunk SOAR (On-premises) release 6.1.1 or higher.

To learn how to upgrade, see Splunk SOAR (On-premises) upgrade overview and prerequisites.

Use the make_cluster_node.pyc script to configure an installed instance into a node of a cluster. This script stores the bulk of required configuration information from the PostgreSQL database.

Before running make_cluster_node, make sure that all the required services are working, either as external services or as a Shared Services server. Additionally, make sure that the required ports and endpoints are opened in your firewall. See ports and endpoints.

Collect the required information

You need this information to answer prompts for make_cluster_node.

  • IP addresses or hostnames for:
    • PostgreSQL server
    • HAProxy server and the port that the HAProxy server uses to accept HTTPS connections
    • GlusterFS server
    • Splunk Enterprise instance REST port
    • Splunk Enterprise instance HTTP Event Collector port
  • User names, passwords, tokens, or SSH key information for:
    • pgbouncer PostgreSQL database user
    • postgres PostgreSQL database user
    • login password for the HAProxy server, unless it uses an ssh key
    • username and password for the install being converted
    • Splunk Enterprise user with phantomsearch permissions
    • Splunk Enterprise user with phantomdelete permissions
    • Splunk Enterprise HTTP Event Collector token

Not all SSH key formats are accepted by make_cluster_node.pyc. You can use keys generated with the ssh-keygen -m PEM -t rsa -b 4096 command.

Create a node

Once you have either a Shared Services server or external services established, you convert installations of Splunk SOAR (On-premises) into cluster nodes.

Privileged installation

On a privileged installation, such as an RPM installation, run the make_cluster_node.pyc script as root or a user with sudo permissions.

/opt/phantom/bin/phenv python /opt/phantom/bin/make_cluster_node.pyc --responses /path/to/mcn_responses.json

You don't have to use mcn_responses.json. However, if you don't supply an alternate JSON file, the script prompts you for the information needed to create mcn_responses.json. The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.

Unprivileged installation

On an unprivileged installation, you must first change to the directory where Splunk SOAR (On-premises) is installed.

  1. Change to the home directory.
    cd <phantom_install_dir>/bin/
  2. Run make_cluster_node.pyc using python.
    phenv python ./make_cluster_node.pyc --responses /path/to/mcn_responses.json

    You don't have to use mcn_responses.json. However, if you don't supply an alternate JSON file, the script prompts you for the information needed to create mcn_responses.json. The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.
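
A pre-flight check for the two points above, the accepted SSH key format and the plain-text secrets in mcn_responses.json. This is an added example, not part of Splunk SOAR or its documentation. The function names are hypothetical, and treating only the key format this page names as known-good is an assumption.

```shell
# Added pre-flight checks; not part of Splunk SOAR or its documentation.
# Assumption: only the key format the page names (ssh-keygen -m PEM -t rsa)
# is treated as known-good; any other format is flagged for review.

# key_format FILE: classify a private key file by its first line.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pem-rsa ;;  # ssh-keygen -m PEM -t rsa
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;  # ssh-keygen default format
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8 ;;
        *)                                       echo unknown ;;  # missing file or other format
    esac
}

# responses_private FILE: succeed only if FILE is a regular file (not a
# symlink) with no group or other permission bits set, for example mode 600.
responses_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ld prints a mode string such as "-rw-------";
    # characters 5-10 are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight RESPONSES KEY: report each failed check on stderr and
# return non-zero if any check failed.
preflight() {
    rc=0
    if ! responses_private "$1"; then
        echo "FAIL: $1 must be a regular file readable only by its owner (chmod 600)" >&2
        rc=1
    fi
    fmt=$(key_format "$2")
    if [ "$fmt" != pem-rsa ]; then
        echo "FAIL: $2 is '$fmt'; regenerate with ssh-keygen -m PEM -t rsa -b 4096" >&2
        rc=1
    fi
    return "$rc"
}

# Runs only when invoked with both paths, for example:
#   sh preflight.sh /path/to/mcn_responses.json /path/to/ssh_private_key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it before make_cluster_node.pyc, and delete the responses file or move it to a secure location once the cluster configuration is complete.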

Last modified on 07 February, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.6

