After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Run make_server_node.pyc
Do not use this release to create new clusters of Splunk SOAR (On-premises).
Use this release to upgrade from your current privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4.
If you are upgrading a privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4, upgrade to release 5.3.6, convert your deployment to unprivileged, then upgrade again directly to Splunk SOAR (On-premises) release 6.1.1 or higher.
If you have a privileged deployment of Splunk SOAR (On-premises) release 5.3.5, convert your deployment to unprivileged, then upgrade directly to Splunk SOAR (On-premises) release 6.1.1 or higher.
To learn how to upgrade, see Splunk SOAR (On-premises) upgrade overview and prerequisites.
Use the make_server_node.pyc script to convert an install into either a specific service or a Shared Services server for a cluster.
Additional configuration steps for unprivileged clusters
Perform the following steps on the load balancer or Shared Services server as root or as a user using sudo to get elevated permissions.
- Set SELINUX to allow HAProxy to bind to your custom HTTPS port. If SELINUX is disabled, then skip this step.
    semanage port --add --type http_port_t --proto tcp <HTTPS PORT>
  If you receive an error that the port is already defined, use --modify instead of --add.
    semanage port --modify --type http_port_t --proto tcp <HTTPS PORT>
- Edit /etc/haproxy/haproxy.cfg to remove the comment marker # from the frontend block on the line for your custom HTTPS port.
    # bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
  Becomes:
    bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
- Restart HAProxy.
    systemctl restart rh-haproxy18-haproxy
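The three steps above as one re-runnable script, added here as an example and not taken from Splunk's documentation or tooling. The function names, the script name and the CFG override are assumptions; the commands and paths are the ones given in the steps.

```shell
#!/bin/sh
# Added example (not Splunk's script): the three load-balancer steps above,
# written so they can be re-run safely. Run as root: sh lb_port.sh <HTTPS PORT>
# CFG is the path from the procedure; override it to rehearse on a copy.
CFG=${CFG:-/etc/haproxy/haproxy.cfg}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Step 1: label the port http_port_t. Skipped when SELinux is disabled;
# falls back to --modify when --add fails because the port is already defined.
allow_port() {
    valid_port "$1" || return 2
    if ! command -v getenforce >/dev/null 2>&1 ||
       [ "$(getenforce)" = "Disabled" ]; then
        return 0
    fi
    semanage port --add --type http_port_t --proto tcp "$1" 2>/dev/null ||
        semanage port --modify --type http_port_t --proto tcp "$1"
}

# Step 2: uncomment only the bind line for this port, keeping a .bak copy.
# Returns 0 if the line is (now) active, 1 if no such line exists.
enable_bind() {
    valid_port "$2" || return 2
    grep -Eq "^[[:space:]]*bind \*:$2 ssl " "$1" && return 0
    grep -Eq "^[[:space:]]*#[[:space:]]*bind \*:$2 ssl " "$1" || return 1
    cp -p "$1" "$1.bak" &&
        sed -E "s/^([[:space:]]*)#[[:space:]]*(bind \*:$2 ssl )/\1\2/" \
            "$1.bak" > "$1"
}

# Steps 1-3 in order; the restart only happens if both edits succeeded.
if [ "$#" -ge 1 ]; then
    allow_port "$1" && enable_bind "$CFG" "$1" &&
        systemctl restart rh-haproxy18-haproxy
fi
```

Because enable_bind refuses to act when no commented bind line exists for the requested port, a mistyped port leaves haproxy.cfg unchanged and HAProxy is not restarted.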
A single Shared Services server becomes a single point of failure. Any problems on the Shared Services server impact your entire cluster. For production use, build a server for each service rather than a single Shared Services server.
A single Shared Services server is not recommended for production use. This mode is primarily intended for Proof of Value or demonstrations.
Create a Shared Services server as root or using sudo:
Making a Shared Services server also generates the /opt/phantom/bin/mcn_responses.json file, which can be passed as an argument to make_cluster_node.pyc to help set up the first node in your cluster.
The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.
Create a specific function server
Create a specific function server, such as an HAProxy load balancer, PostgreSQL database, file share, or Splunk Enterprise as root or using sudo:
Repeat once on separate virtual machine image installations for each server.
Valid arguments:
- fs - sets up a single server GlusterFS for file shares.
- db - sets up the internal PostgreSQL database to be used as an external PostgreSQL database.
- proxy - installs and configures HAProxy to serve as a load balancer for your cluster.
- splunk - allows the local Splunk Enterprise to be used as a remote search endpoint.
make_server_node.pyc prompts and warnings
The make_server_node.pyc script issues a warning that you are about to permanently change your instance.
The changes are:
- is removed from system boot scripts.
- Disabling the internal database.
- Configuring file shares.
- Installing HAProxy to act as a load balancer.
- Installing Splunk Enterprise.
You must respond to the warning with "y" for yes to proceed.
You are prompted to supply information for the TLS certificate.
- Country Code
- State Code
- City
- Organization
- Organization unit
- Hostname (or IP address)
- Email address
The remaining prompts are:
- The subnet on which PostgreSQL will accept connections.
- Set the passwords for the postgres and pgbouncer user accounts.
- Password for the user account.
When the script completes, it writes the file /opt/phantom/bin/mcn_responses.json.
Logs are written to /var/log/phantom/make_server_node/make_server_node_<date and time>.log.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.6