Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Run make_server_node.pyc

Do not use this release to create new clusters of Splunk SOAR (On-premises).

Use this release to upgrade from your current privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4.

If you are upgrading a privileged deployment of Splunk Phantom 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.4, upgrade to release 5.3.6, convert your deployment to unprivileged, then upgrade again directly to Splunk SOAR (On-premises) release 6.1.1 or higher.

If you have a privileged deployment of Splunk SOAR (On-premises) release 5.3.5, convert your deployment to unprivileged, then upgrade directly to Splunk SOAR (On-premises) release 6.1.1 or higher.

To learn how to upgrade see Splunk SOAR (On-premises) upgrade overview and prerequisites.

Use the make_server_node.pyc script to convert an install into either a specific service or a Shared Services server for a cluster.

Additional configuration steps for unprivileged clusters

Perform the following steps on the load balancer or Shared Services server as root or as a user using sudo to get elevated permissions.

  1. Set SELINUX to allow HAProxy to bind to your custom HTTPS port.

    If SELINUX is disabled, then skip this step.

    semanage port --add --type http_port_t --proto tcp <HTTPS PORT>

    If you receive an error that the port is already defined, use --modify instead of --add.

    semanage port --modify --type http_port_t --proto tcp <HTTPS PORT>
  2. Edit /etc/haproxy/haproxy.cfg to remove the comment marker # from the frontend block on the line for your custom HTTPS port.
    # bind *:<HTTPS PORT> ssl crt /etc/haproxy/ … 

    Becomes:

    bind *:<HTTPS PORT> ssl crt /etc/haproxy/ …
  3. Restart HAProxy.
    systemctl restart rh-haproxy18-haproxy
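The three steps above, collected into one POSIX shell script as an added example (this is not Splunk's own code). The HTTPS port, the config path, and the GlusterFS-style frontend block in the constructed sample config are assumptions for illustration; the real `/etc/haproxy/haproxy.cfg` keeps the certificate path the installer wrote. The port-labelling step falls back to `--modify` when `semanage` reports the port as already defined, which is the error case the text mentions, and the edit step only removes the comment marker from the bind line for the requested port, leaving every other line untouched.

```shell
#!/bin/sh
# Added example: apply the SELinux, HAProxy bind and restart steps for a
# custom HTTPS port on the load balancer / Shared Services server.
# Assumed values: port 8443 and the config path below.

# Step 1: label the custom port as http_port_t so HAProxy may bind to it.
# If the port is already defined, --add fails and --modify is used instead.
allow_haproxy_port() {
    port="$1"
    if [ "$(getenforce 2>/dev/null)" = "Disabled" ]; then
        echo "SELinux is disabled; skipping port labelling"
        return 0
    fi
    semanage port --add --type http_port_t --proto tcp "$port" 2>/dev/null \
        || semanage port --modify --type http_port_t --proto tcp "$port"
}

# Step 2: drop the leading '#' from the bind line for this port only.
# Leading indentation is preserved; other commented lines are not touched.
# Returns 0 when an active bind line for the port exists afterwards.
uncomment_bind_line() {
    cfg="$1"
    port="$2"
    sed "s|^\([[:space:]]*\)#[[:space:]]*\(bind \*:${port} ssl crt \)|\1\2|" "$cfg" \
        > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q "^[[:space:]]*bind \*:${port} ssl crt" "$cfg"
}

# Step 3: restart the Software Collections HAProxy service named on the page.
restart_haproxy() {
    systemctl restart rh-haproxy18-haproxy
}

# Demonstration on a constructed config file (no root, no SELinux needed).
# On a real server the call sequence would be:
#   allow_haproxy_port 8443 && uncomment_bind_line /etc/haproxy/haproxy.cfg 8443 && restart_haproxy
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/server.pem
    # bind *:8443 ssl crt /etc/haproxy/certs/server.pem
    default_backend soar_nodes
EOF
uncomment_bind_line "$demo_cfg" 8443 && echo "bind line for 8443 is now active:"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Run the demonstration as any user to see the edit; run the real sequence in the comment as root after the port you chose has been labelled.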

Create a Shared Services server

A single Shared Services server becomes a single point of failure. Any problems on the Shared Services server impact your entire cluster. For production use, build a server for each service rather than a single Shared Services server.

A single Shared Services server is not recommended for production use. This mode is primarily intended for Proof of Value or demonstrations.

Create a Shared Services server as root or using sudo:

/opt/phantom/bin/phenv python /opt/phantom/bin/make_server_node.pyc

Making a Shared Services server also generates the /opt/phantom/bin/mcn_responses.json file, which can be passed as an argument to make_cluster_node.pyc to help set up the first node in your cluster.

The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.
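Because mcn_responses.json carries plaintext credentials, the minimum protection while it is still needed is to make it readable by root only, and to remove it once the first cluster node is configured. The following POSIX shell functions are an added example, not part of Splunk's tooling; the path is the one the page names and the check is written against a constructed file so it can be tried without a real installation.

```shell
#!/bin/sh
# Added example: lock down and later remove the make_server_node.pyc
# responses file. The default path is the one documented on the page.
RESPONSES_FILE="${RESPONSES_FILE:-/opt/phantom/bin/mcn_responses.json}"

# Returns 0 when the file is readable only by its owner (no group/other bits).
is_owner_only() {
    f="$1"
    [ -f "$f" ] || return 1
    # POSIX find: -perm -044 matches if either group or other has read.
    [ -z "$(find "$f" -perm -040 -o -perm -004 2>/dev/null)" ]
}

# Tighten the mode to 0600 and report whether that succeeded.
lock_down_responses() {
    f="${1:-$RESPONSES_FILE}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    chmod 0600 "$f" || return 1
    is_owner_only "$f"
}

# Remove the file once the cluster is configured. shred is used when
# available so the plaintext does not linger on disk; rm is the fallback.
remove_responses() {
    f="${1:-$RESPONSES_FILE}"
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        rm -f "$f"
    fi
    [ ! -e "$f" ]
}

# Demonstration on a constructed file with the typical default mode 0644.
demo="$(mktemp)"
printf '{"postgres_password": "constructed-sample"}\n' > "$demo"
chmod 0644 "$demo"
is_owner_only "$demo" || echo "before: $demo is readable by group/other"
lock_down_responses "$demo" && echo "after: $demo is owner-only"
remove_responses "$demo" && echo "removed: $demo"
```

On the server, `lock_down_responses` with no argument acts on /opt/phantom/bin/mcn_responses.json, and `remove_responses` is the step to run after make_cluster_node.pyc has consumed the file.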

Create a specific function server

Create a specific function server, such as an HAProxy load balancer, PostgreSQL database, file share, or Splunk Enterprise as root or using sudo:

/opt/phantom/bin/phenv python /opt/phantom/bin/make_server_node.pyc --<option argument>

Repeat once on separate virtual machine image installations for each server.

Valid arguments:

  • fs - sets up a single server GlusterFS for file shares.
  • db - sets up the internal PostgreSQL database to be used as an external PostgreSQL database.
  • proxy - installs and configures HAProxy to serve as a load balancer for your cluster.
  • splunk - allows the local Splunk Enterprise to be used as a remote search endpoint.

make_server_node.pyc prompts and warnings

The make_server_node.pyc script issues a warning that you are about to permanently change your instance.

The changes are:

  • is removed from system boot scripts.
  • Disabling the internal database.
  • Configuring file shares.
  • Installing HAProxy to act as a load balancer.
  • Installing Splunk Enterprise.

You must respond to the warning with "y" for yes to proceed.

You are prompted to supply information for the TLS certificate.

  • Country Code
  • State Code
  • City
  • Organization
  • Organization unit
  • Hostname (or IP address)
  • Email address

The remaining prompts are:

  • The subnet on which PostgreSQL will accept connections.
  • Set the passwords for the postgres and pgbouncer user accounts.
  • Password for the user account.

When the script completes it writes the file /opt/phantom/bin/mcn_responses.json.

Logs are written to /var/log/phantom/make_server_node/make_server_node_<date and time>.log.

Last modified on 19 September, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.6
