Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Remediate directory changes

As of this release, Splunk SOAR (On-premises) features new methods for installing and upgrading.

The new installation and upgrade process includes changes to the directory structure for Splunk SOAR (On-premises). To determine whether the new structure requires remediation so that your applications and playbooks continue to run correctly, see the following tables.

Remediate directory changes in privileged and unprivileged installations

Reference the directory schema and check for remediation actions in the following table for both privileged and unprivileged installations of Splunk SOAR (On-premises).

Files | Remediation
All local conf files for the internal Splunk instance
  • <PHANTOM_HOME>/splunk/etc/system/local/props.conf
  • <PHANTOM_HOME>/splunk/etc/system/local/web.conf
  • <PHANTOM_HOME>/splunk/etc/system/local/telemetry.conf
  • <PHANTOM_HOME>/splunk/etc/system/local/authorize.conf
  • <PHANTOM_HOME>/splunk/etc/system/local/server.conf
  • <PHANTOM_HOME>/splunk/etc/splunk-launch.conf
  • <PHANTOM_HOME>/splunk/etc/apps/splunk_httpinput/local/inputs.conf
  • <PHANTOM_HOME>/splunk/etc/apps/splunk_httpinput/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/search/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/alert_logevent/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/alert_webhook/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/appsbrowser/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/launcher/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/gettingstarted/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/introspection_generator_addon/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/learned/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/legacy/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/sample_app/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/splunk_archiver/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/SplunkForwarder/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/SplunkLightForwarder/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/splunk_monitoring_console/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/user-prefs/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/splunk_instrumentation/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
  • <PHANTOM_HOME>/splunk/etc/apps/framework/server/apps/quickstartfx/splunkd/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/framework/server/apps/homefx/splunkd/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/framework/server/splunkdj/app_templates/basic/splunkd/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/apps/framework/server/splunkdj/app_templates/splunkweb/local/app.conf
  • <PHANTOM_HOME>/splunk/etc/licenses/fixed-sourcetype_8D5CE731EA83A7D11CF05F4FBA3465C457E53DD68FE64EA2C8196F66F07092A5/license.lic
Remediation: No action required. Splunk SOAR (On-premises) doesn't support customization of the configuration for the internal Splunk instance.
<PHANTOM_HOME>/etc/supervisord.conf
Remediation: We recommend that you don't change the supervisord configuration. However, you may define a file at <PHANTOM_HOME>/usr/local/supervisord.conf and the application will read that file.

Remediate directory changes in privileged installations

Reference the directory schema and check for remediation actions in the following table for privileged installations of Splunk SOAR (On-premises).

Files | Remediation
pgbouncer configuration
  • /etc/pgbouncer/hba.conf
  • /etc/pgbouncer/userlist.txt
  • /etc/pgbouncer/pgbouncer.ini
Remediation: If you need to customize the pgbouncer configuration, create a file at <PHANTOM_HOME>/usr/local/pgbouncer.ini.
PostgreSQL configuration
  • /opt/phantom/data/db/pg_hba.conf
  • /opt/phantom/data/db/pg_ident.conf
  • /opt/phantom/data/db/postgresql.conf
Remediation: If you need to customize the PostgreSQL configuration, create a file at <PHANTOM_HOME>/usr/local/postgresql.conf.
NGINX configuration
  • /etc/nginx/conf.d/default.conf
  • /usr/share/nginx/html/502.html
  • /usr/share/nginx/html/502_phantom.html
Remediation: NGINX reads all files matching /etc/nginx/conf.d/*.conf.
UWSGI configuration
  • /etc/nginx/uwsgi.ini
  • /etc/nginx/uwsgi_log_json.ini
Remediation: If you need to customize the UWSGI configuration, create a file at /etc/nginx/uwsgi_local.ini.
/etc/logrotate.d/phantom_logrotate.conf
Remediation: If you need to customize the logrotate configuration, create a custom conf file at <PHANTOM_HOME>/usr/local/logrotate.conf.
/usr/lib/tmpfiles.d/phantom.conf
Remediation: No action required. Splunk SOAR (On-premises) doesn't support modification of this configuration.
/etc/fonts/conf.d/33-phantom-fonts.conf
Remediation: No action required. Splunk SOAR (On-premises) doesn't support modification of this configuration.
/etc/cron.d/phantom
Remediation: Use crontab instead.

Remediate directory changes in unprivileged installations

Reference the directory schema and check for remediation actions in the following table for unprivileged installations of Splunk SOAR (On-premises).

Files | Remediation
pgbouncer configuration
  • <PHANTOM_HOME>/etc/pgbouncer/hba.conf
  • <PHANTOM_HOME>/etc/pgbouncer/userlist.txt
  • <PHANTOM_HOME>/etc/pgbouncer/pgbouncer.ini
Remediation: If you need to customize the pgbouncer configuration, create a file at <PHANTOM_HOME>/usr/local/pgbouncer.ini.
PostgreSQL configuration
  • <PHANTOM_HOME>/data/db/pg_hba.conf
  • <PHANTOM_HOME>/data/db/postgresql.conf
Remediation: If you need to customize the PostgreSQL configuration, create a file at <PHANTOM_HOME>/usr/local/postgresql.conf.
NGINX configuration
  • <PHANTOM_HOME>/usr/nginx/conf/phantom-nginx-server.conf
  • <PHANTOM_HOME>/usr/nginx/conf/conf.d/phantom-nginx-server.conf
  • <PHANTOM_HOME>/usr/nginx/html/502.html
  • <PHANTOM_HOME>/usr/nginx/html/502_phantom.html
Remediation: NGINX reads all files matching <PHANTOM_HOME>/usr/nginx/conf/conf.d/*.conf.
UWSGI configuration
  • <PHANTOM_HOME>/etc/uwsgi.ini
  • <PHANTOM_HOME>/etc/uwsgi_log_json.ini
Remediation: If you need to customize the UWSGI configuration, create a file at <PHANTOM_HOME>/etc/uwsgi_local.ini.
<PHANTOM_HOME>/etc/logrotate.d/phantom_logrotate.conf
Remediation: If you need to customize the logrotate configuration, create a custom conf file at <PHANTOM_HOME>/usr/local/logrotate.conf.
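
The following is an added example, not part of the Splunk documentation or tooling: a shell function that inventories the override locations named in the tables above for an unprivileged installation, so you can see which customizations exist before and after an upgrade. The function name and the check for group- or world-writable override files are assumptions added here as a hardening step; the page itself does not require them.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. Override paths are the ones the
# unprivileged-installation tables on this page name; the permission
# check is an assumed extra hardening step.

# Print one "STATUS path" line per override location under $1 (PHANTOM_HOME).
# STATUS is: absent, ok, or writable (group- or world-writable file).
# Returns the number of writable override files found.
audit_overrides() {
    home=$1
    bad=0
    for rel in \
        usr/local/supervisord.conf \
        usr/local/pgbouncer.ini \
        usr/local/postgresql.conf \
        usr/local/logrotate.conf \
        etc/uwsgi_local.ini
    do
        f="$home/$rel"
        if [ ! -f "$f" ]; then
            echo "absent   $f"
        elif [ -n "$(find -L "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            # Services read these files, so loose write bits matter.
            echo "writable $f"
            bad=$((bad + 1))
        else
            echo "ok       $f"
        fi
    done
    # NGINX loads every *.conf in conf.d, so list each file found there.
    for f in "$home"/usr/nginx/conf/conf.d/*.conf; do
        if [ -f "$f" ]; then
            echo "nginx    $f"
        fi
    done
    return "$bad"
}

# Runs only when PHANTOM_HOME is set in the environment.
if [ -n "${PHANTOM_HOME:-}" ]; then
    audit_overrides "$PHANTOM_HOME" || echo "override files with loose permissions: $?"
fi
```

For a privileged installation, the UWSGI override and the NGINX drop-in directory are under /etc/nginx instead, as listed in the privileged table.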
Last modified on 06 December, 2022

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0

