Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Upgrade a privileged cluster

When you upgrade your Splunk SOAR (On-premises) clustered deployment to release 5.4.0 your privileged deployment is automatically converted to an unprivileged one. For more information on this conversion, see Convert a privileged deployment to an unprivileged deployment.

Perform the following tasks to upgrade your cluster. These tasks apply to privileged clusters running on local hardware, or privileged clusters running in Amazon Web Services.

Before you begin

Before you begin to upgrade your cluster, do the following steps:

  1. Read upgrade overview and prerequisites.
  2. Prepare your cluster's server node or load balancer, if the load balancer is separate from your cluster's server node.
    1. Log in to the operating system of your server node or load balancer as either the root user or a user with sudo privileges.
    2. Update the firewalld rules to allow the custom HTTPS port for . 
      firewall-cmd --permanent --add-port=8443/tcp
    3. Reload firewalld. 
      fireall-cmd --reload
    4. Configure haproxy (or other load balancer) to add the custom HTTPS port. On in /etc/haproxy/haproxy.cfg, copy the entry that looks like this: 
      bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256

      Add a copy of that entry, edited with your custom HTTPS port: 

      bind *:8443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256
    5. Reload haproxy. 
      systemctl reload haproxy
      or 
      systemctl reload rh-haproxy18-haproxy

      If you use a load balancer other than haproxy, you need to do the equivalent of these steps for that load balancer.

Upgrade the cluster nodes

For each SOAR node, follow the upgrade instructions, one node at a time:

The same TAR file is used for install and upgrade processes. The file detects the presence of SOAR and installs or upgrades accordingly.

  1. Restart the operating system if you did not recently restart it as part of the prerequisites.
    This step is required to ensure that the upgrade completes successfully and efficiently.
    As the root user: 
    reboot
  2. After the system restarts, log in to the operating system as either the root user or a user with sudo privileges.
  3. Download the privileged installer from the Splunk SOAR site. The installer is packaged with static versions of the product's dependencies when the product is built. The installer is named in the format splunk_soar-priv-<major>.<minor>.<patch>.<build>-<commit_short_sha>-el7-x86_64.tgz.
  4. Extract the TGZ file you downloaded using tar -xf <installer>.tgz into the /opt/phantom directory.
  5. The installer package you extracted creates a file called soar-install in the <$PHANTOM_HOME>/splunk-soar directory. Run that as root: 
    sudo <$PHANTOM_HOME>/splunk-soar/soar-install --upgrade --with-apps

You can see the full list of arguments for the soar-install script by using the --help option.

Last modified on 14 September, 2023
Upgrade a Splunk SOAR (On-premises) instance   Upgrade an unprivileged cluster

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.4.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters