Administer Splunk SOAR (On-premises) 6.0.0
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
Use ibackup with warm standby

The warm standby and the backup and restore features require careful planning to use together.

Warm standby and ibackup features of Splunk SOAR (On-premises) use the Write Ahead Logging feature in PostgreSQL. When you configure a Splunk SOAR (On-premises) deployment to use both warm standby and ibackup, you must configure warm standby first. After restoring a deployment with ibackup, you must update the warm standby configuration.

The ibackup feature should only be configured on the primary instance.

Configuring warm standby after configuring ibackup archives all existing backups. Archiving all of the backups prevents new backups from being generated or existing backups from being used in a restore.

You can generate new backups once you run ibackup with the --setup option.

Restore a system configured for warm standby

In a warm standby configuration, when the primary Splunk SOAR (On-premises) instance is restored from a backup, you must update the warm standby configuration.

Prerequisites

You need the following information to update your warm standby configuration:

  • Password for the Splunk SOAR (On-premises) user on the secondary Splunk SOAR (On-premises) instance. If the Splunk SOAR (On-premises) user does not have a password, you must set one.
  • Password for the PostgreSQL database replication user.
  • Configuration information for creating the SSL certificate:
    • Country code
    • State code
    • Organization
    • Organization unit
    • Domain
    • Email

Restore a backup from a warm standby primary to the same Splunk SOAR (On-premises) instance

When you restore a backup of a Splunk SOAR (On-premises) warm standby primary to the same instance, the warm standby configuration must be updated.

To update the warm standby configuration, perform the following steps:

  1. Open a terminal session for both the primary and secondary Splunk SOAR (On-premises) instances. Keep these sessions open until you complete these steps.
    1. From the command line, SSH to your primary Splunk SOAR (On-premises) instance.
      ssh <username>@<primary_phantom_hostname>
    2. SSH to your secondary and warm standby Splunk SOAR (On-premises) instance.
      ssh <username>@<warm_standby_phantom_hostname>
    3. In both sessions, elevate to root.
      sudo su -
  2. On the primary instance of Splunk SOAR (On-premises), perform the restore. See Restore Splunk SOAR (On-premises) from a backup.
  3. On the primary instance of Splunk SOAR (On-premises), disable warm standby.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --primary-mode --off
  4. On the secondary instance of Splunk SOAR (On-premises), disable warm standby.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --off
  5. On the secondary instance of Splunk SOAR (On-premises), stop all Splunk SOAR (On-premises) services.
    /<PHANTOM_HOME>/bin/stop_phantom.sh

    Failing to stop these services on the secondary instance results in two active instances operating independently, polling for data and executing automated actions. This can result in data loss or other undesired results.

  6. On the primary instance of Splunk SOAR (On-premises), configure it to be the primary instance for warm standby. You are prompted to give passwords for the Splunk SOAR (On-premises) user, the PostgreSQL database replication user, and the information for creating a self-signed SSL certificate.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --primary-mode --configure --primary-ip <primary_ip> --standby-ip <standby_ip>
  7. On the secondary instance, configure it to be the warm standby instance.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --configure --primary-ip <primary_ip> --standby-ip <standby_ip>
  8. On both instances of Splunk SOAR (On-premises), verify that warm standby is replicating.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --status

Example output from Splunk SOAR (On-premises) primary:

========= Processed Params =========
  Instance looks like Primary
   DB replication configured with Standby set to:  <warm_standby_ip>/32
   DB replication currently streaming
   Vault sync configured
=========  Script Done =========

Example output from Splunk SOAR (On-premises) secondary or warm standby:

========= Processed Params =========
  Instance looks like Standby
   DB replication configured
   rsync configured
=========  Script Done =========

Restore a backup from a warm standby primary to a new Splunk SOAR (On-premises) instance

When you restore a backup of a Splunk SOAR (On-premises) warm standby primary to a new instance that you want to become the new primary, you must update the warm standby configuration and copy two secret files from the new primary to the secondary instance.

To update the warm standby configuration, perform the following steps:

  1. Open a terminal session for both the primary and secondary Splunk SOAR (On-premises) instances. Keep these sessions open until you complete these steps.
    1. From the command line, SSH to your primary Splunk SOAR (On-premises) instance.
      ssh <username>@<primary_phantom_hostname>
    2. SSH to your secondary and warm standby Splunk SOAR (On-premises) instance.
      ssh <username>@<warm_standby_phantom_hostname>
    3. In both sessions, elevate to root.
      sudo su -
  2. On the primary instance of Splunk SOAR (On-premises), perform the restore. See Restore Splunk SOAR (On-premises) from a backup.
  3. On the primary instance of Splunk SOAR (On-premises), disable warm standby.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --primary-mode --off
  4. On the secondary instance of Splunk SOAR (On-premises), disable warm standby.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --off
  5. On the secondary instance of Splunk SOAR (On-premises), stop all Splunk SOAR (On-premises) services.
    /<PHANTOM_HOME>/bin/stop_phantom.sh

    Failing to stop these services on the secondary instance results in two active instances operating independently, polling for data and executing automated actions. This can result in data loss or other undesired results.

  6. Copy these files from the new primary instance of Splunk SOAR (On-premises) to the secondary. Both files are secrets, so copy them over an authenticated, encrypted channel such as scp over SSH, not through a shared mount, mail, or a ticket:
    1. /<PHANTOM_HOME>/keystore/private_key.pem
    2. /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
  7. On the secondary instance of Splunk SOAR (On-premises), set the permissions, ownership, and SELinux security contexts for the files you copied to the secondary.
    1. chmod 0640 /<PHANTOM_HOME>/keystore/private_key.pem /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
    2. chown root:phantom /<PHANTOM_HOME>/keystore/private_key.pem
    3. chown phantom:phantom /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
    4. restorecon /<PHANTOM_HOME>/keystore/private_key.pem /<PHANTOM_HOME>/www/phantom_ui/secret_key.py
  8. On the primary instance of Splunk SOAR (On-premises), configure it to be the primary for warm standby. You are prompted to give passwords for the Splunk SOAR (On-premises) user, the PostgreSQL database replication user, and the information for creating a self-signed SSL certificate.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --primary-mode --configure --primary-ip <primary_ip> --standby-ip <standby_ip>
  9. On the secondary instance, configure it to be the warm standby instance.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --configure --primary-ip <primary_ip> --standby-ip <standby_ip>
  10. On both instances of Splunk SOAR (On-premises), verify that the warm standby instance is replicating on each Splunk SOAR (On-premises) instance.
    phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --status

Example output from Splunk SOAR (On-premises) primary:

========= Processed Params =========
  Instance looks like Primary
   DB replication configured with Standby set to:  <warm_standby_ip>/32
   DB replication currently streaming
   Vault sync configured
=========  Script Done =========

Example output from Splunk SOAR (On-premises) secondary or warm standby:

========= Processed Params =========
  Instance looks like Standby
   DB replication configured
   rsync configured
=========  Script Done =========
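The following shell functions are an added example and are not part of the Splunk SOAR (On-premises) product or its documentation. They wrap the two parts of the procedures above that are otherwise checked by eye: staging the two secret files on the secondary with the ownership, mode and SELinux context that step 7 of the second procedure prescribes, and turning the final `--status` verification step of both procedures into a pass/fail check. The function names, the `/opt/phantom` default for `PHANTOM_HOME`, root SSH access from the primary to the secondary, and GNU `stat` on the secondary are all assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example; not Splunk's own tooling. Assumptions: PHANTOM_HOME defaults
# to /opt/phantom, root SSH from the primary to the standby, GNU stat/chown and
# restorecon on the standby. Function names are hypothetical.
set -e

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"

# <path relative to PHANTOM_HOME> <owner:group> <mode>, as the procedure states.
SECRET_FILE_SPEC='keystore/private_key.pem root:phantom 640
www/phantom_ui/secret_key.py phantom:phantom 640'

# check_secret_file <path> <owner:group> <octal mode>
# Returns 0 only if the file exists with exactly that ownership and mode.
check_secret_file() {
    path="$1"; owner="$2"; mode="$3"
    if [ ! -f "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    actual="$(stat -c '%U:%G %a' "$path")"
    if [ "$actual" != "$owner $mode" ]; then
        echo "wrong ownership/mode on $path: have '$actual', want '$owner $mode'" >&2
        return 1
    fi
    return 0
}

# push_secrets_to_standby <standby_host>
# Run as root on the restored (new) primary after warm standby has been turned
# off on both sides. Files travel only over SSH; ownership, mode and SELinux
# context are then set on the standby, mirroring step 7 of the second procedure.
push_secrets_to_standby() {
    standby="$1"
    while read -r rel owner mode; do
        scp -p "$PHANTOM_HOME/$rel" "root@$standby:$PHANTOM_HOME/$rel"
        ssh "root@$standby" "chown '$owner' '$PHANTOM_HOME/$rel' \
            && chmod '$mode' '$PHANTOM_HOME/$rel' \
            && restorecon '$PHANTOM_HOME/$rel'"
    done <<EOF
$SECRET_FILE_SPEC
EOF
}

# verify_secrets_on_standby
# Run as root on the standby before --standby-mode --configure. Returns 1 if
# either file is missing or has the wrong ownership or mode.
verify_secrets_on_standby() {
    rc=0
    while read -r rel owner mode; do
        check_secret_file "$PHANTOM_HOME/$rel" "$owner" "$mode" || rc=1
    done <<EOF
$SECRET_FILE_SPEC
EOF
    return $rc
}

# replication_status_ok <primary|standby>
# Reads the output of "setup_warm_standby.pyc --status" on stdin and returns 0
# only if the instance reports the role you expect and the line the procedure
# uses as its success criterion is present: "currently streaming" on the
# primary, "DB replication configured" on the standby. A primary that is
# configured but not streaming fails the check.
replication_status_ok() {
    role="$1"
    out="$(cat)"
    case "$role" in
        primary)
            printf '%s\n' "$out" | grep -q 'Instance looks like Primary' \
                && printf '%s\n' "$out" | grep -q 'DB replication currently streaming'
            ;;
        standby)
            printf '%s\n' "$out" | grep -q 'Instance looks like Standby' \
                && printf '%s\n' "$out" | grep -q 'DB replication configured'
            ;;
        *)
            echo "role must be primary or standby" >&2
            return 2
            ;;
    esac
}
```

Source the file in the root shells you opened in step 1. On the new primary run `push_secrets_to_standby <standby_ip>` between steps 5 and 8; on the secondary run `verify_secrets_on_standby` before step 9; and on each instance finish with `phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --status | replication_status_ok primary` (or `standby`), which exits non-zero instead of leaving you to compare the output against the samples above.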
Last modified on 19 March, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0