Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Install as an unprivileged user

TAR file distributions of are available for installing .

All services such as the PostgreSQL database are installed in the user space for the user account that runs Splunk SOAR (On-premises).


Make sure that your system is running one of the supported operating systems.

  • Red Hat Enterprise Linux 7.6 through 7.9
  • Red Hat Enterprise Linux 8.0 and and any of the minor versions of 8
  • CentOS 7.6 through 7.9
  • Amazon Linux 2
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-01-10 19:06:30 GMT; 1 months 0 days ago
     Docs: man:firewalld(1)
 Main PID: 967 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─967 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
  • If the firewalld daemon is not running, or not installed, install firewalld and start it.
  1. Install firewalld.
    sudo yum install firewalld
  2. Start firewalld.
    sudo systemctl start firewalld
  3. Set firewalld to run whenever the system starts.
    sudo systemctl enable firewalld
  4. (Conditional) Set some basic firewall rules so that you can access the system during the install and for maintenance. You may need to implement other rules to comply with your organization's security policies.
    1. sudo firewall-cmd --permanent --zone public --add-port 22/tcp
    2. sudo firewall-cmd --permanent --zone public --add-port 2222/tcp
    3. sudo firewall-cmd --reload

Federal Information Processing Standard (FIPS) support

can be deployed in a FIPS compliant mode, if the operating system kernel is in FIPS mode.

  • Your operating system, either RHEL or CentOS must be in FIPS mode.
  • You must create a new, unprivileged deployment of , either as a single instance or as a cluster.

To determine whether your operating system kernel is in FIPS mode, run the following command.

cat /proc/sys/crypto/fips_enabled

If that command returns a 1, the kernel is in FIPS mode. If that command returns a 0, the kernel is not in FIPS mode.

You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:

Install from the TAR file

Install in a two stage process, preparing the system for installation, then installing .

Prepare the system for installation

  1. On the machine where you want to install Splunk SOAR (On-premises), make sure the operating system is updated.
    sudo yum clean all
    sudo yum update
  2. If the machine where you want to install Splunk SOAR (On-premises) required kernel updates, reboot the system before continuing with the installation.
  3. Download the unprivileged installer from the Splunk SOAR Free Trial page.
  4. If you downloaded the installer onto a local machine and need to copy it to the machine where you want to install Splunk SOAR (On-premises), you can use the following command.
    scp -r ./splunk_soar-unpriv-<version>.tgz <user>@<installation_address>
  5. Log in as a user with root privileges to the machine where you want to install Splunk SOAR (On-premises).
  6. Extract the TAR file.
    tar -xzvf ./splunk_soar-unpriv-<version>.tgz
  7. Use the following command to prepare the system for the unprivileged installation:
    ./soar-prepare-system --splunk-soar-home <home_directory> --https-port <port_number>
    When you run the pre-install script, it prompts you to configure the system. All arguments for the script are optional.

    Run the ./soar-prepare-system --help command to see all the available arguments

    • The --splunk-soar-home argument specifies the home directory for Splunk SOAR (On-premises). That directory must exist and the user meant to run the installation must own that directory. If the --splunk-soar-home argument is not specified, the installation defaults to the directory where the installation package was extracted.
    • Use the --https-port argument to expose the web interface on the specified port, which must be a port between 1024 and 65535.

      The --https-port argument defaults to port 8443. The firewalld daemon must be running. The --port-forward argument will expose the Splunk SOAR (On-premises) web interface on port 443 in addition to the port specified with --https-port. Do not use the --port-forward argument if you are not using firewalld or if you are building a Splunk SOAR (On-premises) cluster.

  8. Answer each of the presented prompts:
    If a configuration requirement is already satisfied in your system, the prompt for that requirement might not appear.
    • Install pre-requisite RPM packages required by Splunk SOAR (Y/n): If prompted, you must answer Y to proceed.
    • GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. Do you want to run this step? (Y/n): You only need to answer Y if you are setting up certain cluster configurations of Splunk SOAR (On-premises), but you can answer Y even on individual instances.
    • Enable the ntpd service to guarantee clock synchronization. Do you want to run this step? (Y/n): Answer Y.
    • Create a non-privileged user for running Splunk SOAR (On-premises). (Y/n): If prompted, you must answer Y to proceed.
    • Do you want to set a password for <non-privileged_user> now? (Y/n): Answer Y if you created a non-privileged user for running Splunk SOAR (On-premises) in the previous step.
    • Set system resource limits for Splunk SOAR user, particularly file descriptor limits, which are low by default. (Y/n): Answer Y.


Make sure you are logged in as the user meant to own the installation. Do not perform the installation command as the root user.

  1. Run the soar-install installation script with the same arguments you included in the soar-prepare-system script.
    Use the --splunk-soar-home argument to specify the directory where will be installed. That directory must exist and must be owned by the user account that will run .
    As an example, --splunk-soar-home /opt/soar installs to the directory /opt/soar.
    ./soar-install --splunk-soar-home <home_directory> --https-port <port_number>
  2. The soar-install installation script displays the installation and path and HTTPS port number, then asks Do you want to proceed? (y/N). If the path and port are correct, answer y.

    The --https-port argument specifies what port the Splunk SOAR (On-premises) web server uses to expose the web user interface.

  3. The soar-install installation script displays the installation and path and HTTPS port number, then asks Do you want to proceed? (y/N). If the path and port are correct, answer y.

Run the sudo ./soar-prepare-system --help and sudo ./soar-install --help commands to see what optional arguments are available. See Splunk SOAR (On-premises) default credentials, script options, and sample configuration files.

Last modified on 12 December, 2023
Install using the Amazon Marketplace Image   Log in to the web interface

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.2, 6.1.0, 6.1.1

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters