Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Default credentials, script options, and sample configuration files

This section has the default credentials, script options and example configuration files.

Default credentials

The default credentials on a new installation of Splunk SOAR (On-premises) are:

Web Interface

  • Username: soar_local_admin
  • Password: password

On Splunk SOAR (On-premises) deployments that have been upgraded from earlier releases, the user account admin becomes a normal user account with the Administrator role.

The default credentials of a new AMI installation of Splunk SOAR (On-premises) are:

SSH accounts:

  • Username: phantom
  • Password: None. You must use the SSH key created when deploying the AMI version of Splunk SOAR (On-premises).

Web Interface

  • Username: soar_local_admin
  • Password: <full AWS instance ID>

You should change the default passwords immediately after the installation is complete.

Installation or configuration scripts

This section lists various installation scripts and their command line options.

soar-prepare-system.sh

Use these arguments to prepare your system to install Splunk SOAR (On-premises). This script must be run as the root user or by a user with sudo privileges.

General arguments

These options are informational or intended for debugging purposes.

  • -h, --help: Display the help message, then exit.

Debugging options. These are not intended to be used in production systems.

  • --no-color: Do not color log output.
  • --dry-run: Print the install steps instead of running them.
  • -v, --verbose, --debug: Output debug-level logging to the console and the log file.

Arguments for install, upgrade, or removal

These options apply in every case: install, upgrade, or removal.

  • -y, --no-prompt: If given, do not ask for confirmation before running the installation steps.
  • --log-format {json, plain, pretty-json}: The default logging format is JSON. Pretty-JSON logging decorates log messages with useful context, whereas plain text logging mirrors the console output more closely.
  • --no-spinners: If your terminal has problems showing loading spinners, or you are automating the install and the spinner output is noisy, use this flag to disable them.

Arguments for new installations

This set of options is only for installing a new deployment of Splunk SOAR (On-premises).

  • --splunk-soar-home <PHANTOM_HOME>: Path that should act as the Splunk SOAR installation directory. Defaults to the directory this script is located in, usually /opt/phantom.
  • --https-port <PHANTOM_PORT>: TCP port to which Splunk SOAR's web server will bind for HTTPS. Must be between 1024 and 65535, and defaults to 8443.
  • --splunk-soar-user <PHANTOM_USER>: Name of the user that will own the Splunk SOAR installation.

Arguments for running optional steps without prompts

Use these arguments to run specific optional steps without prompting the user.

  • --gluster-fs: GlusterFS is only needed if you are using an external file share, which is common when you are constructing a Splunk SOAR cluster.
  • --chronyd-service: Activate the chronyd service to guarantee clock synchronization.
  • --sysstat-service: Activate the sysstat service. Required if you want to forward data using the Splunk Add-on for Linux Logs.
  • --firewall: Ensure that the required ports are opened in firewalld. Do not use this argument if you are not using firewalld.
  • --port-forward: Make Splunk SOAR available on the default HTTPS port (443) in addition to the configured port. Do not use this argument if you are not using firewalld or if you are creating a cluster.
  • --migrate-priv-to-unpriv: Use this argument to prepare your deployment to migrate a privileged deployment to an unprivileged deployment.

soar-install.sh

This script is used to install, upgrade, or remove Splunk SOAR (On-premises).

Optional arguments

These arguments can be used to manually specify which action soar-install.sh should perform, or to turn on debugging options.

  • -h, --help: Show the help message, then exit.
  • --upgrade: If a lower version of Splunk SOAR is already installed, upgrade it.
  • --remove: If a lower version of Splunk SOAR is already installed, remove it.
  • --offline: If the installation environment does not have internet access, use this argument to skip installation checks that use the internet.

Debug arguments. These arguments are not intended to be used in production.

  • --no-color: Do not color log output.
  • --dry-run: Print the install steps instead of running them.
  • -v, --verbose, --debug: Output debug-level logging to the log file and the console.
  • --version <VERSION>: Supply a custom Splunk SOAR version, rather than relying on the .soar file.

Arguments for install, upgrade, or removal

These options apply in every case: install, upgrade, or removal.

  • -y, --no-prompt: If given, do not ask for confirmation before running the installation steps.
  • --log-format {json, plain, pretty-json}: The default logging format is JSON. Pretty-JSON logging decorates log messages with useful context, whereas plain text logging mirrors the console output more closely.
  • --no-spinners: If your terminal has problems showing loading spinners, or you are automating the install and the spinner output is noisy, use this flag to disable them.

Arguments for new installations

This set of options is only for installing a new deployment of Splunk SOAR (On-premises).

  • -c <CONTINUE_FROM>, --continue-from <CONTINUE_FROM>: <CONTINUE_FROM> must be the name of an installation step. Use this option to recover from a failure: start running from the named step, and assume that previous steps have already run. Note that removal steps are run in reverse.
  • -s <STOP_AT>, --stop-at <STOP_AT>: <STOP_AT> must be the name of an installation step. Use this option to recover from a failure: stop running before the named step. Note that removal steps are run in reverse.
  • --ova: Install Splunk SOAR for use in OVA format.
  • --splunk-soar-home <PHANTOM_HOME>, --phantom-home <PHANTOM_HOME>: Path that should act as the Splunk SOAR installation directory. Defaults to the directory this script is located in, usually /opt/phantom.
  • --https-port <PHANTOM_PORT>, --splunk-soar-port <PHANTOM_PORT>, --phantom-port <PHANTOM_PORT>: TCP port to which Splunk SOAR's web server will bind for HTTPS. Must be between 1024 and 65535, and defaults to 8443.
  • --ignore-warnings: If specified, continue through any non-fatal warnings. This setting is only recommended if you have previously run with warnings turned on and determined, possibly with the assistance of Splunk SOAR support, that the warnings you see can be safely ignored.
  • --with-apps: If specified, install or upgrade apps at the same time as the platform.

Arguments for upgrade installations

Use these arguments for soar-install.sh when performing an upgrade.

  • --splunk-indexer-token <SPLUNK_INDEXER_TOKEN>: (Optional) Use this argument to supply the Splunk TCP token used to connect to your external Splunk Enterprise indexers. Only use this argument when upgrading from Splunk SOAR release 6.2.0 or higher.
  • --splunk-indexer-port <SPLUNK_INDEXER_PORT>: Use this argument to specify the TCP port on which your external Splunk Enterprise indexers are listening. The default TCP port is 9997. Only use this argument when upgrading from Splunk SOAR release 6.2.0 or higher.
  • --splunk-indexer-credentials-package <SPLUNK_INDEXER_CREDENTIALS_PACKAGE>: Use this argument to supply the credentials package for configuring a Splunk Universal Forwarder to forward data to your Splunk Cloud Platform deployment. Only use this argument when upgrading from Splunk SOAR release 6.2.0 or higher.
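The following is an added example and is not part of the Splunk SOAR documentation: a POSIX shell wrapper that composes unattended soar-prepare-system.sh and soar-install.sh command lines from the options described above, and refuses an HTTPS port outside the documented 1024 to 65535 range before anything runs. It assumes that both scripts sit in the unpacked installation directory (/opt/phantom here), that the service account is named phantom, and that the prepare script is run through sudo; none of those three details comes from this page.

```shell
#!/bin/sh
# Added example, not from the Splunk SOAR documentation.
# Composes unattended command lines for soar-prepare-system.sh and
# soar-install.sh using only options documented on this page.
# Assumptions: both scripts live in the install directory, the service
# account is "phantom", and the prepare script is run through sudo.

SOAR_HOME="${SOAR_HOME:-/opt/phantom}"   # documented default location
SOAR_USER="${SOAR_USER:-phantom}"        # assumed service account name
SOAR_PORT="${SOAR_PORT:-8443}"           # documented default HTTPS port

# valid_https_port PORT: succeeds only for an integer in 1024..65535,
# the range soar-prepare-system.sh and soar-install.sh accept.
valid_https_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# prepare_cmd HOME PORT USER [FLAG...]: prints the soar-prepare-system.sh
# command line. -y, --no-spinners and --log-format json make the run
# non-interactive and its output easy to collect from automation.
prepare_cmd() {
    home="$1"; port="$2"; user="$3"; shift 3
    valid_https_port "$port" || { echo "invalid HTTPS port: $port" >&2; return 1; }
    printf 'sudo %s/soar-prepare-system.sh -y --no-spinners --log-format json' "$home"
    printf ' --splunk-soar-home %s --https-port %s --splunk-soar-user %s' "$home" "$port" "$user"
    for flag in "$@"; do printf ' %s' "$flag"; done
    printf '\n'
}

# install_cmd HOME PORT [FLAG...]: prints the soar-install.sh command line
# with the same unattended settings.
install_cmd() {
    home="$1"; port="$2"; shift 2
    valid_https_port "$port" || { echo "invalid HTTPS port: $port" >&2; return 1; }
    printf '%s/soar-install.sh -y --no-spinners --log-format json' "$home"
    printf ' --splunk-soar-home %s --https-port %s' "$home" "$port"
    for flag in "$@"; do printf ' %s' "$flag"; done
    printf '\n'
}

# Demo: print a --dry-run pair first (a dry run only lists the steps), so
# the exact steps can be reviewed before the real run. Set SOAR_DEMO=1 to print.
if [ "${SOAR_DEMO:-0}" = "1" ]; then
    prepare_cmd "$SOAR_HOME" "$SOAR_PORT" "$SOAR_USER" --firewall --chronyd-service --dry-run
    install_cmd "$SOAR_HOME" "$SOAR_PORT" --with-apps --dry-run
fi
```

Run it with SOAR_DEMO=1 to see the two command lines; drop --dry-run from the calls once the listed steps look right. Keeping --firewall and --port-forward out of the default flag set is deliberate: the page says both are only correct on firewalld hosts, and --port-forward must not be used on cluster nodes, so they belong in an explicit per-host decision rather than in a wrapper default.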

make_server_node.pyc options

Use these options to control the make_server_node.pyc command.

  • --version: Display the program's version number.
  • --help: Display a list and description of arguments.
  • --no-prompt: Run the program without displaying the warning prompt.

Configuration files

This section contains example configuration files. Use these as a guide when configuring items for use in your deployment.

HAProxy Configuration

    ##--------------------------------------------------------------------
    ## HAPROXY 1.8.7 CONFIGURATION FILE
    ##--------------------------------------------------------------------
    #---------------------------------------------------------------------
    # global settings
    #---------------------------------------------------------------------
    global
        tune.ssl.default-dh-param 2048
        log 127.0.0.1:514 local0
    
    #---------------------------------------------------------------------
    # common defaults
    #---------------------------------------------------------------------
    defaults
        mode http
        timeout connect 0ms
        timeout client 0ms
        timeout server 0ms
        log global
    
    #---------------------------------------------------------------------
    # SSL w/ redirect to HTTPS
    #---------------------------------------------------------------------
    frontend localhost
        bind *:80
        bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    # for unprivileged installs, add another declaration
    #   bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3
    # no-tlsv10 ciphers <ciphers go here>
        redirect scheme https if !{ ssl_fc }
        mode http
        default_backend nodes
    
    #---------------------------------------------------------------------
    # backend (output)
    #---------------------------------------------------------------------
    backend nodes
        mode http
        balance roundrobin
        option http-keep-alive
        option forwardfor
        cookie SRVNAME insert
        option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
        http-check expect status 200
        default-server fastinter 1s downinter 5s
        server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc } 
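As an added example, not part of the HAProxy template above or of the Splunk SOAR documentation, the following shell script fills the <phantom node UUID> and <IP Address> placeholders of the backend section from a node inventory, so that every node gets the same health check and a sticky cookie equal to its UUID. The inventory is constructed sample data. Note that the template's `ssl verify none` turns off HAProxy's checking of the node certificates; the script keeps that behaviour by default but, when given a CA bundle path, emits `verify required ca-file <path>` instead, which is standard HAProxy server syntax rather than anything taken from this page.

```shell
#!/bin/sh
# Added example, not from the Splunk SOAR documentation or from HAProxy.
# Renders the "server" lines of the HAProxy backend from a node list.

# Constructed sample inventory, one "<node UUID> <IP address>" per line.
NODES='
11111111-2222-3333-4444-555555555555 10.0.0.11
66666666-7777-8888-9999-aaaaaaaaaaaa 10.0.0.12
'

# verify_opts [CAFILE]: backend TLS verification as in the template
# (verify none) or, with a CA bundle, verification against that bundle.
verify_opts() {
    if [ -n "${1:-}" ]; then
        printf 'verify required ca-file %s' "$1"
    else
        printf 'verify none'
    fi
}

# render_servers PORT [CAFILE]: one server line per node. The cookie value
# is the node UUID so a client sticks to the node it first reached.
render_servers() {
    port="$1"
    verify="$(verify_opts "${2:-}")"
    printf '%s\n' "$NODES" | while read -r uuid ip; do
        [ -n "$uuid" ] || continue
        printf '    server %s %s:%s cookie %s check ssl %s\n' \
            "$uuid" "$ip" "$port" "$uuid" "$verify"
    done
}

# count_servers PORT: number of rendered server lines, a sanity check that
# the inventory parsed as expected before the config is deployed.
count_servers() {
    render_servers "$1" | grep -c '^ *server '
}

# render_backend PORT [CAFILE]: the backend stanza with the page's settings
# followed by the generated server lines.
render_backend() {
    cat <<'EOF'
backend nodes
    mode http
    balance roundrobin
    option http-keep-alive
    option forwardfor
    cookie SRVNAME insert
    option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    default-server fastinter 1s downinter 5s
EOF
    render_servers "$1" "${2:-}"
    printf '    http-request set-header X-Forwarded-Port %%[dst_port]\n'
    printf '    http-request add-header X-Forwarded-Proto https if { ssl_fc }\n'
}

# Set SOAR_DEMO=1 to print the stanza for the sample inventory on port 443.
if [ "${SOAR_DEMO:-0}" = "1" ]; then
    render_backend 443
fi
```

The port argument matters for unprivileged installs: the template's frontend comment notes a second bind on the custom HTTPS port, and the backend server lines must point at the port the node's web server actually listens on (8443 by default) rather than 443.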
Last modified on 10 July, 2024
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0, 6.2.1