Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Run make_server_node.pyc

Use the make_server_node.pyc script to convert an install into either a specific service or a Shared Services server for a cluster.

Create a Shared Services server

A single Shared Services server becomes a single point of failure. Any problems on the Shared Services server impact your entire cluster. For production use, build a server for each service rather than a single Shared Services server.

A single Shared Services server is not recommended for production use. This mode is primarily intended for Proof of Value or demonstrations.

Create a Shared Services server:

/opt/phantom/bin/phenv python /opt/phantom/bin/make_server_node.pyc

Making a Shared Services server also generates the /opt/phantom/bin/mcn_responses.json file, which can be passed as an argument to make_cluster_node.pyc to help set up the first node in your cluster.

The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.

Create a specific function server

Create a specific function server, such as an HAProxy load balancer, PostgreSQL database, file share, or Splunk Enterprise as root or using sudo:

/opt/phantom/bin/phenv python /opt/phantom/bin/make_server_node.pyc --<option argument>

Repeat once on separate systems for each server.

Valid arguments:

  • fs - sets up a single server GlusterFS for file shares.
  • db - sets up the internal PostgreSQL database to be used as an external PostgreSQL database.
  • proxy - installs and configures HAProxy to serve as a load balancer for your cluster.

make_server_node.pyc prompts and warnings

The make_server_node.pyc script issues a warning that you are about to permanently change your instance.

The changes are:

  • is removed from system boot scripts.
  • Disabling the internal database.
  • Configuring file shares.
  • Installing HAProxy to act as a load balancer.
  • You must respond to the warning with "y" for yes to proceed.

You are prompted to supply information for the TLS certificate.

  • Country Code
  • State Code
  • City
  • Organization
  • Organization unit
  • Hostname (or IP address)
  • Email address

The remaining prompts are:

  • The subnet on which PostgreSQL will accept connections.
  • Set the passwords for the postgres and pgbouncer user accounts.
  • Password for the user account.

When the script completes it writes the file /opt/phantom/bin/mcn_responses.json.

Logs are written to /var/log/phantom/make_server_node/make_server_node_<date and time>.log.

Additional configuration steps for unprivileged clusters

Perform the following steps on the load balancer or Shared Services server as root or as a user using sudo to get elevated permissions.

  1. Set SELINUX to allow HAProxy to bind to your custom HTTPS port.

    If SELINUX is disabled, then skip this step.

    semanage port --add --type http_port_t --proto tcp <HTTPS PORT>
  2. Conditional: If you receive an error that the port is already defined, use --modify instead of --add.
    semanage port --modify --type http_port_t --proto tcp <HTTPS PORT>
Last modified on 12 April, 2024
Convert an existing instance into a cluster   Run make_cluster_node.pyc

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2, 6.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters