Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Install as an unprivileged user

TAR file distributions of Splunk SOAR (On-premises) are available for installing Splunk SOAR (On-premises) as an unprivileged user.

All services such as the PostgreSQL database are installed in the user space for the user account that runs Splunk SOAR (On-premises).

Prerequisites

Make sure that your system is running one of the supported operating systems.

  • Red Hat Enterprise Linux 7.6 through 7.9
  • Red Hat Enterprise Linux 8.0 and any of the minor versions of 8
  • Amazon Linux 2
  • Oracle Linux 8

Check and set each of these items before installing:

The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses to download those packages. You will need to update the file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.

  • With a text editor, update install_common.py.
    On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration.
    Change the word "mirror" in the URL to the word "vault."
    GLUSTER_RPM_SOURCE_BASE_URL_EL8 = ("https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/")
  • Make sure the firewalld daemon is running. Additionally, review required ports and endpoints. See Splunk SOAR (On-premises) ports and endpoints.
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-01-10 19:06:30 GMT; 1 months 0 days ago
     Docs: man:firewalld(1)
 Main PID: 967 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─967 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
  • If the firewalld daemon is not running, or not installed, install firewalld and start it.
  1. Install firewalld.
    sudo yum install firewalld
  2. Start firewalld.
    sudo systemctl start firewalld
  3. Set firewalld to run whenever the system starts.
    sudo systemctl enable firewalld
  4. (Conditional) Set some basic firewall rules so that you can access the system during the install and for maintenance. You may need to implement other rules to comply with your organization's security policies.
    1. sudo firewall-cmd --permanent --zone public --add-port 22/tcp
    2. sudo firewall-cmd --permanent --zone public --add-port 2222/tcp
    3. sudo firewall-cmd --reload
  • (Conditional) If you are installing on Amazon Linux 2, install libxcrypt-compat.
sudo yum install libxcrypt-compat
  • Set your system to use the UTF8 character set and the US keymap.
sudo localectl set-locale LANG=en_US.UTF-8
sudo localectl set-keymap us

Federal Information Processing Standard (FIPS) support

Splunk SOAR (On-premises) can be deployed in a FIPS-compliant mode if the operating system kernel is in FIPS mode.

  • Your operating system, either RHEL or CentOS, must be in FIPS mode.
  • You must create a new, unprivileged deployment of Splunk SOAR (On-premises), either as a single instance or as a cluster.

To determine whether your operating system kernel is in FIPS mode, run the following command.

cat /proc/sys/crypto/fips_enabled

If that command returns a 1, the kernel is in FIPS mode. If that command returns a 0, the kernel is not in FIPS mode.

You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:
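The prerequisite list above and the FIPS check are the kind of thing worth scripting once and running on every host before soar-prepare-system, because a missing piece (firewalld stopped, the GlusterFS mirror URL not yet changed, the wrong locale) only surfaces part way through the install. The script below is an added example and is not part of Splunk's installer. Each check takes its input as an argument (a file path or captured command output) so it can be exercised against constructed data; run_live_checks feeds in values from the real host. It assumes the RHEL-family output format of localectl status ("LANG=en_US.UTF-8" and "VC Keymap: us" lines) and that install_common.py sits in the extracted splunk-soar directory.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an unprivileged Splunk SOAR (On-premises) install.
# Added example, not part of Splunk's installer scripts.

# Supported platforms from the prerequisites list: RHEL 7.6 through 7.9,
# RHEL 8 and its minor versions, Amazon Linux 2, Oracle Linux 8.
# $1 = path to an /etc/os-release style file (ID= and VERSION_ID= lines).
os_supported() {
  local id ver
  id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
  ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
  case "$id:$ver" in
    rhel:7.[6-9]|rhel:8|rhel:8.*|amzn:2|ol:8|ol:8.*) return 0 ;;
  esac
  return 1
}

# Kernel FIPS flag: 1 means FIPS mode, 0 means not.
# $1 = path to the flag file (normally /proc/sys/crypto/fips_enabled).
fips_enabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# firewalld must be running before soar-prepare-system is used.
# $1 = output of `systemctl is-active firewalld` ("active" when running).
firewalld_active() {
  [ "$1" = "active" ]
}

# Locale must be en_US.UTF-8 with the us keymap.
# $1 = output of `localectl status` (assumed format: "LANG=en_US.UTF-8"
# inside the System Locale line and a "VC Keymap: us" line).
locale_ok() {
  printf '%s\n' "$1" | grep -q 'LANG=en_US.UTF-8' &&
    printf '%s\n' "$1" | grep -q 'VC Keymap: *us[[:space:]]*$'
}

# The GlusterFS mirror fix: install_common.py must point at vault.centos.org
# and no longer at mirror.centos.org. $1 = path to install_common.py.
gluster_url_fixed() {
  grep -q 'GLUSTER_RPM_SOURCE_BASE_URL_EL8 *= *("https://vault\.centos\.org/' "$1" &&
    ! grep -q 'GLUSTER_RPM_SOURCE_BASE_URL_EL8 *= *("https://mirror\.centos\.org/' "$1"
}

# Run every check against the real host; returns 1 if any required check fails.
run_live_checks() {
  local rc=0
  os_supported /etc/os-release \
    || { echo "FAIL: operating system not in the supported list"; rc=1; }
  firewalld_active "$(systemctl is-active firewalld 2>/dev/null)" \
    || { echo "FAIL: firewalld is not active"; rc=1; }
  locale_ok "$(localectl status 2>/dev/null)" \
    || { echo "FAIL: locale/keymap is not en_US.UTF-8 / us"; rc=1; }
  gluster_url_fixed ./install_common.py \
    || { echo "FAIL: install_common.py still uses the old mirror URL"; rc=1; }
  # FIPS is informational: required only for a FIPS-compliant deployment.
  if fips_enabled /proc/sys/crypto/fips_enabled; then
    echo "info: kernel is in FIPS mode"
  else
    echo "info: kernel is not in FIPS mode"
  fi
  [ "$rc" -eq 0 ] && echo "all required checks passed"
  return "$rc"
}

# Run as `./soar-preflight.sh --live` from the extracted splunk-soar directory.
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

The live run is deliberately read-only: it reports what is missing and leaves the fixes (yum install firewalld, localectl set-locale, the install_common.py edit) to the documented steps, so it can be re-run safely until every line reads ok.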

Install from the TAR file

Install Splunk SOAR (On-premises) in a two-stage process: prepare the system for installation, then install Splunk SOAR (On-premises).

Prepare the system for installation

  1. Log in as a user with root or sudo privileges to the machine where you want to install Splunk SOAR (On-premises).
  2. On the machine where you want to install Splunk SOAR (On-premises), make sure the operating system is updated.
    sudo yum clean all
    sudo yum update
  3. If the machine where you want to install Splunk SOAR (On-premises) required kernel updates, reboot the system before continuing with the installation.
  4. Download the unprivileged installer from the Splunk SOAR Free Trial page.
  5. If you downloaded the installer onto a local machine and need to copy it to the machine where you want to install Splunk SOAR (On-premises), you can use the following command.
    scp -r ./splunk_soar-unpriv-<version>.tgz <user>@<installation_address>
  6. Extract the TAR file.
    tar -xzvf ./splunk_soar-unpriv-<version>.tgz
  7. Change directory to the splunk-soar directory created when you extracted the TAR file.
    cd splunk-soar
  8. Use the following command to prepare the system for the unprivileged installation:
    sudo ./soar-prepare-system --splunk-soar-home <home_directory> --https-port <port_number>
    When you run the pre-install script, it prompts you to configure the system. All arguments for the script are optional.

    A full list of available options for the soar-prepare-system script is available in the topic Splunk SOAR (On-premises) default credentials, script options, and sample configuration files in the Install and Upgrade Splunk SOAR (On-premises) manual.

    • The --splunk-soar-home argument specifies the home directory for Splunk SOAR (On-premises). That directory must exist and the user meant to run the installation must own that directory. If the --splunk-soar-home argument is not specified, the installation defaults to the directory where the installation package was extracted.
    • Use the --https-port argument to expose the web interface on the specified port, which must be a port between 1024 and 65535.

      The --https-port argument defaults to port 8443. The firewalld daemon must be running. The --port-forward argument will expose the Splunk SOAR (On-premises) web interface on port 443 in addition to the port specified with --https-port. Do not use the --port-forward argument if you are not using firewalld or if you are building a Splunk SOAR (On-premises) cluster.

  9. Answer each of the presented prompts:
    If a configuration requirement is already satisfied in your system, the prompt for that requirement might not appear.
    • Install pre-requisite RPM packages required by Splunk SOAR (Y/n): If prompted, you must answer Y to proceed.
    • GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. Do you want to run this step? (Y/n): You only need to answer Y if you are setting up certain cluster configurations of Splunk SOAR (On-premises), but you can answer Y even on individual instances.
    • Enable the chronyd service to guarantee clock synchronization. Do you want to run this step? (Y/n): Answer Y.
    • Create a non-privileged user for running Splunk SOAR (On-premises). (Y/n): If prompted, you must answer Y to proceed.
    • Do you want to set a password for <non-privileged_user> now? (Y/n): Answer Y if you created a non-privileged user for running Splunk SOAR (On-premises) in the previous step.
    • Set system resource limits for Splunk SOAR user, particularly file descriptor limits, which are low by default. (Y/n): Answer Y.

Install

Make sure you are logged in as the user meant to own the installation. Do not perform the installation command as the root user.

  1. Run the soar-install installation script with the same arguments you included in the soar-prepare-system script.
    Use the --splunk-soar-home argument to specify the directory where Splunk SOAR (On-premises) will be installed. That directory must exist and must be owned by the user account that will run Splunk SOAR (On-premises).
    As an example, --splunk-soar-home /opt/soar installs to the directory /opt/soar.
    ./soar-install --splunk-soar-home <home_directory> --https-port <port_number>
  2. The soar-install installation script displays the installation path and HTTPS port number, then asks Do you want to proceed? (y/N). If the path and port are correct, answer y.

    The --https-port argument specifies what port the Splunk SOAR (On-premises) web server uses to expose the web user interface.

Run the sudo ./soar-prepare-system --help and sudo ./soar-install --help commands to see what optional arguments are available. See Splunk SOAR (On-premises) default credentials, script options, and sample configuration files.
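The two scripts share their arguments, and the rules around them are easy to get wrong on a second host: the home directory has to exist and be owned by the account that will run Splunk SOAR, --https-port has to be between 1024 and 65535, --port-forward needs firewalld and must not be used for a cluster, and soar-install must not run as root. The wrapper below is an added example, not one of Splunk's scripts; it encodes those rules as small checks that take plain arguments (so they can be tested in isolation) and then invokes soar-prepare-system or soar-install with identical arguments. The script name soar-guard.sh and its command-line layout are hypothetical, and ownership is read with GNU stat -c, which is what RHEL, Oracle Linux and Amazon Linux ship.

```shell
#!/usr/bin/env bash
# Argument validation wrapper for soar-prepare-system / soar-install.
# Added example, not part of Splunk's scripts.

# --https-port must be a number between 1024 and 65535. $1 = candidate port.
valid_https_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# --splunk-soar-home must exist and be owned by the account that runs SOAR.
# $1 = directory, $2 = numeric uid of that account.
home_dir_owned_by() {
  [ -d "$1" ] || return 1
  [ "$(stat -c '%u' "$1")" = "$2" ]   # stat -c is GNU coreutils
}

# --port-forward is only valid with firewalld running and never for a cluster.
# $1 = "yes" if --port-forward is wanted, $2 = `systemctl is-active firewalld`
# output, $3 = "yes" when building a cluster.
port_forward_allowed() {
  [ "$1" = "yes" ] || return 0   # not requested: nothing to check
  [ "$2" = "active" ] && [ "$3" != "yes" ]
}

# soar-install must not run as root. $1 = effective uid of the caller.
install_user_ok() {
  [ "$1" -ne 0 ]
}

# Usage (hypothetical):
#   ./soar-guard.sh prepare <home> <port> <soar_user> [port-forward yes|no] [cluster yes|no]
#   ./soar-guard.sh install <home> <port> <soar_user> [port-forward yes|no] [cluster yes|no]
main() {
  local stage=$1 home=$2 port=$3 soar_user=$4 pf=${5:-no} cluster=${6:-no}
  local extra=
  valid_https_port "$port" \
    || { echo "--https-port must be 1024-65535, got '$port'" >&2; return 1; }
  home_dir_owned_by "$home" "$(id -u "$soar_user")" \
    || { echo "$home must exist and be owned by $soar_user" >&2; return 1; }
  if [ "$pf" = "yes" ]; then
    port_forward_allowed yes "$(systemctl is-active firewalld 2>/dev/null)" "$cluster" \
      || { echo "--port-forward needs firewalld running and is not for clusters" >&2; return 1; }
    extra=--port-forward
  fi
  case "$stage" in
    prepare)
      # Preparation needs root; the same arguments are reused for install.
      sudo ./soar-prepare-system --splunk-soar-home "$home" --https-port "$port" $extra ;;
    install)
      install_user_ok "$(id -u)" \
        || { echo "run soar-install as $soar_user, not as root" >&2; return 1; }
      [ "$(id -un)" = "$soar_user" ] \
        || { echo "log in as $soar_user before running soar-install" >&2; return 1; }
      ./soar-install --splunk-soar-home "$home" --https-port "$port" $extra ;;
    *)
      echo "usage: $0 prepare|install <home> <port> <soar_user> [port-forward] [cluster]" >&2
      return 1 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the wrapper derives both invocations from one set of arguments, the install stage cannot drift from the prepare stage, which is the mistake the note about "the same arguments" in step 1 is guarding against.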

Last modified on 16 September, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.3.0, 6.3.1