Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.

Migrate a Splunk SOAR (On-premises) install from CentOS 7 to Oracle Linux 8

To upgrade beyond Splunk SOAR (On-premises) 6.3.0, you must ensure it is running on a supported operating system. See System requirements for production use in Install and Upgrade Splunk SOAR (On-premises) for a list of supported operating systems.

  • CentOS Linux 7 reached end of life (EOL) on June 30, 2024. See What to know about CentOS Linux EOL on https://www.redhat.com.
  • Support was added for Oracle Linux in Splunk SOAR (On-premises) release 6.3.0.

Migrate CentOS 7 to Oracle Linux 8

You can migrate from CentOS 7 to Oracle Linux 8 on your existing server.

Oracle has published a blog containing instructions at Migrate and Upgrade: CentOS 7 to Oracle Linux 8 in one step on https://blogs.oracle.com/.

Before you begin the migration

Do these tasks before beginning your migration to Oracle Linux 8.

  1. If you have not already done so, upgrade your current deployment to release 6.3.0. See Splunk SOAR (On-premises) upgrade overview and prerequisites.
  2. After your upgrade to the current release is complete, make a full backup of your current release deployment. See Back up a Splunk SOAR (On-premises) deployment.
  3. Stop all Splunk SOAR services.
    /<$PHANTOM_HOME>/bin/stop_phantom.sh
    Do not restart Splunk SOAR until the migration is complete.
  4. Delete all libssl* and libcrypto* files from the directory <$PHANTOM_HOME>/usr/lib64.
    cd /opt/phantom/usr/lib64
    rm libssl*
    rm libcrypto*
    
    These libraries are provided by the operating system in Oracle Linux 8. Deleting the copies in the SOAR distribution prevents conflicts, making the original CentOS 7 installation Oracle Linux 8 compatible.
  5. Conditional: If you are migrating systems which host a Splunk SOAR (On-premises) cluster, you must unmount the GlusterFS fileshares before you can migrate the operating system.
    • You will need root or sudo access to edit the fstab file.
    • Repeat this step on each cluster node host you intend to migrate.
    sed -i -e '/glusterfs/ s/^#*/#/' /etc/fstab
    umount /opt/phantom/vault
    umount /opt/phantom/apps
    umount /opt/phantom/scm
    umount /opt/phantom/tmp/shared
    umount /opt/phantom/local_data/app_states
    
  6. Install the Elevate package.
    sudo yum install -y http://repo.almalinux.org/elevate/elevate-release-latest-el$(rpm --eval %rhel).noarch.rpm
  7. Install the Leapp and Leapp Oracle Linux migration data packages.
    sudo yum install -y leapp-upgrade leapp-data-oraclelinux

Migrate the operating system from CentOS 7 to Oracle Linux 8

Now that your Splunk SOAR (On-premises) deployment's host is ready to migrate, follow the guide from Oracle at Migrate and Upgrade: CentOS 7 to Oracle Linux 8 in one step on https://blogs.oracle.com/.

You must run the leapp pre-upgrade check and address any issues it reports.

Restart Splunk SOAR (On-premises)

Once you have completed all the steps in the migration from the Oracle article, you can restart Splunk SOAR.

  1. Conditional: If you are migrating a clustered deployment and unmounted your GlusterFS fileshares earlier, remount those fileshares. You will need sudo or root access to modify the fstab file.
    sed -i -e '/glusterfs/ s/#//' /etc/fstab
    mount -a
    
  2. As the SOAR user, run:
    /<$PHANTOM_HOME>/bin/start_phantom.sh
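
The following is an added example, not part of the Splunk documentation: it applies the two fstab sed edits from this page (the unmount step and the remount step) to a copy of the file and checks whether the round trip restores it. The server and volume names in the sample fstab are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run the page's two fstab edits on a copy, never on /etc/fstab.

# "Before you begin" step 5: comment out every line that mentions glusterfs.
gluster_disable() { sed -e '/glusterfs/ s/^#*/#/' "$1"; }

# "Restart" step 1: strip the first '#' from every line that mentions glusterfs.
gluster_enable() { sed -e '/glusterfs/ s/#//' "$1"; }

# Succeeds only if disable followed by enable reproduces the file byte for byte.
roundtrip_ok() {
    work=$(mktemp -d) || return 2
    gluster_disable "$1" > "$work/disabled"
    gluster_enable "$work/disabled" > "$work/restored"
    cmp -s "$1" "$work/restored"; rc=$?
    rm -rf "$work"
    return "$rc"
}

# Number of glusterfs entries that are still active (not commented out).
active_gluster_count() { grep -c '^[^#]*glusterfs' "$1" || true; }

# Constructed sample: server and volume names are made up, mount points are the page's.
sample_clean() {
    printf '%s\n' \
        '/dev/mapper/ol-root / xfs defaults 0 0' \
        'gfs1:/vault /opt/phantom/vault glusterfs defaults,_netdev 0 0' \
        'gfs1:/apps /opt/phantom/apps glusterfs defaults,_netdev 0 0'
}

# Same file plus two lines that were already comments before the migration.
sample_with_comments() {
    sample_clean
    printf '%s\n' \
        '# glusterfs shares for the SOAR cluster' \
        '#gfs-old:/vault /opt/phantom/vault glusterfs defaults,_netdev 0 0'
}

# Demo on the constructed samples.
demo=$(mktemp -d)
sample_clean > "$demo/clean"
sample_with_comments > "$demo/commented"
for f in clean commented; do
    if roundtrip_ok "$demo/$f"; then echo "$f: round trip restores the file"
    else echo "$f: round trip changes the file"
    fi
done
rm -rf "$demo"
```

Lines mentioning glusterfs that were already comments before the unmount step lose their leading # at the remount step, so compare /etc/fstab against your backup before running mount -a.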
Last modified on 24 September, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.3.0, 6.3.1

