Splunk SOAR (f.k.a. Phantom)

About to install Splunk Phantom Community Edition

clopmz
Explorer

Good morning,

I would like to test Splunk Phantom Community Edition in my home lab. When I try to install it following the documentation, the following error appears:

About to proceed with Phantom install
Do you wish to proceed [y/N]
y
sed: can't read /opt/phantom/bin/stop_phantom.sh: No such file or directory
Enter username: admin
Enter password: ************
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Cleaning repos: alternatives-phantom phantom-apps phantom-base phantom-product
: rhel-7-server-extras-rpms rhel-7-server-optional-rpms
: rhel-7-server-rh-common-rpms rhel-7-server-rpms
: rhel-7-server-supplementary-rpms rhel-server-rhscl-7-rpms
Updating phantom repo package

Error updating Phantom Repo package

https://***@repo.phantom.us/phantom/4.8/product/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized
Trying other mirror.

One of the configured repositories failed (Phantom product package),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=phantom-product ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable phantom-product
    or
        subscription-manager repos --disable=phantom-product

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=phantom-product.skip_if_unavailable=true

failure: repodata/repomd.xml from phantom-product: [Errno 256] No more mirrors to try.
https://***@repo.phantom.us/phantom/4.8/product/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized

Is it not possible to install Splunk Phantom from RPMs packages? Is it only available via OVA for Community Edition?

Many thanks for your help.

1 Solution

cblumer_splunk
Splunk Employee

The Community Edition of Splunk>Phantom can only be installed via the OVA available on the my.phantom.us portal.

RPM-based installs are supported only for POV/POC or Production licenses.


mpolisky_splunk
Splunk Employee

This error occurs even when a production license is installed:

Error updating Phantom Repo package

https://***@repo.phantom.us/phantom/4.8/product/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized
Trying other mirror.

What user/password is used to access this repo link? The my.phantom.us login/pass?


stiansplunkuser
Observer

Community users can't download or install using RPM. So we have to use the OVA instead. Sadly this also affects the Splunk Attack Range maintained by Splunk.

Link to similar topic: https://community.splunk.com/t5/Splunk-Phantom/About-to-install-Splunk-Phantom-Community-Edition/td-...



sam_splunk
Splunk Employee

You can see here: https://docs.splunk.com/Documentation/Phantom/4.8/Install/InstallRPM :

Provide your Splunk Phantom community credentials when prompted for a username and password.

Basic community accounts cannot download or install from RPM, that has to be enabled by a sales engineering within Splunk. Community edition is essentially the OVA.

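The thread's conclusion is that the 401 on repomd.xml means the account used is not entitled to the phantom-product repo, not that the installer or the network is broken. Added here as an example, not code from the thread or from Splunk's installer, is a small POSIX shell helper that reads the baseurl for phantom-product out of a yum .repo file, masks the embedded credentials the way the log above does, and probes repodata/repomd.xml with curl so the HTTP status can be checked directly instead of rerunning the whole install. It assumes the installer leaves an INI-style .repo file (the default path /etc/yum.repos.d/phantom.repo is a guess; check the host) and that the user:pass@ in the baseurl is the same as HTTP basic auth with the my.phantom.us login. The embedded sample .repo file is constructed for the example.

```shell
#!/bin/sh
# Added example for this thread; not Splunk's installer code.
# Probe the Phantom yum repo directly so an HTTP 401 can be told apart from a
# network or mirror problem without rerunning the whole installer.

# Return the baseurl of one section of an INI-style yum .repo file.
# $1 = path to the .repo file, $2 = section name (e.g. phantom-product)
repo_baseurl() {
    awk -v sec="[$2]" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && /^baseurl[[:space:]]*=/ {
            sub(/^baseurl[[:space:]]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Replace user:pass@ in a URL with ***@, as in the log lines in the thread.
mask_url_credentials() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^@/]+@#\1***@#'
}

# Map an HTTP status code (000 = curl got no HTTP reply at all) to a diagnosis.
classify_http_status() {
    case "$1" in
        200) echo "ok: credentials accepted, repodata readable" ;;
        401) echo "unauthorized: account is not entitled to this repo (community accounts cannot use RPM)" ;;
        403) echo "forbidden: authenticated but not permitted" ;;
        000) echo "no-connection: DNS, proxy or TLS failed before any HTTP reply" ;;
        *)   echo "unexpected: HTTP $1" ;;
    esac
}

# Fetch repodata/repomd.xml with HTTP basic auth and print only the status code.
# Assumption: a user:pass@ baseurl is equivalent to basic auth with the
# my.phantom.us login. Credentials inside the URL are stripped first so only
# the -u pair is sent. Needs network; not exercised offline.
probe_repomd() {
    # $1 = baseurl, $2 = username, $3 = password
    clean=$(printf '%s' "$1" | sed -E 's#^(https?://)[^@/]+@#\1#')
    curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "${clean%/}/repodata/repomd.xml"
}

# Constructed sample .repo file (not the one the installer really writes),
# written to a temp file; prints its path.
sample_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[phantom-base]
name=Phantom base
baseurl=https://user:secret@repo.phantom.us/phantom/4.8/base/x86_64/
enabled=1

[phantom-product]
name=Phantom product
baseurl=https://user:secret@repo.phantom.us/phantom/4.8/product/x86_64/
enabled=1
EOF
    echo "$f"
}

# Live probe, only when explicitly requested:
#   PHANTOM_PROBE=1 REPO_FILE=/etc/yum.repos.d/phantom.repo sh probe.sh USER PASS
# The default REPO_FILE path is an assumption; confirm it under /etc/yum.repos.d.
if [ "${PHANTOM_PROBE:-0}" = "1" ]; then
    url=$(repo_baseurl "${REPO_FILE:-/etc/yum.repos.d/phantom.repo}" phantom-product)
    echo "probing $(mask_url_credentials "$url")"
    classify_http_status "$(probe_repomd "$url" "$1" "$2")"
fi
```

A 401 from this probe with the same credentials the installer prompted for confirms the entitlement problem the answers describe; a 200 here followed by an installer failure points somewhere else (proxy, TLS interception, a stale cached .repo file). Passing the password with -u exposes it in the process list; on a shared host use curl's --netrc-file with a mode-600 file instead.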