- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk SOAR (f.k.a. Phantom)
- :
- Installing Splunk SOAR On-Prem Unprivileged User- ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Installing Splunk SOAR On-Prem Unprivileged User- Why are we getting this error?
Hi,
I am trying to install Splunk SOAR 6.0.1 for Linux. I've followed the prerequisites here: https://docs.splunk.com/Documentation/SOARonprem/6.0.1/Install/InstallUnprivileged and built a VM running CentOS 7.9.
I've run the prepare script as above too and everything came back fine (I'm not running in FIPS mode, this is for a home lab).
I then run the install script with --ignore-warnings because it keeps shouting about the need for a 500GB disk, the disk attached to the VM is 500GB, but it thin provisioned in VMware ESXi v8.0.0. The install goes ok and then I get the below error message when it tries to start Splunk SOAR.
[splunksoar-adm@NEST-Splunk-SOAR-01 splunk-soar]$ sudo ./soar-install --splunk-soar-home /opt/splunk-soar --https-port 8443 --ignore-warnings
[sudo] password for splunksoar-adm:
Detailed logs will be located at /opt/splunk-soar/var/log/phantom/phantom_install_log
Starting install of Splunk SOAR 6.0.1.123902
Skipping pre-deploy phase; continuing from StartPhantom
================================================================================
You are about to install Splunk SOAR version 6.0.1.123902.
- Installation path: /opt/splunk-soar
- HTTPS port: 8443
Do you wish to proceed? (y/N): y
================================================================================
INSTALL: StartPhantom
Starting Splunk SOAR
Failed to start Splunk SOAR
Traceback (most recent call last):
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", line 207, in run
proc = subprocess.run(normalized_cmd, **cmd_args) # noqa: PHANTOM112
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/subprocess.py", line 528, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/opt/splunk-soar/bin/start_phantom.sh']' returned non-zero exit status 1.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/./soar-install", line 72, in main
deployment.run()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", line 132, in run
self.run_deploy()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/contextlib.py", line 79, in inner
return func(*args, **kwds)
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", line 193, in run_deploy
operation.run()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py", line 135, in run
self.install()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/tasks/start_phantom.py", line 18, in install
self.shell.start_phantom()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", line 302, in start_phantom
self.run(
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", line 224, in run
raise InstallError(
install.install_common.InstallError: Failed to start Splunk SOAR
install failed.
Below is all the messages from the log file at the time of running the command.
{"component": "installation_log", "time": "2023-06-01T20:00:46.952514", "logger": "install", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/install_log/logger.py", "line": 52, "message": "Detailed logs will be located at /opt/splunk-soar/var/log/phantom/phantom_install_log", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257"}
{"component": "installation_log", "time": "2023-06-01T20:00:49.494291", "logger": "install.deployments.deployment", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", "line": 101, "message": "Starting install of Splunk SOAR 6.0.1.123902", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "time_elapsed_since_start": 0.000421}
{"component": "installation_log", "time": "2023-06-01T20:00:49.494734", "logger": "install.deployments.deployment", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", "line": 128, "message": "Skipping pre-deploy phase; continuing from StartPhantom", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "time_elapsed_since_start": 0.000697}
{"component": "installation_log", "time": "2023-06-01T20:00:49.503321", "logger": "install.deployments.deployment", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", "line": 91, "message": "\n\n================================================================================\nYou are about to install Splunk SOAR version 6.0.1.123902.\n - Installation path: /opt/splunk-soar\n - HTTPS port: 8443\n", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "time_elapsed_since_start": 0.009425}
{"component": "installation_log", "time": "2023-06-01T20:00:52.228354", "logger": "install.operations.deployment_operation", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py", "line": 123, "message": "Starting install task operation", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "time_elapsed_since_start": 2.734319, "time_elapsed_since_operation_start": 0.000164}
{"component": "installation_log", "time": "2023-06-01T20:00:52.228635", "logger": "install.console", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", "line": 301, "message": "Starting Splunk SOAR", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "time_elapsed_since_start": 2.734676, "time_elapsed_since_operation_start": 0.000518}
{"component": "installation_log", "time": "2023-06-01T20:00:52.229350", "logger": "install.console", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", "line": 204, "message": "Running subprocess", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "log_type": "subprocess", "command": "/opt/splunk-soar/bin/start_phantom.sh", "environment_variables": {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin", "HOME": "/root"}, "time_elapsed_since_start": 2.735282, "time_elapsed_since_operation_start": 0.001123}
{"component": "installation_log", "time": "2023-06-01T20:00:52.252023", "logger": "install.console", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", "line": 250, "message": "Subprocess completed.", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "log_type": "subprocess", "command": "/opt/splunk-soar/bin/start_phantom.sh", "environment_variables": {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin", "HOME": "/root"}, "status": "failed", "exit_code": 1, "stdout": ["Error: cannot run as a superuser"], "stderr": [], "time_elapsed_since_start": 2.758061, "time_elapsed_since_operation_start": 0.023908}
{"component": "installation_log", "time": "2023-06-01T20:00:52.252605", "logger": "install.operations.deployment_operation", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py", "line": 142, "message": "Completed install task operation", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "failed", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "time_elapsed_since_start": 2.758546, "time_elapsed_since_operation_start": 0.024388}
{"component": "installation_log", "time": "2023-06-01T20:00:52.253022", "logger": "install", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/meta.py", "line": 224, "message": "Adding deployment state to metadata", "continue_from": "StartPhantom", "cluster_phase": "ClusterPhase.NONE", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "time_elapsed_since_start": 2.758997}
{"component": "installation_log", "time": "2023-06-01T20:00:52.254129", "logger": "install", "pid": 536, "level": "ERROR", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/./soar-install", "line": 95, "message": "Failed to start Splunk SOAR", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "time_elapsed_since_start": 2.762006, "pretty_exc_info": ["Traceback (most recent call last):", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py\", line 207, in run", " proc = subprocess.run(normalized_cmd, **cmd_args) # noqa: PHANTOM112", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/subprocess.py\", line 528, in run", " raise CalledProcessError(retcode, process.args,", "subprocess.CalledProcessError: Command '['/opt/splunk-soar/bin/start_phantom.sh']' returned non-zero exit status 1.", "", "During handling of the above exception, another exception occurred:", "", "Traceback (most recent call last):", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/./soar-install\", line 72, in main", " deployment.run()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py\", line 132, in run", " self.run_deploy()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/contextlib.py\", line 79, in inner", " return func(*args, **kwds)", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py\", line 193, in run_deploy", " operation.run()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py\", line 135, in run", " self.install()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/tasks/start_phantom.py\", line 18, in install", " self.shell.start_phantom()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py\", line 302, in start_phantom", " self.run(", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py\", line 224, in run", " raise InstallError(", "install.install_common.InstallError: Failed to start Splunk SOAR"]}
No idea what's causing it to fail and can't find anything online. Let me know if you need more info, any help will be appreciated.
Cheers
Rob
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
