Splunk SOAR (f.k.a. Phantom)

Keeping accurate time on your Splunk Phantom virtual machine

kevinh_splunk
Splunk Employee
In some cases, the Splunk Phantom virtual appliance can lose its time synchronization with the system time. For example, some virtual machine management functions can revert the Splunk Phantom virtual appliance to an older snapshot that is still running, which pauses the virtual appliance and causes it to lose synchronization with the system time.

You can use any of the strategies on this page to work around this issue.

Install VMware Tools on the virtual appliance

You can install the VMware Tools configuration utility on the virtual appliance and synchronize it with the ESX host. In this scenario, the time is automatically synchronized whenever the host is resumed or reverted.

Manually update the time on the host

You can use the ntpdate command to force the date to be updated. Access the command line of the virtual appliance as root, then run the ntpdate command. For example:

ntpdate -v -u 0.centos.pool.ntp.org

Replace the NTP host or pool as desired.
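
A check to run before forcing the clock, added here as an example and not part of the original article: it parses the output of `ntpdate -q` (query only, the clock is not set) and reports whether the offset exceeds a threshold, which is how drift after a snapshot revert shows up. The function names, the 1-second threshold and the sample outputs (192.0.2.10 is a documentation address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: measure clock drift from `ntpdate -q` output before stepping the clock.

# Constructed sample outputs of `ntpdate -q <server>` (not captured from a real host).
SAMPLE_SYNCED='server 192.0.2.10, stratum 2, offset -0.003512, delay 0.04567
 4 Jan 12:00:00 ntpdate[1234]: adjust time server 192.0.2.10 offset -0.003512 sec'
SAMPLE_REVERTED='server 192.0.2.10, stratum 2, offset 86412.118230, delay 0.04581
 4 Jan 12:00:00 ntpdate[1240]: step time server 192.0.2.10 offset 86412.118230 sec'
SAMPLE_NOSERVER=' 4 Jan 12:00:00 ntpdate[1250]: no server suitable for synchronization found'

# Print the offset (seconds) from the summary line of `ntpdate -q` output on stdin.
# Returns 1 and prints nothing when no summary line exists (no server answered).
ntp_offset() {
    awk '/time server .* offset .* sec$/ {
             for (i = 1; i < NF; i++) if ($i == "offset") off = $(i + 1)
         }
         END { if (off == "") exit 1; print off }'
}

# drift_status THRESHOLD_SECONDS   (reads `ntpdate -q` output on stdin)
# Prints "ok <offset>", "drift <offset>" or "unknown"; returns 0, 1 or 2.
drift_status() {
    threshold=$1
    offset=$(ntp_offset) || { echo "unknown"; return 2; }
    # Compare the absolute offset with the threshold as floating-point numbers.
    if awk -v o="$offset" -v t="$threshold" \
           'BEGIN { o += 0; t += 0; if (o < 0) o = -o; exit !(o > t) }'; then
        echo "drift $offset"
        return 1
    fi
    echo "ok $offset"
    return 0
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SYNCED"   | drift_status 1 || true
printf '%s\n' "$SAMPLE_REVERTED" | drift_status 1 || true
printf '%s\n' "$SAMPLE_NOSERVER" | drift_status 1 || true

# On the appliance, as root (assumes the pool used above is reachable):
#   ntpdate -q 0.centos.pool.ntp.org | drift_status 1
```

A "drift" result means the clock is off by more than the threshold and the forced update above is warranted; "unknown" means no NTP server answered, so the offset could not be measured.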

Install VMware Tools on your Splunk Phantom virtual machine

In VMware environments, you can install the VMware Tools configuration utility on your Splunk Phantom virtual machine. This causes the virtual machine to automatically synchronize the time with the physical host, assuming the physical host has NTP configured.

Perform the following steps:

    1. Make sure NTP is properly configured on the physical host.
    2. In the VMware management environment, install the VMware Tools configuration utility on the virtual machine. This "inserts" a CD containing VMware Tools into the virtual CD-ROM drive.
    3. Access the command line of the virtual machine as the root user.
    4. Run the following command:
      mount /dev/cdrom /mnt
    5. Untar the file from the /mnt directory into the root user's home directory:
      [root@localhost]# cd ~
      [root@localhost]# tar -xvf /mnt/VMwareTools-9.4.5-1598834.tar.gz
      [root@localhost]# cd vmware-tools-distrib/
    6. Run the following command to start the installer, and follow the prompts to complete the installation:
      [root@localhost]# ./vmware-install.pl