Splunk SOAR (f.k.a. Phantom)

Splunk Phantom Underprivileged Installation

zubairaizatron
Explorer

Hi guys 

I tried installing Splunk Phantom as an underprivileged user as per the documentation:

https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged

Although I pretty much get through the process without problems, when I get to the last step I get warnings about storage:

zubairaizatron_0-1642605084136.png

The installation does continue and then completes (I think):

zubairaizatron_1-1642605163078.png

I then navigate to the ./bin directory and run the ./start_phantom.sh script, but it gives me a connection to postgres error:

zubairaizatron_3-1642605326846.png

Postgres is installed, so I don't know what the issue could be. Note this is a standalone instance of Phantom.

Has anyone experienced something similar?

Also, I cannot access the frontend, but I assume this is because Phantom is not running.


phanTom
SplunkTrust

@zubairaizatron 

I am not sure what is going on with your install without checking some of the logs around the postgres startup. 

However, the instructions you are following are if you want to use any other account than the default. 5.x is unprivileged by default and now runs under the phantom user rather than the root user as it did previously. 

I suspect you will have more luck simply installing the latest version on SOAR either via OVA or RPM.  

As per the 1st paragraph on the OVA install: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallOVA 

"The virtual machine image of Splunk SOAR (On-premises) is for an unprivileged installation, meaning the application runs under the phantom user account, not as the root user."

If this is just for personal use then I would just go with the above. If it's for professional/licensed use then I would raise a support case under your customer entitlement. 


zubairaizatron
Explorer

Hi 

Thank you very much for your reply. This is for professional use; however, it is not an actual deployment, more of a PoC, and it requires this kind of installation according to the needs of the customer.

That being said, it seems the problem was the lack of a postgres "phantom" database.

zubairaizatron_0-1642629283268.png

I then created one and that got rid of that error. However, now I am still getting the error for supervisord.

zubairaizatron_2-1642629456266.png

This is the start of the installation, but then it gives this error:

zubairaizatron_3-1642629489757.png

In the installation logs I found the following errors:

zubairaizatron_4-1642629575394.png

This one I assume I fixed by creating the phantom database in postgres.

zubairaizatron_5-1642629675453.png

zubairaizatron_6-1642629741811.png

zubairaizatron_7-1642629779068.png

zubairaizatron_8-1642629824626.png

Any suggestions?

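The failures described in this thread (postgres not reachable, the "phantom" database missing, the install not running as the unprivileged service account) can be caught before running start_phantom.sh. The preflight script below is an added example, not Splunk's own tooling; it assumes the install root is $PHANTOM_HOME (default /opt/phantom), the service account is "phantom", and the expected PostgreSQL database is named "phantom", as in the thread.

```shell
#!/bin/sh
# Preflight checks for an unprivileged Splunk SOAR (Phantom) install.
# Added example, not Splunk's tooling. Assumed defaults: install root
# /opt/phantom, service account "phantom", database "phantom".
# Invoke as `sh preflight.sh --run` to execute the checks.

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
PHANTOM_USER="${PHANTOM_USER:-phantom}"
PHANTOM_DB="${PHANTOM_DB:-phantom}"

# db_listed NAME LIST: succeed if LIST (one database name per line, as
# printed by `psql -Atc "SELECT datname FROM pg_database"`) contains NAME.
db_listed() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Succeed if the effective user is the unprivileged service account, not root.
running_as_service_account() {
    [ "$(id -u)" -ne 0 ] && [ "$(id -un)" = "$PHANTOM_USER" ]
}

# Print database names from the local PostgreSQL; fail if psql is missing
# or the server cannot be reached (the "connection to postgres" symptom).
list_databases() {
    command -v psql >/dev/null 2>&1 || return 1
    psql -Atc "SELECT datname FROM pg_database" 2>/dev/null
}

# Succeed if the start script used in the thread is present and executable.
start_script_ok() {
    [ -x "$PHANTOM_HOME/bin/start_phantom.sh" ]
}

# Run every check, print one line per result, return the number of failures.
preflight() {
    fails=0
    if running_as_service_account; then echo "ok:   running as $PHANTOM_USER"
    else echo "FAIL: run as $PHANTOM_USER, not $(id -un)"; fails=$((fails + 1)); fi
    if dbs=$(list_databases); then
        if db_listed "$PHANTOM_DB" "$dbs"; then echo "ok:   database $PHANTOM_DB exists"
        else echo "FAIL: database $PHANTOM_DB missing; create it first"; fails=$((fails + 1)); fi
    else echo "FAIL: cannot reach PostgreSQL with psql"; fails=$((fails + 1)); fi
    if start_script_ok; then echo "ok:   $PHANTOM_HOME/bin/start_phantom.sh is executable"
    else echo "FAIL: $PHANTOM_HOME/bin/start_phantom.sh missing or not executable"; fails=$((fails + 1)); fi
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```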

phanTom
SplunkTrust

@zubairaizatron I have not had to install the unpriv install in this way before so I am afraid I am not sure what else I can offer. 

All of the requirements should have been installed and no additional configuration, outside of the installation instructions, should need to be performed to get the system up and running. 

I think you need to start again and be sure you didn't miss or misunderstand a step.  


zubairaizatron
Explorer

Hey @phanTom 

Thanks a lot man

I tried an earlier install of Phantom and it worked.
