Splunk SOAR

Installing Splunk SOAR On-Prem Unprivileged User - Why are we getting this error?

casperr
New Member

Hi,

I am trying to install Splunk SOAR 6.0.1 for Linux. I've followed the prerequisites here: https://docs.splunk.com/Documentation/SOARonprem/6.0.1/Install/InstallUnprivileged and built a VM running CentOS 7.9.

I've run the prepare script as above too and everything came back fine (I'm not running in FIPS mode, this is for a home lab).

I then run the install script with --ignore-warnings because it keeps shouting about the need for a 500GB disk; the disk attached to the VM is 500GB, but it is thin provisioned in VMware ESXi v8.0.0. The install goes OK and then I get the below error message when it tries to start Splunk SOAR.

[splunksoar-adm@NEST-Splunk-SOAR-01 splunk-soar]$ sudo ./soar-install --splunk-soar-home /opt/splunk-soar --https-port 8443 --ignore-warnings
[sudo] password for splunksoar-adm:
Detailed logs will be located at /opt/splunk-soar/var/log/phantom/phantom_install_log
Starting install of Splunk SOAR 6.0.1.123902
Skipping pre-deploy phase; continuing from StartPhantom


================================================================================
You are about to install Splunk SOAR version 6.0.1.123902.
- Installation path: /opt/splunk-soar
- HTTPS port: 8443

Do you wish to proceed? (y/N): y


================================================================================
INSTALL: StartPhantom

Starting Splunk SOAR

Failed to start Splunk SOAR
Traceback (most recent call last):
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", line 207, in run
proc = subprocess.run(normalized_cmd, **cmd_args) # noqa: PHANTOM112
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/subprocess.py", line 528, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/opt/splunk-soar/bin/start_phantom.sh']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/./soar-install", line 72, in main
deployment.run()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", line 132, in run
self.run_deploy()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/contextlib.py", line 79, in inner
return func(*args, **kwds)
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", line 193, in run_deploy
operation.run()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py", line 135, in run
self.install()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/tasks/start_phantom.py", line 18, in install
self.shell.start_phantom()
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", line 302, in start_phantom
self.run(
File "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", line 224, in run
raise InstallError(
install.install_common.InstallError: Failed to start Splunk SOAR
install failed.

Below are all the messages from the log file at the time of running the command.

{"component": "installation_log", "time": "2023-06-01T20:00:46.952514", "logger": "install", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/install_log/logger.py", "line": 52, "message": "Detailed logs will be located at /opt/splunk-soar/var/log/phantom/phantom_install_log", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257"}
{"component": "installation_log", "time": "2023-06-01T20:00:49.494291", "logger": "install.deployments.deployment", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", "line": 101, "message": "Starting install of Splunk SOAR 6.0.1.123902", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "time_elapsed_since_start": 0.000421}
{"component": "installation_log", "time": "2023-06-01T20:00:49.494734", "logger": "install.deployments.deployment", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", "line": 128, "message": "Skipping pre-deploy phase; continuing from StartPhantom", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "time_elapsed_since_start": 0.000697}
{"component": "installation_log", "time": "2023-06-01T20:00:49.503321", "logger": "install.deployments.deployment", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py", "line": 91, "message": "\n\n================================================================================\nYou are about to install Splunk SOAR version 6.0.1.123902.\n - Installation path: /opt/splunk-soar\n - HTTPS port: 8443\n", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "time_elapsed_since_start": 0.009425}
{"component": "installation_log", "time": "2023-06-01T20:00:52.228354", "logger": "install.operations.deployment_operation", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py", "line": 123, "message": "Starting install task operation", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "time_elapsed_since_start": 2.734319, "time_elapsed_since_operation_start": 0.000164}
{"component": "installation_log", "time": "2023-06-01T20:00:52.228635", "logger": "install.console", "pid": 536, "level": "INFO", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", "line": 301, "message": "Starting Splunk SOAR", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "time_elapsed_since_start": 2.734676, "time_elapsed_since_operation_start": 0.000518}
{"component": "installation_log", "time": "2023-06-01T20:00:52.229350", "logger": "install.console", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", "line": 204, "message": "Running subprocess", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "log_type": "subprocess", "command": "/opt/splunk-soar/bin/start_phantom.sh", "environment_variables": {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin", "HOME": "/root"}, "time_elapsed_since_start": 2.735282, "time_elapsed_since_operation_start": 0.001123}
{"component": "installation_log", "time": "2023-06-01T20:00:52.252023", "logger": "install.console", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py", "line": 250, "message": "Subprocess completed.", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "started", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "log_type": "subprocess", "command": "/opt/splunk-soar/bin/start_phantom.sh", "environment_variables": {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin", "HOME": "/root"}, "status": "failed", "exit_code": 1, "stdout": ["Error: cannot run as a superuser"], "stderr": [], "time_elapsed_since_start": 2.758061, "time_elapsed_since_operation_start": 0.023908}
{"component": "installation_log", "time": "2023-06-01T20:00:52.252605", "logger": "install.operations.deployment_operation", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py", "line": 142, "message": "Completed install task operation", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "phase": "deploy", "operation_start_time": "2023-06-01T20:00:52.228275", "operation_name": "StartPhantom", "operation_status": "failed", "operation_type": "task", "operation_cluster_phase": "ClusterPhase.NONE", "time_elapsed_since_start": 2.758546, "time_elapsed_since_operation_start": 0.024388}
{"component": "installation_log", "time": "2023-06-01T20:00:52.253022", "logger": "install", "pid": 536, "level": "DEBUG", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/meta.py", "line": 224, "message": "Adding deployment state to metadata", "continue_from": "StartPhantom", "cluster_phase": "ClusterPhase.NONE", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "time_elapsed_since_start": 2.758997}
{"component": "installation_log", "time": "2023-06-01T20:00:52.254129", "logger": "install", "pid": 536, "level": "ERROR", "file": "/home/splunksoar-adm/Splunk-SOAR/splunk-soar/./soar-install", "line": 95, "message": "Failed to start Splunk SOAR", "install_run_uuid": "7af5f4ed-9863-488f-a0c1-fe2818588257", "start_time": "2023-06-01T20:00:49.494112", "install_mode": "install", "installed_version": "6.0.1.123902", "proposed_version": "6.0.1.123902", "deployment_type": "unpriv", "continue_from": "StartPhantom", "time_elapsed_since_start": 2.762006, "pretty_exc_info": ["Traceback (most recent call last):", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py\", line 207, in run", " proc = subprocess.run(normalized_cmd, **cmd_args) # noqa: PHANTOM112", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/subprocess.py\", line 528, in run", " raise CalledProcessError(retcode, process.args,", "subprocess.CalledProcessError: Command '['/opt/splunk-soar/bin/start_phantom.sh']' returned non-zero exit status 1.", "", "During handling of the above exception, another exception occurred:", "", "Traceback (most recent call last):", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/./soar-install\", line 72, in main", " deployment.run()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py\", line 132, in run", " self.run_deploy()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/usr/python39/lib/python3.9/contextlib.py\", line 79, in inner", " return func(*args, **kwds)", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/deployments/deployment.py\", line 193, in run_deploy", " operation.run()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/deployment_operation.py\", line 135, in run", " self.install()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/operations/tasks/start_phantom.py\", line 18, in install", " self.shell.start_phantom()", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py\", line 302, in start_phantom", " self.run(", " File \"/home/splunksoar-adm/Splunk-SOAR/splunk-soar/install/console.py\", line 224, in run", " raise InstallError(", "install.install_common.InstallError: Failed to start Splunk SOAR"]}

No idea what's causing it to fail and can't find anything online. Let me know if you need more info, any help will be appreciated.

Cheers

Rob
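
The install log quoted in the post above is JSON lines, and its records with "log_type": "subprocess" carry the child command's exit code, captured stdout/stderr and environment. The following is an added example, not part of the original post or of Splunk's tooling, that pulls the failed subprocess records out of such a log; the function name is hypothetical and the sample records are constructed by abbreviating lines from the post.

```python
import json

# Constructed sample: records abbreviated from the install log in the post
# (same field names and values, most metadata fields dropped), plus one
# deliberately broken line to show how wrapped/truncated lines are handled.
SAMPLE_LOG = "\n".join([
    json.dumps({"time": "2023-06-01T20:00:52.228635", "logger": "install.console",
                "level": "INFO", "message": "Starting Splunk SOAR"}),
    json.dumps({"time": "2023-06-01T20:00:52.252023", "logger": "install.console",
                "level": "DEBUG", "message": "Subprocess completed.",
                "log_type": "subprocess",
                "command": "/opt/splunk-soar/bin/start_phantom.sh",
                "environment_variables": {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin",
                                          "HOME": "/root"},
                "status": "failed", "exit_code": 1,
                "stdout": ["Error: cannot run as a superuser"], "stderr": []}),
    "not json: a truncated or wrapped line",
    json.dumps({"time": "2023-06-01T20:00:52.254129", "logger": "install",
                "level": "ERROR", "message": "Failed to start Splunk SOAR"}),
])


def failed_subprocesses(log_text):
    """Return one summary dict per subprocess record that did not succeed."""
    failures = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines broken by wrapping or truncation
        if not isinstance(rec, dict) or rec.get("log_type") != "subprocess":
            continue
        if rec.get("exit_code", 0) == 0 and rec.get("status") != "failed":
            continue  # "Running subprocess" records and successful runs
        failures.append({
            "time": rec.get("time"),
            "command": rec.get("command"),
            "exit_code": rec.get("exit_code"),
            "output": rec.get("stdout", []) + rec.get("stderr", []),
            "home": rec.get("environment_variables", {}).get("HOME"),
        })
    return failures


if __name__ == "__main__":
    for f in failed_subprocesses(SAMPLE_LOG):
        print(f"{f['time']} {f['command']} exit={f['exit_code']} HOME={f['home']}")
        for out in f["output"]:
            print("   ", out)
```

To run it against a real log, pass the contents of the file named in the installer output (/opt/splunk-soar/var/log/phantom/phantom_install_log) to `failed_subprocesses`.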
