Splunk SOAR

Keeping accurate time on your Splunk Phantom virtual machine

kevinh_splunk
Splunk Employee
In some cases, the Splunk Phantom virtual appliance can lose its time synchronization with the system time. For example, some virtual machine management functions can revert the Splunk Phantom virtual appliance to an older snapshot that is still running, which pauses the virtual appliance and causes it to lose synchronization with the system time.

You can use any of the strategies on this page to work around this issue.

Install VMWare Tools on the virtual appliance

You can install the VMWare Tools configuration utility on the virtual appliance and synchronize it with the ESX host. In this scenario, the time is automatically synchronized whenever the host is resumed or reverted.

Manually update the time on the host

You can use the ntpdate command to force the date to be updated. Access the command line of the virtual appliance as root, then run the ntpdate command. For example:

ntpdate -v -u 0.centos.pool.ntp.org

Replace the NTP host or pool as desired.
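
Before forcing the clock, it is useful to record how far the appliance had drifted, because anything timestamped while the clock was wrong will be off by that amount. The following is an added example, not part of the original article: it parses the output of ntpdate -q (query only, the clock is not set) and flags drift above a threshold. The function names, the 60-second threshold, and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: measure clock drift from `ntpdate -q` output before stepping the clock.
# SAMPLE_OUTPUT is constructed for illustration (192.0.2.x are documentation addresses).
SAMPLE_OUTPUT='server 192.0.2.10, stratum 2, offset -412.305118, delay 0.04210
server 192.0.2.11, stratum 2, offset -412.301977, delay 0.03954
server 192.0.2.12, stratum 0, offset 0.000000, delay 0.00000'

# Print the offset (seconds) reported by the lowest-delay server.
# Lines with stratum 0 are treated as servers that did not answer and are skipped.
best_offset() {
    awk -F', ' '
        /^server / {
            split($2, s, " "); split($3, o, " "); split($4, d, " ")
            if (s[2] + 0 == 0) next
            if (!found || d[2] + 0 < best) { best = d[2] + 0; off = o[2]; found = 1 }
        }
        END { if (!found) exit 1; print off }
    '
}

# Exit 0 if |offset| is greater than the threshold (both in seconds), 1 otherwise.
drift_exceeds() {
    awk -v off="$1" -v max="$2" \
        'BEGIN { if (off < 0) off = -off; exit !(off + 0 > max + 0) }'
}

# Read ntpdate -q output on stdin; $1 is the threshold in seconds.
# Returns 0 when in tolerance, 1 when drifted, 2 when no server was usable.
check_drift() {
    off=$(best_offset) || { echo "no usable NTP server"; return 2; }
    if drift_exceeds "$off" "$1"; then
        echo "DRIFT offset=${off}s threshold=${1}s"
        return 1
    fi
    echo "OK offset=${off}s"
}

# Live use on the appliance (as root):
#   ntpdate -q -u 0.centos.pool.ntp.org | check_drift 60
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | check_drift 60 || true
```

Log the DRIFT line before running the ntpdate command shown above, so the size of the correction is on record.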

Install the VMWare Tools on your Splunk Phantom virtual machine

In VMWare environments, you can install the VMWare Tools configuration utility on your Splunk Phantom virtual machine. This causes the virtual machine to automatically synchronize its time with the physical host, assuming the physical host has NTP configured.

Perform the following steps:

    1. Make sure NTP is properly configured on the physical host.
    2. In the VMWare management environment, install the VMWare Tools configuration utility on the virtual machine. This "inserts" a CD containing VMWare Tools into the virtual CD-ROM drive.
    3. Access the command line of the virtual machine as the root user.
    4. Run the following command:
      mount /dev/cdrom /mnt
    5. Untar the file from the /mnt directory into the root user's home directory:
      [root@localhost]# cd ~
      [root@localhost]# tar -xvf /mnt/VMWareTools-9.4.5-1598834.tar.gz
      [root@localhost]# cd vmware-tools-distrib/
    6. Run the following command to start the installer, and follow the prompts to complete the installation:
      [root@localhost]# ./vmware-install.pl