Hi.
I don't understand how to fix it.
App: Phantom -> Phantom Server Configuration:Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.
@sebeling3
Hi, I fixed it already.
If you have a problem like mine, try this in Splunk via the GUI:
Settings > Access controls > Roles > Admin > Capabilities
And move phantom_read, phantom_write from Available capabilities to Selected capabilities.
If you have a problem with HTTPS certificate verification, try:
%splunk_home%/etc/apps/phantom/local/phantom
[verify_certs]
value = true (change to false)
Hi,
Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.
If I can participate, note that you can enable HTTPS with these steps:
From your browser (or any other method you like), export the certificate of the Phantom machine as X.509 Certificate (PEM).
For instance, with Firefox: Click the padlock icon on the left of the URL > Click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the next one that opens > Details > Export
Copy this to your Splunk machine in $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem
Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.
One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.
for clarity, the path is:
%splunk_home%/etc/apps/phantom/local/phantom.conf
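Added example, not from the thread or from the Phantom app itself: a Python check that reports the effective [verify_certs] value discussed above and whether local/cert_bundle.pem actually holds a certificate. It assumes phantom.conf parses as INI, that Splunk's usual layering (local/ overrides default/) applies, and that "false" or "0" mean disabled; the function names are hypothetical.

```python
import configparser
import re
import sys
import tempfile
from pathlib import Path

# Framing of one PEM certificate; this does not validate the chain.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")

def effective_verify_certs(app_dir):
    """Return (value, layer) of [verify_certs] value; local/ overrides default/."""
    result = (None, None)
    for layer in ("default", "local"):  # default is read first, local wins
        conf = Path(app_dir) / layer / "phantom.conf"
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        parser.read(conf, encoding="utf-8")  # a missing file is skipped silently
        if parser.has_option("verify_certs", "value"):
            result = (parser.get("verify_certs", "value").strip().lower(), layer)
    return result

def count_pem_certs(app_dir):
    """Count PEM certificates in local/cert_bundle.pem (0 if the file is absent)."""
    bundle = Path(app_dir) / "local" / "cert_bundle.pem"
    if not bundle.is_file():
        return 0
    return len(PEM_CERT.findall(bundle.read_text(errors="replace")))

def audit(app_dir):
    """Return findings about TLS verification for a phantom app directory."""
    findings = []
    value, layer = effective_verify_certs(app_dir)
    if value is None:
        findings.append("verify_certs is not set in default/ or local/")
    elif value in ("false", "0"):  # assumption: these spellings mean disabled
        findings.append(f"certificate verification is disabled in {layer}/phantom.conf")
    if count_pem_certs(app_dir) == 0:
        findings.append("local/cert_bundle.pem is missing or holds no PEM certificate")
    return findings

if __name__ == "__main__":
    # With no argument, audit a constructed sample instead of a real install.
    app = Path(sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp())
    if len(sys.argv) == 1:
        (app / "local").mkdir()
        (app / "local" / "phantom.conf").write_text("[verify_certs]\nvalue = false\n")
    print("\n".join(audit(app)) or "no findings")
```

Pass the app directory as the only argument to audit a real install; an empty result means verification is on and a certificate bundle is in place.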
I don't have a local folder; all I see is default, and I made the change there and I still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"
Can anyone help?
I'm seeing the same thing. I am new to Splunk and Phantom and wanted to set up a POC using the free versions. I've installed both Splunk (Win 2016) and Phantom on CentOS 7.4 on Azure on the same subnet.
Connectivity seems to be fine from both servers.
I am simply trying to set up via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.