Hi guys
I tried installing Splunk Phantom as an underprivileged user as per the documentation:
https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged
Although I pretty much get through the process without problems, when I get to the last step I get warnings about storage.
The installation does continue and then completes (I think).
I then navigate to the ./bin directory and run the ./start_phantom.sh script, but it gives me a connection to postgres error.
Postgres is installed so I don't know what the issue could be. Note this is a standalone instance of Phantom.
Has anyone experienced something similar?
Also I cannot access the frontend but I assume this is because phantom is not running
@zubairaizatron I have not had to install the unpriv install in this way before so I am afraid I am not sure what else I can offer.
All of the requirements should have been installed and no additional configuration, outside of the installation instructions, should need to be performed to get the system up and running.
I think you need to start again and be sure you didn't miss or misunderstand a step.
@zubairaizatron
I am not sure what is going on with your install without checking some of the logs around the postgres startup.
However, the instructions you are following are if you want to use any other account than the default. 5.x is unprivileged by default and now runs under the phantom user rather than the root user as it did previously.
I suspect you will have more luck simply installing the latest version of SOAR either via OVA or RPM.
As per the 1st paragraph on the OVA install: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallOVA
"The virtual machine image of Splunk SOAR (On-premises) is for an unprivileged installation, meaning the the application runs under the phantom user account, not as the root user."
If this is just for personal use then I would just go with the above. If it's for professional/licensed use then I would raise a support case under your customer entitlement.
Hi
Thank you very much for your reply. This is for professional use; however, it is not an actual deployment, more of a PoC, and requires this kind of installation according to the needs of the customer.
That being said, it seems the problem was the lack of a postgres "phantom" database.
I then created one and that got rid of that error. However, now I am still getting the error for a supervisord.
This is the start of the installation but then it gives this error
In the installation logs I found the following errors
This one I assume I fixed by creating the phantom database in postgres
Any suggestions?