Splunk SOAR

Splunk Phantom Underprivileged Installation

zubairaizatron
Explorer

Hi guys

I tried installing Splunk Phantom as an underprivileged user as per the documentation:

https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged

Although I pretty much get through the process without problems, when I get to the last step I get warnings about storage.

[screenshot]

The installation does continue and then completes (I think).

[screenshot]

I then navigate to the ./bin directory and run the ./start_phantom.sh script, but it gives me a "connection to postgres" error.

[screenshot]

Postgres is installed, so I don't know what the issue could be. Note this is a standalone instance of Phantom.

Has anyone experienced something similar?

Also I cannot access the frontend, but I assume this is because Phantom is not running.



phanTom
SplunkTrust
SplunkTrust

@zubairaizatron

I am not sure what is going on with your install without checking some of the logs around the postgres startup.

However, the instructions you are following are for if you want to use any other account than the default. 5.x is unprivileged by default and now runs under the phantom user rather than the root user as it did previously.

I suspect you will have more luck simply installing the latest version of SOAR, either via OVA or RPM.

As per the 1st paragraph on the OVA install: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallOVA

"The virtual machine image of Splunk SOAR (On-premises) is for an unprivileged installation, meaning the application runs under the phantom user account, not as the root user."

If this is just for personal use then I would just go with the above. If it's for professional/licensed use then I would raise a support case under your customer entitlement.


zubairaizatron
Explorer

Hi

Thank you very much for your reply. This is for professional use; however, it is not an actual deployment, more of a PoC, and it requires this kind of installation according to the needs of the customer.

That being said it seems the problem was the lack of a postgres "phantom" database.

[screenshot]

I then created one and that got rid of that error. However, now I am still getting the error for supervisord.

[screenshot]

This is the start of the installation, but then it gives this error:

[screenshot]

In the installation logs I found the following errors:

[screenshot]

This one I assume I fixed by creating the phantom database in postgres.

[screenshots]

Any suggestions?

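A preflight check for the missing-database problem described in the post above, added here as an example (it is not from the thread and not one of Splunk's own scripts): it confirms that the local PostgreSQL accepts connections and that the `phantom` database exists before `bin/start_phantom.sh` is run, which is exactly the condition that produced the "connection to postgres" error. It assumes `psql` and `pg_isready` are on PATH and that the connecting role may list databases; the default database name and the `--run` flag are this script's own assumptions.

```shell
#!/bin/sh
# Preflight check for an unprivileged Splunk SOAR / Phantom install.
# Assumption (not from the thread): a local PostgreSQL reachable with the
# default PGHOST/PGUSER settings; override those variables if needed.

# db_in_list NAME LISTING
#   Parse the output of `psql -lqt` (one database per line, '|'-separated
#   columns, name in the first column) and return 0 if NAME is present.
db_in_list() {
  want=$1
  printf '%s\n' "$2" | awk -F'|' -v want="$want" '
    { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name); if (name == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_phantom_db [DBNAME]
#   Live check: pg_isready for connectivity, then the listing parser above.
#   Returns 0 when the database is present, 1 when it is absent, and 2 when
#   PostgreSQL is unreachable or the client tools are missing.
check_phantom_db() {
  db=${1:-phantom}   # "phantom" is the name the thread says was missing
  command -v psql >/dev/null 2>&1 || { echo "psql not found on PATH" >&2; return 2; }
  if command -v pg_isready >/dev/null 2>&1 && ! pg_isready -q; then
    echo "PostgreSQL is not accepting connections" >&2
    return 2
  fi
  listing=$(psql -lqt 2>/dev/null) || { echo "cannot list databases" >&2; return 2; }
  if db_in_list "$db" "$listing"; then
    echo "database '$db' is present"
    return 0
  fi
  echo "database '$db' is missing: create it before running bin/start_phantom.sh" >&2
  return 1
}

# Run the live check only when invoked as: sh preflight.sh --run
case "${1:-}" in
  --run) check_phantom_db "$2" ;;
esac
```

Source the file to reuse `db_in_list` against saved `psql -lqt` output, or invoke it with `--run` on the SOAR host as the phantom user.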

phanTom
SplunkTrust
SplunkTrust

@zubairaizatron I have not had to install the unpriv install in this way before so I am afraid I am not sure what else I can offer.

All of the requirements should have been installed and no additional configuration, outside of the installation instructions, should need to be performed to get the system up and running.

I think you need to start again and be sure you didn't miss or misunderstand a step.


zubairaizatron
Explorer

Hey @phanTom

Thanks a lot man

I tried an earlier install of Phantom and it worked.
