Splunk SOAR Shared Services

andrew_burnett
Path Finder

When I try to create a Shared Services server (for a development environment), it prompts me for the password for the "user" account. I have tried a variety of things, using the default password that comes with SOAR, adding a user called "user" and trying that password. None of it works, and after 5 attempts it ruins the installation and I have to scuttle the VM and start over. Anyone run into this issue?

phanTom
SplunkTrust

@andrew_burnett the "user" account usually refers to the "root" account and is created upon initial install to allow SSH to a "root-like" account. 

What version of SOAR are you running? I only built a cluster with 4.10.x and the user account has the same password as the 'root' account which was set at initial build. Newer versions of SOAR use the 'phantom' account for most of its capabilities so maybe the docs need updating?

If you have a support entitlement it's definitely worth getting something raised to assist you and also make sure that any associated documentation is made correct and simpler to follow and understand. 

Hope this helps. 

andrew_burnett
Path Finder

It's weird because even using the root password, it says it fails to pass validation.

0 Karma

inventsekar
SplunkTrust

Hi @andrew_burnett, my apologies, I understand your question only partially, so one question... may we know the SOAR tool name, please?

The default password - you meant for the Splunk tool or the SOAR tool?

As per my understanding, this task will require us to contact the SOAR tool's support and get help from them.

Thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

andrew_burnett
Path Finder

It's for SOAR 5.1, and when I go to run make_server_node.pyc it asks for the password for "user". And it fails to pass validation whatever I enter.

0 Karma

phanTom
SplunkTrust

@andrew_burnett is this the 1st thing it asks, or are you seeing stuff happen 1st and then it asks for the account? E.g., do you get to put cert info in, set pgbouncer password and subnet info, and then it fails?

Are you able to screenshot the point you get to and the error?

I take it you are using: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/Install/makeservernode 

AFAIK 5.1 doesn't have a "user" account as it's unpriv by default now so have you tried the 'phantom' user password? 

0 Karma

andrew_burnett
Path Finder

I set the phantom user password myself using "passwd" and made it root as well, and I also tried using the password that is the default "admin" one in SOAR. Screenshot(50).PNG

 

0 Karma

phanTom
SplunkTrust

Is this the 1st shared service node you are creating? If so what are you setting it to? DB/FS/Proxy/Splunk?

The only advice I can offer, before curiosity gets the better of me and I try the install out myself :), is to decompile the make_server_node.pyc and see what it's actually trying to do. uncompyle6 is one I use to decompile pyc files.

Do you have a support entitlement? If so I would make sure you have a ticket with them as they would have seen this before, I would hope 😄

 

0 Karma

andrew_burnett
Path Finder

This is the community edition, so I don't have a Support entitlement unfortunately. And to answer your question, this is for the Shared Services server, not a specific function which is how you would do it in a prod environment. I will try decompiling it and see, thank you.

0 Karma