Splunk SOAR Shared Services

andrew_burnett
Path Finder

When I try to create a Shared Services server (for a development environment), it prompts me for the password for the "user" account. I have tried a variety of things, using the default password that comes with SOAR, adding a user called "user" and trying that password. None of it works, and after 5 attempts it ruins the installation and I have to scuttle the VM and start over. Anyone run into this issue?

phanTom
SplunkTrust

@andrew_burnett the "user" account usually refers to the "root" account and is created upon initial install to allow SSH to a "root-like" account. 

What version of SOAR are you running? I only built a cluster with 4.10.x and the user account has the same password as the 'root' account which was set at initial build. Newer versions of SOAR use the 'phantom' account for most of its capabilities so maybe the docs need updating?

If you have a support entitlement it's definitely worth getting something raised to assist you and also make sure that any associated documentation is made correct and simpler to follow and understand. 

Hope this helps. 

andrew_burnett
Path Finder

It's weird because even using the root password, it says it fails to pass validation.

0 Karma

inventsekar
SplunkTrust

Hi @andrew_burnett, my apologies, I understand your question only partially, so one question... may we know the SOAR tool name, please?

The default password - you meant for the Splunk tool or the SOAR tool?

As per my understanding, this task will require us to contact the SOAR tool's support and get help from them.

Thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

andrew_burnett
Path Finder

It's for SOAR 5.1, and when I go to run make_server_node.pyc it asks for the password for "user". And it fails to pass validation whatever I enter.

0 Karma

phanTom
SplunkTrust

@andrew_burnett is this the 1st thing it asks, or are you seeing stuff happen 1st and then it asks for the account? E.g. do you get to put cert info in, set pgbouncer password and subnet info, and then it fails?

Are you able to screenshot the point you get to and the error?

I take it you are using: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/Install/makeservernode 

AFAIK 5.1 doesn't have a "user" account as it's unpriv by default now so have you tried the 'phantom' user password? 

0 Karma

andrew_burnett
Path Finder

I set the phantom user password myself using "passwd" and made it root as well, and I also tried using the password that is the default "admin" one in SOAR.

[Attachment: Screenshot(50).PNG]

0 Karma

phanTom
SplunkTrust

Is this the 1st shared service node you are creating? If so what are you setting it to? DB/FS/Proxy/Splunk?

The only advice I can offer, before curiosity gets the better of me and I try the install out myself :), is to decompile the make_server_node.pyc and see what it's actually trying to do. uncompyle6 is one I use to decompile pyc files.

Do you have a support entitlement? If so I would make sure you have a ticket with them as they would have seen this before, I would hope 😄

0 Karma
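
A lighter first step than the full decompile suggested in the reply above, as an added example (not from the thread and not Splunk's code): list the string constants in a .pyc without executing it, which is often enough to locate the prompt and validation messages. It assumes you run it with the same Python version that built the .pyc; the sample script and every name in it are constructed for illustration and are not the contents of make_server_node.pyc.

```python
import importlib.util
import marshal
import os
import py_compile
import tempfile
import types

# Constructed stand-in for a vendor script; NOT the contents of make_server_node.pyc.
SAMPLE_SOURCE = '''
import getpass
def prompt_account():
    pw = getpass.getpass("Enter password for user: ")
    if len(pw) < 8:
        raise SystemExit("password failed validation")
    return pw
'''

def build_sample_pyc(directory):
    """Compile the constructed sample so the demo has a .pyc to inspect."""
    src = os.path.join(directory, "sample_node.py")
    with open(src, "w") as fh:
        fh.write(SAMPLE_SOURCE)
    return py_compile.compile(src, cfile=os.path.join(directory, "sample_node.pyc"))

def read_pyc(path):
    """Load the top-level code object from a .pyc built by this same Python version."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        # The marshal format changes between releases, so refuse a foreign .pyc.
        raise ValueError(f"pyc magic {data[:4].hex()} does not match this interpreter")
    # Python 3.7+ (PEP 552): 16-byte header, then the marshalled code object.
    return marshal.loads(data[16:])

def iter_strings(code):
    """Yield (function_name, string) for each string constant, including nested functions."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield code.co_name, const
        elif isinstance(const, types.CodeType):
            yield from iter_strings(const)

def find_strings(path, needle):
    """Return string constants containing needle (case-insensitive), with their function."""
    return [(fn, s) for fn, s in iter_strings(read_pyc(path)) if needle.lower() in s.lower()]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fn, s in find_strings(build_sample_pyc(tmp), "password"):
            print(f"{fn}: {s!r}")
```

If the magic check raises, the file was built by a different Python release; run the script under that release or use a cross-version decompiler such as uncompyle6.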

andrew_burnett
Path Finder

This is the community edition, so I don't have a Support entitlement unfortunately. And to answer your question, this is for the Shared Services server, not a specific function which is how you would do it in a prod environment. I will try decompiling it and see, thank you.

0 Karma