Splunk product compatibility requirements

In your on-premises deployment, verify that you have the necessary network availability among all devices.

Splunk Phantom must have TCP ports 4 open to and from Splunk Enterprise Security (ES) search heads.

The Splunk Phantom App for Splunk requires the admin user to run the phantom_retry.py script every 60 seconds to try to send any events that could not be sent earlier. In situations where events can't be sent from the Splunk platform to Splunk Phantom or Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection.

The Splunk Phantom App for Splunk requires that a user with administrative privileges installs both the Splunk Phantom App for Splunk and Splunk software.

Verify the following user privileges and ports:

Verify that your environment is ready to use the Splunk Phantom App for Splunk to integrate Splunk Phantom or Splunk SOAR with your Splunk Enterprise deployment.

Universal forwarders that you installed in Step 1.

What you need to install the Splunk Phantom App for Splunk on Splunk Enterprise.

The Splunk IT Service Intelligence (ITSI) search head, if you are using ITSI.

Install the Splunk Add-on for Phantom to the following locations:

Install the Splunk Add-on for Splunk Phantom

For more information about creating indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual. On your Indexer tier, create an index called phantom. You must create Splunk indexes for Splunk Phantom data before the universal forwarder can send data to them.

See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure universal forwarders. For more information, see Configure forwarding with nf. Configure forwarding on each Phantom server with nf.

The server's splunkd port has been changed.
Checking prerequisites.
ERROR: mgmt port - port is already bound.

The alternate port is stored in $SPLUNK_HOME/etc/system/local/web.conf. When you install manually, you're prompted to enter an alternate port. This can adversely affect automated installation scripts. For instructions, see Install the universal forwarder software.

Because each Phantom server already includes an embedded copy of Splunk Enterprise, the universal forwarder detects a port conflict during the initial startup.

Install a universal forwarder on each Splunk Phantom server you plan to monitor. You must install a universal forwarder on each Phantom server you plan to monitor. The universal forwarder collects data from a data source or another forwarder and sends it to a forwarder or a Splunk deployment.

Install a universal forwarder on each Splunk Phantom server

Perform the following tasks before you install the Splunk Add-on for Splunk Phantom.

Prepare to install the Splunk Add-on for Splunk Phantom

Review the supported product combination in a Splunk Enterprise environment.

Verify that you have a supported combination of products before installing the Splunk Add-on for Splunk Phantom. The add-on allows ITSI and Splunk Enterprise to get various Splunk Phantom log data with commonly used field names. The Splunk Add-on for Splunk Phantom is required to use the Content pack for Monitoring Phantom as a Service.