IMPORTANT NOTE: During the migration to GovCloud, we had to use the limited offline RPMs. This changes the upgrade process. The notes below may be outdated. Reference: https://docs.splunk.com/Documentation/Phantom/4.9/Install/UpgradeOffline
Recommend you see the installation notes in Phantom Notes.md
Use the Splunk Phantom repo, not the msoc repo. BE SURE TO HAVE AT MOST 55% FREE space (45% used space).
Backup docs: https://docs.splunk.com/Documentation/Phantom/4.10.2/Admin/Restorefromabackup
05/2021
Follow Splunk Docs! Switched XDR from offline RPM install to Phantom repo install. I had to upgrade to the latest version in 4.9 before upgrading to 4.10. Use tmux to avoid SSH timeout during upgrade.
08/2020
See Splunk docs!
Silence Phantom sensu checks
Stop Phantom
/opt/phantom/bin/stop_phantom.sh
Clean yum
yum clean all
Take an AWS snapshot in addition to the automatic snapshots! It should be for a 60 GB volume. Naming scheme: phantom-pre-upgrade-backup-
Run a backup!
sudo phenv python ibackup.pyc --backup
Update OS & reboot (only if kernel updated)
yum update --exclude=nginx
Start Phantom
/opt/phantom/bin/start_phantom.sh
Disable WAL
sed -i -e 's/archive_mode = on/archive_mode = off/i' /opt/phantom/data/db/postgresql.phantom.conf
Restart postgres
# 2021-04-12: While troubleshooting a problem, noticed we're on postgres11 now.
/opt/phantom/bin/phsvc restart postgresql-11
Install new repo and keys
rpm -Uvh https://repo.phantom.us/phantom/4.9/base/7Server/x86_64/phantom_repo-4.9.35731-1.x86_64.rpm
Centos7 (Caasp)
rpm -Uvh https://repo.phantom.us/phantom/4.10/base/7/x86_64/phantom_repo-4.10.3.51237-1.x86_64.rpm
Troubleshooting
Error: Error - Phantom requires that the user 'phantom' has access to cron.
Solution: vim /etc/cron.allow
and add phantom
Error! It looks like you don't have enough space in your /tmp directory Your /tmp directory must have a capacity of at least 5GB If you would like to ignore this check, please re-run with the option --no-space-check
Upgrade script
/opt/phantom/bin/phantom_setup.sh upgrade
Post Upgrade (Run IF the upgrade script produces the message!)
su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
Run this to set up our backups again
phenv python3 /opt/phantom/bin/ibackup.pyc --setup
Verify postgres version
su - postgres -c '/usr/pgsql-11/bin/postgres --version'
Log in to the web UI to accept the EULA
Administration > Product Settings > Telemetry > OFF
Post Upgrade Steps
Have Phantom Administrator verify that email is working properly.
Clear Silence
Done!
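The prerequisites scattered through these notes (disk usage, the 5GB /tmp check, `phantom` in /etc/cron.allow, running inside tmux) can be checked in one pass before starting the upgrade. This is an added example, not part of the original notes or of Splunk's tooling. Assumptions: the space note is read as "at most 45% used" on the filesystem holding /opt/phantom, and the /tmp requirement is checked against available space.

```bash
#!/usr/bin/env bash
# Added example: pre-upgrade checks drawn from the notes above.
# Assumptions: the 45% limit applies to the filesystem holding /opt/phantom;
# the installer's "5GB" is checked against available space in /tmp.

MAX_USED_PCT=45                      # notes: 45% used space
MIN_TMP_KB=$((5 * 1024 * 1024))      # installer: /tmp needs at least 5GB

# Parse `df -Pk` output (header + one data line) read from stdin.
df_used_pct() { awk 'NR==2 { sub(/%/, "", $5); print $5 }'; }
df_avail_kb() { awk 'NR==2 { print $4 }'; }

disk_ok() { [ "$1" -le "$MAX_USED_PCT" ]; }   # $1 = used percent
tmp_ok()  { [ "$1" -ge "$MIN_TMP_KB" ]; }     # $1 = available KB

# $1 = user, $2 = cron.allow path; exact whole-line match only,
# so "phantom2" does not satisfy a check for "phantom".
cron_allows() { [ -r "$2" ] && grep -qxF -- "$1" "$2"; }

in_tmux() { [ -n "${TMUX:-}" ]; }

preflight() {
  local rc=0 used avail
  used=$(df -Pk /opt/phantom | df_used_pct)
  avail=$(df -Pk /tmp | df_avail_kb)
  disk_ok "$used" || { echo "FAIL: /opt/phantom ${used}% used (max ${MAX_USED_PCT}%)"; rc=1; }
  tmp_ok "$avail" || { echo "FAIL: /tmp has ${avail} KB free (need ${MIN_TMP_KB})"; rc=1; }
  cron_allows phantom /etc/cron.allow || { echo "FAIL: phantom not in /etc/cron.allow"; rc=1; }
  in_tmux || echo "WARN: not inside tmux; an SSH timeout can interrupt the upgrade"
  if [ "$rc" -eq 0 ]; then echo "preflight OK"; fi
  return "$rc"
}

# Run the checks only when called as: ./preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as root on the Phantom host after stopping Phantom and before `phantom_setup.sh upgrade`; a non-zero exit means at least one FAIL line was printed.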
Vagrant phantom creds: admin/password Password1. For ssh, use the brad user and ssh key.
TEST
PROD
Stop phantom, take snapshot of drive, clean yum cache, install RPM for repo, upgrade phantom.
Phantom Upgrade Steps
Do not skip versions. Upgrade incrementally.
Post Upgrade Steps