Add microsensors
When Corelight-update deploys content to a Microsensor, it uses SCP to push the content to a local folder path on the sensor.
To configure a Microsensor in Corelight-update, you’ll require:
Network connectivity from the Corelight-update host to the Microsensor.
The IP address or FQDN of the Microsensor.
A sensor username, and the password or host SSH key.
The sensor user needs read/write access to the content folders.
Note
The command used to reload the Suricata rules requires sudo access. If you’re deploying Suricata rulesets to a microsensor, the host username will also require passwordless sudo access to apply new rulesets.
The Corelight-update sensor inventory requires one entry for each Microsensor. You can remove any setting that’s not required for a specific sensor’s configuration.
sensors:
  - name:                 # sensor name
    type: micro
    ip:                   # address or fqdn
    username:             # host username
    password:             # set to "ssh-key" to use ssh keys on microsensors, leave blank to use encrypted password
    encrypted_pass:       # use the 'encrypt' CLI command to encrypt a password before it's stored here
    suricata: true        # push suricata rulesets to this sensor
    intel: true           # push intel files to this sensor
    input: true           # push input files to this sensor
    bundle: true          # push package bundle to this sensor
    intel_path: "/etc/corelight/intel/intel.dat"                # microsensors and localhost ONLY
    input_path: "/etc/corelight/input_files/"                   # microsensors and localhost ONLY
    suricata_path: "/etc/corelight/rules/suricata.rules"        # microsensors and localhost ONLY
    bundle_path: "/etc/corelight/corelight.bundle"              # microsensors ONLY
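
An added example, not part of Corelight-update or its documentation: a small audit of the sensor inventory that reports entries holding a literal password, entries with no credential set, and accounts that need passwordless sudo because `suricata: true` is set. It assumes any `password` value other than blank or "ssh-key" is a literal password, parses only the flat key/value layout shown above (not general YAML), and runs on a constructed sample trimmed to the fields the check reads.

```python
import re

# Constructed sample inventory in the layout shown above; all names and values are made up.
SAMPLE = """\
sensors:
  - name: dmz-micro-01
    type: micro
    password: "ssh-key"
    suricata: true
  - name: lab-micro-02
    type: micro
    password: Winter2024!   # literal password left in the file
    suricata: false
  - name: core-micro-03
    type: micro
    password:
    encrypted_pass:
"""

def parse_sensors(text):
    """Parse only the flat 'key: value  # comment' list shown on this page (not general YAML)."""
    sensors = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line or line == "sensors:":
            continue
        if line.startswith("- "):  # a new sensor entry begins
            sensors.append({})
            line = line[2:].strip()
        if sensors:
            key, _, value = line.partition(":")
            sensors[-1][key.strip()] = value.strip().strip("\"'")
    return sensors

def audit(sensors):
    """Return (sensor name, finding) pairs for credential and privilege review."""
    findings = []
    for s in sensors:
        name, pw = s.get("name") or "<unnamed>", s.get("password", "")
        if pw and pw != "ssh-key":  # assumption: any other value is a literal password
            findings.append((name, "plaintext-password"))
        elif not pw and not s.get("encrypted_pass"):
            findings.append((name, "no-credential"))
        if s.get("suricata") == "true":  # per the note above: needs passwordless sudo
            findings.append((name, "needs-passwordless-sudo"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_sensors(SAMPLE)):
        print(f"{name}: {finding}")
```

The `needs-passwordless-sudo` finding is informational: it lists the accounts whose sudo rights on the sensor should be reviewed, and sensors with `suricata: false` do not need that access.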