Global Configuration and Policy Settings¶
The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations. Use the global configuration and policy settings to modify the Corelight-update web service, and establish integrations and policies at a global level.
Changes can be made to the global policy using either:
- A config file.
- The Corelight-update CLI command --global-settings switch.
The Corelight-update CLI command supports updating the Global Configuration directly using the --global-settings switch.
Multiple settings can be updated using a single command. Update nested settings by joining the section name and the field name with a "." or "_". For example, webserver.enable=true or webserver_enable=true. Other than remote_global_conf_files, any setting can be updated using a key=value pair. For example:
corelight-update update --global-settings verbose=false interval_minutes=30
Note
Making changes to a policy using the CLI bypasses the configuration files. To maintain a copy of the current Global Configuration as a config file, export it to a file. See “Show Options” in the CLI Commands.
See the Complete Global Settings below for a list of fields that can be updated directly.
When using a config file, additions or changes to a policy are made to the configuration file first and then loaded into Corelight-update to take effect.
To update the global configuration:
1. Output the current global configuration as a file. For example, to create a global config file in YAML format:
corelight-update show -global -yaml -file /etc/corelight-update/global/config.yaml
2. Change the settings in the config file.
3. Update the global configuration. For example:
corelight-update update -global --path /etc/corelight-update/global/config.yaml
Warning
When making changes to a policy, the configuration file section being modified must also include any previously defined, non-zero fields. Any fields left undefined will be automatically configured to their zero value.
After a configuration has been updated, it is always recommended to verify the global configuration on the console. For example:
corelight-update show -global
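The two update paths above behave differently when a field is omitted: the --global-settings switch changes only the keys you name, while a config file that leaves a field undefined resets it to its zero value. The following Python model is an added example, not Corelight-update code; its baseline mirrors the "Complete Global Settings" list, and the way it resolves "_" versus "." in nested keys (dotted keys first, then any underscore split whose prefix names a section) is an assumption made here, not the tool's documented algorithm.

```python
"""Model of the two Global Configuration update paths (added example, not
Corelight-update code).  Key resolution for "_" vs "." is an assumption."""

from copy import deepcopy

# Constructed baseline copied from the documented defaults (no remote files).
DEFAULT_GLOBAL = {
    "verbose": False,
    "exp_features": False,
    "webserver": {
        "enable": True,
        "tls": True,
        "tls_cert": "/etc/corelight-update/global/cert.crt",
        "tls_key": "/etc/corelight-update/global/cert.key",
        "port": 8443,
    },
    "process_feeds": True,
    "interval_minutes": 60,
    "geoip": {
        "enabled": False,
        "interval_hours": 168,
        "account_id": 0,
        "license_key": "",
        "database_directory": "/var/corelight-update/files/all/geoip",
    },
}


def _leaf_exists(config, parts):
    """True if `parts` names a value (not a section) inside config."""
    node = config
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return not isinstance(node, dict)


def resolve_key(config, key):
    """Turn 'webserver.enable' or 'webserver_enable' into a path of dict keys."""
    if "." in key:
        parts = key.split(".")
        if _leaf_exists(config, parts):
            return parts
        raise KeyError(key)
    if _leaf_exists(config, [key]):      # plain top-level key such as verbose
        return [key]
    tokens = key.split("_")               # section_field: try each split point
    for i in range(1, len(tokens)):
        parts = ["_".join(tokens[:i]), "_".join(tokens[i:])]
        if _leaf_exists(config, parts):
            return parts
    raise KeyError(key)


def _coerce(raw, current):
    """Convert the CLI's string value to the type of the existing setting."""
    if isinstance(current, bool):
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{raw!r} is not true/false")
        return raw.lower() == "true"
    if isinstance(current, int):
        return int(raw)
    return raw


def apply_global_settings(config, settings):
    """Path 1: `corelight-update update --global-settings k=v ...`.
    Only the named keys change; every other field is kept."""
    updated = deepcopy(config)
    for item in settings:
        key, _, raw = item.partition("=")
        parts = resolve_key(updated, key)
        node = updated
        for part in parts[:-1]:
            node = node[part]
        node[parts[-1]] = _coerce(raw, node[parts[-1]])
    return updated


def _zero(value):
    """Zero value for the type of an existing setting (False, 0, "", {...})."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return 0
    if isinstance(value, dict):
        return {k: _zero(v) for k, v in value.items()}
    return ""


def load_config_file(schema, file_contents):
    """Path 2: `corelight-update update -global --path FILE`, modelling the
    warning: any field the file leaves undefined becomes its zero value."""
    loaded = {}
    for key, default in schema.items():
        if isinstance(default, dict):
            loaded[key] = load_config_file(default, file_contents.get(key, {}))
        else:
            loaded[key] = file_contents[key] if key in file_contents else _zero(default)
    return loaded


def merge_into(exported, changes):
    """The safe workflow: export the full config, overlay the changes, then
    load the merged file so no previously set field is lost."""
    merged = deepcopy(exported)
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_into(merged[key], value)
        else:
            merged[key] = value
    return merged
```

Loading a file that contains only `webserver: {port: 9443}` through `load_config_file` leaves `tls` false and `tls_cert` empty, which is exactly the failure the warning describes; `merge_into` applied to the exported config first gives a file that changes the port and nothing else.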
Global Configuration Settings¶
The Corelight-update service provides local web access to the documentation and to all of the content created and managed by Corelight-update. The web service is enabled by default and is optional.
Modify the web service¶
webserver:
  enable: true
  tls: true
  tls_cert: "/etc/corelight-update/global/cert.crt"
  tls_key: "/etc/corelight-update/global/cert.key"
  port: 8443
Note
Updating the default certificate is recommended.
Update the processing service and interval¶
In some cases it is useful to disable feed processing and leave only the web service enabled, or to change the default interval at which data feeds are processed.
process_feeds: true
interval_minutes: "60"
When this interval is triggered, the individual state history for each enabled integration is checked. If the integration's interval time has lapsed, the integration is processed. If the interval has not lapsed, the integration is skipped until the next cycle. If the interval is set to 0, the integration is processed on every cycle.
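The per-cycle check described above, as an added Python example that is not part of Corelight-update. It assumes each integration's state history records the time of its last run; the integration names, intervals and timestamps are constructed for the example.

```python
"""Per-cycle integration interval check (added example, not Corelight-update
code).  Assumes the state history holds each integration's last run time."""

from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0):
    """Small helper so sample timestamps are unambiguous (UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed integration settings: enabled flag plus interval, as for geoip.
INTEGRATIONS = {
    "geoip":        {"enabled": True,  "interval_hours": 168},
    "remote_confs": {"enabled": True,  "interval_hours": 0},   # 0 = every cycle
    "suricata":     {"enabled": True,  "interval_hours": 24},
    "zeek_pkgs":    {"enabled": False, "interval_hours": 24},  # never processed
}

# Constructed state history: when each integration last ran (missing/None = never).
STATE_HISTORY = {
    "geoip": utc(2024, 1, 1),
    "remote_confs": utc(2024, 1, 7, 23),
    "suricata": None,
}


def is_due(cfg, last_run, now):
    """Disabled: never.  Interval 0 or no history: always.  Otherwise only once
    the integration's own interval has lapsed since its last run."""
    if not cfg["enabled"]:
        return False
    interval = timedelta(hours=cfg["interval_hours"])
    if interval == timedelta(0) or last_run is None:
        return True
    return now - last_run >= interval


def due_integrations(integrations, state_history, now):
    """Names of the integrations that this cycle will process, in config order."""
    return [name for name, cfg in integrations.items()
            if is_due(cfg, state_history.get(name), now)]


def run_cycle(integrations, state_history, now):
    """One service tick (every interval_minutes): process what is due, record
    the run time for those, skip the rest until the next cycle.  Returns the
    processed names and the updated state history; the input is not mutated."""
    new_state = dict(state_history)
    processed = due_integrations(integrations, new_state, now)
    for name in processed:
        new_state[name] = now
    return processed, new_state
```

With the constructed history, a tick at 2024-01-08 00:00 UTC processes geoip (exactly 168 hours since its last run), remote_confs (interval 0) and suricata (never run); a tick one hour later processes only remote_confs.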
Additional logging options¶
If additional logging detail is desired, enable verbose logging. This setting is in addition to the CLI debugging option.
verbose: false
Global Policy Settings¶
Note
Starting in v1.0.0, enabling integrations and setting their interval is separate from the integration configuration.
Enable downloads of the current Maxmind GeoIP database. The default interval is 1 week. See Maxmind GeoIP for details.
geoip:
  enable_maxmind: false
  interval_hours: 168
  account_id: 0
  license_key: ""
  database_directory: "/var/corelight-update/files/all/geoip"
Global Suricata Settings¶
If you maintain a centralized set of Suricata configuration files for ruleset tuning and management, you can configure Corelight-update to automatically download the files from a remote source and apply them to the sensors connected to Corelight-update.
The Suricata configuration files disable.conf, enable.conf and modify.conf can be applied at a global level and at a policy level. If a disable.conf, enable.conf or modify.conf exists in the global config directory, it will automatically be processed for each policy.
To learn about the processing order, see Order of Operations.
For information about setting Suricata configuration files at the Policy level, see Suricata policy settings.
Each time the Corelight-update service runs, the Suricata rulesets can be processed up to three times for each policy:
1. Process any enabled Corelight recommended configs,
2. Process any enabled Global configs,
3. Process the Suricata policy configs.
For example, to pull a modify.conf file from GitHub:
remote_conf_files:
  - name: modify.conf
    url: https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf
    auth_type: basic
    auth_token: ""
    auth_token_header:
    username: fakeuser
    encrypted_pass: 8946af417b8c3a13358ac42e6f6fbb3f256e2f5cc778a08...
    ignore_tls: false
The supported authentication types are no auth, basic, or token. When using the no auth option, leave the auth_type field empty.
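How the three auth_type values and the ignore_tls flag of a remote config file entry translate into an HTTP request, as an added Python example that is not Corelight-update code. Two things are assumptions here rather than documented behaviour: that auth_token_header names the header carrying the token (with "Authorization: Bearer" used when it is left empty), and that the password handed to the function has already been decrypted from encrypted_pass.

```python
"""Auth headers and TLS verification for a remote_conf_files entry (added
example, not Corelight-update code; header mapping is an assumption)."""

import base64
import ssl


def build_auth_headers(entry, password=""):
    """Return the HTTP headers for the entry's auth_type: no auth, basic, token."""
    auth_type = (entry.get("auth_type") or "").strip().lower()
    if auth_type == "":                      # "no auth": auth_type left empty
        return {}
    if auth_type == "basic":
        creds = f"{entry['username']}:{password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    if auth_type == "token":
        # Assumption: auth_token_header names the header; default to Bearer.
        header = entry.get("auth_token_header") or "Authorization"
        token = entry["auth_token"]
        value = f"Bearer {token}" if header == "Authorization" else token
        return {header: value}
    raise ValueError(f"unsupported auth_type {auth_type!r}")


def tls_context(entry):
    """ignore_tls: true disables certificate and hostname validation, so the
    downloaded rule tuning could come from anyone able to intercept the
    connection.  Keep it false; for a private CA, install the CA instead."""
    ctx = ssl.create_default_context()
    if entry.get("ignore_tls", False):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(entry):
    """True when the entry's TLS context will validate the server certificate."""
    ctx = tls_context(entry)
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed entry mirroring the GitHub example above (credentials are dummies).
EXAMPLE_ENTRY = {
    "name": "modify.conf",
    "url": "https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf",
    "auth_type": "basic",
    "auth_token": "",
    "auth_token_header": None,
    "username": "fakeuser",
    "ignore_tls": False,
}
```

A quick audit of a global config is therefore to run `verifies_peer` over every entry and flag any that return False, since those downloads feed directly into the sensors' Suricata rule processing.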
Complete Global Settings¶
verbose: false
exp_features: false
webserver:
  enable: true
  tls: true
  tls_cert: /etc/corelight-update/global/cert.crt
  tls_key: /etc/corelight-update/global/cert.key
  port: 8443
process_feeds: true
interval_minutes: 60
geoip:
  enabled: false
  interval_hours: 168
  account_id: 0
  license_key: ""
  database_directory: /var/corelight-update/files/all/geoip
remote_global_conf_files:
  - name:
    url:
    auth_type:
    auth_token:
    auth_token_header:
    username:
    encrypted_pass:
    ignore_tls: