QuickStart - New Install
The Corelight-update utility is a service that runs at a scheduled interval to check for updates to the configured threat intelligence feeds, and distribute updated content to the configured sensors.
System requirements
The minimum system requirements are:
An x86_64 or ARM64 processor.
2GB memory.
A host running a Linux OS.
Network connectivity to the Internet, or to an internal-facing threat intelligence data repository.
To push content to your sensors, or to Fleet Manager, network connectivity to the management interface is required.
Installation Overview
Select a host to install the Corelight-update utility. If you have a Corelight Fleet Manager installation, Corelight-update can be run on the same host.
Set up the Corelight package repository on the host OS.
Install Corelight Update.
(Optional) Add additional user credentials to the corelight-update group. See (Optional) Add users to the corelight-update group for instructions.
(Optional) Change the Corelight-update policy.
Configure your inventory, content, integrations, and the Corelight-update service using a configuration file.
Update the Corelight-update policy using the configuration file.
Start the corelight-update service.
Set up the Corelight Stable package repository
Debian-based (deb) hosts:
Run the script using:
curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh | sudo bash
(Optional) To download the script before running it:
curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh
sudo chmod +x script.deb.sh
sudo ./script.deb.sh
RPM-based hosts:
Run the script using:
curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh | sudo bash
(Optional) To download the script before running it:
curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh
sudo chmod +x script.rpm.sh
sudo ./script.rpm.sh
Debian-based (deb) hosts:
Refresh the package cache:
sudo apt-get update
If you are running Debian, install debian-archive-keyring so that official Debian repositories are verified. Ubuntu installations can skip this step.
sudo apt-get install debian-archive-keyring
Ensure the required tools (curl, gpg, apt-transport-https) are installed before proceeding:
sudo apt-get install curl gnupg apt-transport-https
Before a deb repository can be used, the GPG key that signs its repository metadata must be installed. Install it with the apt-key utility:
curl -L https://packages.corelight.com/corelight/stable/gpgkey | sudo apt-key add -
Verify that the file named /etc/apt/sources.list.d/corelight_stable.list contains the repository configuration below. In the example below, check that the strings ubuntu and trusty represent your Linux distribution and version:
deb https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
deb-src https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
Valid options for the os and dist parameters can be found in Packagecloud's supported OS list.
Update the local APT cache:
sudo apt-get update
RPM-based hosts:
Install pygpgme, a package that allows yum to handle GPG signatures, and a package called yum-utils that contains the tools you need for installing source RPMs:
sudo yum install pygpgme yum-utils
You might need to install the EPEL repository for your system to install these packages. If you do not install pygpgme, GPG verification will not work.
Create a file named /etc/yum.repos.d/corelight_stable.repo that contains the repository configuration below. Replace el and 6 in the baseurl= path with your Linux distribution and version. Valid options for the os and dist parameters can be found in the supported OS list in the docs. Note that with these settings yum verifies the signature on the repository metadata (repo_gpgcheck=1) but not on the individual RPM packages (gpgcheck=0).
[corelight_stable]
name=corelight_stable
baseurl=https://packages.corelight.com/corelight/stable/el/6/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[corelight_stable-source]
name=corelight_stable-source
baseurl=https://packages.corelight.com/corelight/stable/el/6/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
Update the local yum cache:
sudo yum -q makecache -y --disablerepo='*' --enablerepo='corelight_stable'
Install Corelight-update
Debian-based (deb) hosts:
sudo apt install corelight-update
RPM-based hosts:
sudo yum install corelight-update
(Optional) Add users to the corelight-update group
As part of the installation, a system user and group are added to the OS to manage the Corelight-update service. All files and directories that are created for Corelight-update will belong to the user corelight-update and the group corelight-update.
To avoid using sudo to run corelight-update commands, you can add your user to the corelight-update group. For example, use this command to append the corelight-update group to the user's assigned groups:
sudo usermod -aG corelight-update <username>
Tip
Changes made with the usermod command do not take effect in the current session. Logging out and in again will apply the changes.
Configure Corelight-update
The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations.
To configure Corelight-update, start with the sample file as a template, and fill in the various configuration options. Once you have completed your configuration file, use it to update the policy defined in the Corelight-update configuration database.
A default policy named defaultPolicy is created automatically as part of the installation process. The default policy is functional, but also optional, and can be replaced with custom named policies. Two configuration sample files are provided with the default policy: /etc/corelight-update/configs/defaultPolicy/db-config.json and /etc/corelight-update/configs/defaultPolicy/db-config.yaml. They contain identical configuration examples defined in different structured text formats.
Attention
If you have Fleet-managed sensors that utilize a Fleet policy, the Corelight-update policy name must match the Fleet policy name.
1. Change the policy (Optional)
If you have a Fleet-managed sensor policy, remove the default policy in Corelight-update, and create a new policy that matches the Fleet policy name.
For example, to remove the default policy, and create a new policy named “myFleetPolicy”:
- Remove the default policy:
corelight-update remove -policies defaultPolicy
- Add a new policy named “myFleetPolicy”:
corelight-update add -policies "myFleetPolicy"
- Verify the policy is defined:
corelight-update show -policies
Once the new policy is created, two configuration sample files are created and placed into a folder with the policy name. For example: /etc/corelight-update/configs/myFleetPolicy/db-config.json and /etc/corelight-update/configs/myFleetPolicy/db-config.yaml.
2. Configure a policy
Use a configuration example file to create a customized configuration for Corelight-update that defines the sensor inventory, the Corelight-update service configuration, the content assignments, and integrations.
For information on configuring the sensor inventory, and the use of encrypted passwords, see Policy Inventory Settings.
For information on the default interval settings for data downloading and processing, enabling global integrations, modifying the web service, or deploying global Suricata configuration files, see Global Configuration and Policy Settings.
For information on policy configuration settings, including enabling pushing content to sensors, enabling integrations and their settings, historical file retention, and how to process, optimize, and test Suricata rulesets, see Policy configuration and settings.
For information on the integrations available, and their settings, see Third-party Integrations Settings.
3. Update a policy
Once you have a configuration file that defines your sensor inventory and the various configuration options, use the file to update the policy in the Corelight-update configuration database.
- For example, to update a Corelight-update policy named “myFleetPolicy” using a configuration file:
corelight-update update -policy "myFleetPolicy" --path /etc/corelight-update/configs/myFleetPolicy/db-config.yaml
Any additions, changes, or updates to a policy are made in a configuration file before being loaded into Corelight-update to take effect.
Warning
When making changes to a policy, the configuration file section being modified must also include any previously defined, non-zero fields. Any fields left undefined will be automatically configured to their zero value.
You can display the existing policy configuration on the console, or write the configuration to a backup file before making changes.
For example:
- To write out an existing policy to the console:
corelight-update show -policy "defaultPolicy" -yaml
- To write out an existing policy in Corelight-update to a file:
corelight-update show -policy "defaultPolicy" -yaml -file /etc/corelight-update/configs/defaultPolicy/db-config-backup.yaml
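Because any field omitted from the loaded file is reset to its zero value, it is safer to apply a change onto a full export of the policy (written with the show command above) than to load a partial file. The following added example, which is not Corelight's code, does that for the JSON form of a policy: it reports which previously set, non-zero fields a partial file would zero, and merges the change onto the export so nothing else is lost. The sample policy and its field names are constructed placeholders, since the page shows no schema.

```python
import json
from copy import deepcopy

# Constructed sample of an exported policy in JSON form. The field names are
# illustrative placeholders, not Corelight-update's real schema.
EXPORTED_POLICY = json.loads("""
{
  "policy": "myFleetPolicy",
  "service": {"interval": 3600, "pushContent": true},
  "inventory": [{"name": "sensor-01", "mgmt": "10.0.0.5", "enabled": true}],
  "integrations": {"misp": {"enabled": true, "url": "https://misp.example.internal"}}
}
""")

# The only change we intend to make: shorten the service interval.
PARTIAL_CHANGE = {"service": {"interval": 900}}

def is_zero(value):
    """True for the zero value an undefined field would be reset to."""
    return value in (None, 0, "", False, [], {})

def deep_merge(base, override):
    """Return base with override applied; nested dict sections are merged, not replaced."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = value
    return result

def zeroed_fields(exported, candidate, prefix=""):
    """Dotted paths of non-zero fields in exported that candidate omits or zeroes.
    Dict sections are walked recursively; a list (e.g. the inventory) counts as one field."""
    dropped = []
    for key, old in exported.items():
        new = candidate.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            dropped.extend(zeroed_fields(old, new, f"{prefix}{key}."))
        elif not is_zero(old) and is_zero(new):
            dropped.append(f"{prefix}{key}")
    return dropped

def prepare_update(exported, change):
    """Merge change onto the exported policy; return (merged policy, fields still lost)."""
    merged = deep_merge(exported, change)
    return merged, zeroed_fields(exported, merged)
```

Write the merged result to the db-config.json you pass to the update command; zeroed_fields(EXPORTED_POLICY, PARTIAL_CHANGE) shows what loading the partial file on its own would have reset.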
4. Run Corelight-update
Run corelight-update using the CLI commands, or enable the service. See Corelight-update Service.
For additional corelight-update command options, see CLI Commands.