QuickStart - New Install

The Corelight-update utility is a service that runs at a scheduled interval to check for updates to the configured threat intelligence feeds, and distribute updated content to the configured sensors.

System requirements

The minimum system requirements are:

  • An x86_64 or ARM64 processor.

  • 2GB memory.

  • A host running a Linux OS.

  • Network connectivity to the Internet, or to an internal-facing threat intelligence data repository.

  • To push content to your sensors, or to Fleet Manager, network connectivity to the management interface is required.

Installation Overview

  1. Select a host to install the Corelight-update utility. If you have a Corelight Fleet Manager installation, Corelight-update can be run on the same host.

  2. Set up the Corelight package repository on the host OS.

  3. Install Corelight Update.

  4. (Optional) Add additional user credentials to the corelight-update group. See (Optional) Add users to the corelight-update group for instructions.

  5. (Optional) Change the Corelight-update policy.

  6. Configure your inventory, content, integrations, and the Corelight-update service using a configuration file.

  7. Update the Corelight-update policy using the configuration file.

  8. Start the corelight-update service.

Set up the Corelight Stable package repository

  Debian or Ubuntu (deb packages):

  1. Run the script using:

    curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh | sudo bash

    (Optional) To download the script before running it:

    curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh
    sudo chmod +x script.deb.sh
    sudo ./script.deb.sh

  RHEL, CentOS, or another RPM-based distribution (rpm packages):

  1. Run the script using:

    curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh | sudo bash

    (Optional) To download the script before running it:

    curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh
    sudo chmod +x script.rpm.sh
    sudo ./script.rpm.sh

  Manual setup, Debian or Ubuntu:

  1. Refresh the package cache:

    sudo apt-get update
    
  2. If you are running Debian, install debian-archive-keyring so that official Debian repositories are verified. Ubuntu installations can skip this step.

    sudo apt-get install debian-archive-keyring
    
  3. Ensure the required tools (curl, gpg, apt-transport-https) are installed before proceeding:

    sudo apt-get install curl gnupg apt-transport-https
    
  4. To install a deb repository, first install the GPG key that is used to sign the repository metadata. This is done with the apt-key utility.

    curl -L https://packages.corelight.com/corelight/stable/gpgkey | sudo apt-key add -
    
  5. Verify the file named /etc/apt/sources.list.d/corelight_stable.list contains the repository configuration below.

    In the example below, check that the strings ubuntu and trusty represent your Linux distribution and version:

    deb https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
    deb-src https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
    

    Valid options for os and dist parameters can be found in Packagecloud’s supported OS list.

  6. Update the local APT cache:

    sudo apt-get update

  Manual setup, RHEL, CentOS, or another RPM-based distribution:

  1. Install pygpgme, a package that allows yum to handle GPG signatures, and yum-utils, which contains the tools you need for installing source RPMs.

    sudo yum install pygpgme yum-utils
    

    You might need to install the EPEL repository for your system to install these packages. If you do not install pygpgme, GPG verification will not work.

  2. Create a file named /etc/yum.repos.d/corelight_stable.repo that contains the repository configuration below. Replace el and 6 in the baseurl= path with your Linux distribution and version. Valid options for os and dist parameters can be found in the supported OS list in the docs.

    [corelight_stable]
    name=corelight_stable
    baseurl=https://packages.corelight.com/corelight/stable/el/6/$basearch
    repo_gpgcheck=1
    gpgcheck=0
    enabled=1
    gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
    sslverify=1
    sslcacert=/etc/pki/tls/certs/ca-bundle.crt
    metadata_expire=300
    
    [corelight_stable-source]
    name=corelight_stable-source
    baseurl=https://packages.corelight.com/corelight/stable/el/6/SRPMS
    repo_gpgcheck=1
    gpgcheck=0
    enabled=1
    gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
    sslverify=1
    sslcacert=/etc/pki/tls/certs/ca-bundle.crt
    metadata_expire=300
    
  3. Update the local yum cache:

    sudo yum -q makecache -y --disablerepo='*' --enablerepo='corelight_stable'
    
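A pre-flight check for the os/dist strings called out in the deb step 5 and the rpm step 2 above, added here as an example and not part of the Corelight documentation: it parses /etc/os-release and flags any repository line whose path segments do not match the host. The EL_IDS mapping and the sample os-release and repository texts are assumptions constructed for this example.

```python
import re

# Packagecloud repository paths on this page are keyed as <os>/<dist>:
# ubuntu/trusty for Debian-family hosts, el/6 for Enterprise Linux.
# Which /etc/os-release IDs belong to the "el" family is an assumption here.
EL_IDS = {"rhel", "centos", "rocky", "almalinux", "ol"}

# Match 'deb https://.../stable/ubuntu/ trusty main' and 'baseurl=https://.../stable/el/6/$basearch'.
DEB_LINE = re.compile(r"^deb(?:-src)?\s+\S+/stable/([^/\s]+)/\s+(\S+)\s+main\b")
RPM_LINE = re.compile(r"^baseurl=\S+/stable/([^/]+)/([^/]+)/")

def parse_os_release(text):
    """Parse /etc/os-release content into a dict of unquoted KEY=VALUE pairs."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields

def expected_os_dist(os_release):
    """Return the (os, dist) pair a repository line for this host should carry."""
    dist_id = os_release.get("ID", "").lower()
    if dist_id in EL_IDS:
        return "el", os_release.get("VERSION_ID", "").split(".")[0]
    codename = os_release.get("VERSION_CODENAME") or os_release.get("UBUNTU_CODENAME", "")
    return dist_id, codename

def check_repo_config(repo_text, os_release_text):
    """Return the repository lines whose os/dist do not match the host."""
    expected = expected_os_dist(parse_os_release(os_release_text))
    mismatches = []
    for raw in repo_text.splitlines():
        line = raw.strip()
        match = DEB_LINE.match(line) or RPM_LINE.match(line)
        if match and (match.group(1), match.group(2)) != expected:
            mismatches.append(line)
    return mismatches

# Constructed samples: the deb lines from this page on a trusty host (correct),
# and the el/6 baseurl from this page on a CentOS 7 host (wrong version).
UBUNTU_OS_RELEASE = 'ID=ubuntu\nVERSION_ID="14.04"\nVERSION_CODENAME=trusty\n'
DEB_LIST = ("deb https://packages.corelight.com/corelight/stable/ubuntu/ trusty main\n"
            "deb-src https://packages.corelight.com/corelight/stable/ubuntu/ trusty main\n")
CENTOS7_OS_RELEASE = 'ID="centos"\nVERSION_ID="7"\n'
YUM_REPO = ("[corelight_stable]\n"
            "baseurl=https://packages.corelight.com/corelight/stable/el/6/$basearch\n")
```

Run check_repo_config on the contents of your corelight_stable.list or corelight_stable.repo together with your own /etc/os-release; an empty result means the os/dist strings agree with the host.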

Install Corelight-update

  Debian or Ubuntu:

    sudo apt install corelight-update

  RHEL, CentOS, or another RPM-based distribution:

    sudo yum install corelight-update

(Optional) Add users to the corelight-update group

As part of the installation, a system user and group are added to the OS to manage the Corelight-update service. All files and directories that are created for Corelight-update will belong to the user corelight-update and the group corelight-update.

To avoid using sudo to run corelight-update commands, you can add your user to the corelight-update group. For example, use this command to append the corelight-update group to the user's assigned groups:

sudo usermod -aG corelight-update <username>

Tip

Changes made with the usermod command do not take effect in the current session. Logging out and in again will apply the changes.

Configure Corelight-update

The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations.

To configure Corelight-update, start with the sample file as a template and fill in the various configuration options. Once you have completed your configuration file, use it to update the policy defined in the Corelight-update configuration database.

A default policy named defaultPolicy is created automatically as part of the installation process. The default policy is functional, but also optional, and can be replaced with custom named policies. There are two configuration sample files provided with the default policy: /etc/corelight-update/configs/defaultPolicy/db-config.json and /etc/corelight-update/configs/defaultPolicy/db-config.yaml. They contain identical configuration examples defined in different structured text formats.

Attention

If you have Fleet-managed sensors that utilize a Fleet policy, the Corelight-update policy name must match the Fleet policy name.

1. Change the policy (Optional)

If you have a Fleet-managed sensor policy, remove the default policy in Corelight-update, and create a new policy that matches the Fleet policy name.

For example, to remove the default policy, and create a new policy named “myFleetPolicy”:

  1. Remove the default policy:
    corelight-update remove -policies defaultPolicy
    
  2. Add a new policy named “myFleetPolicy”:
    corelight-update add -policies "myFleetPolicy"
    
  3. Verify the policy is defined:
    corelight-update show -policies
    

Once the new policy is created, two configuration sample files are created, and placed into a folder with the policy name. For example: /etc/corelight-update/configs/myFleetPolicy/db-config.json and /etc/corelight-update/configs/myFleetPolicy/db-config.yaml.

2. Configure a policy

Use a configuration example file to create a customized configuration for Corelight-update that defines the sensor inventory, the Corelight-update service configuration, the content assignments, and integrations.

  • For information on configuring the sensor inventory, and the use of encrypted passwords, see Policy Inventory Settings.

  • For information on the default interval settings for data downloading and processing, enabling global integrations, modifying the web service, or deploying global Suricata configuration files, see Global Configuration and Policy Settings.

  • For information on policy configuration settings, including enabling pushing content to sensors, enabling integrations and their settings, historical file retention, and how to process, optimize, and test Suricata rulesets see Policy configuration and settings.

  • For information on the integrations available, and their settings, see Third-party Integrations Settings.

3. Update a policy

Once you have a configuration file that defines your sensor inventory and the various configuration options, use the file to update the policy in the Corelight-update configuration database.

For example, to update a Corelight-update policy named “myFleetPolicy” using a configuration file:
corelight-update update -policy "myFleetPolicy" --path /etc/corelight-update/configs/myFleetPolicy/db-config.yaml

Any additions, changes, or updates to a policy are made in a configuration file before being loaded into Corelight-update to take effect.

Warning

When making changes to a policy, the configuration file section being modified must also include any previously defined, non-zero fields. Any fields left undefined are automatically set to their zero value.

You can display the existing policy configuration on the console, or write the configuration to a backup file before making changes.

For example:

To write out an existing policy to the console:
corelight-update show -policy "defaultPolicy" -yaml
To write out an existing policy in Corelight-update to a file:
corelight-update show -policy "defaultPolicy" -yaml -file /etc/corelight-update/configs/defaultPolicy/db-config-backup.yaml
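A check against the warning above, added here as an example and not a corelight-update feature: given the current policy (for instance the backup written by show -yaml) and the candidate configuration file, both already loaded into Python dicts (the db-config.json variant loads with the json module; the YAML dump needs a YAML parser, not shown), it lists the non-zero fields that the sections being modified would silently reset to zero. The section and key names in the sample are constructed placeholders, not the real corelight-update schema.

```python
import json

# Values a field takes when it is left undefined in a loaded configuration
# section (the "zero value" the warning refers to).
ZERO_VALUES = (None, False, 0, "", [], {})

def is_zero(value):
    """True if `value` is already a zero value, so omitting it changes nothing."""
    return any(value == z for z in ZERO_VALUES)

def _walk(old, new, prefix, missing):
    """Recursively collect dotted paths present in `old` but absent from `new`."""
    for key, old_value in old.items():
        path = f"{prefix}.{key}"
        if key not in new:
            if not is_zero(old_value):
                missing.append(path)
        elif isinstance(old_value, dict) and isinstance(new[key], dict):
            _walk(old_value, new[key], path, missing)

def missing_nonzero_fields(current, candidate):
    """Return dotted paths of fields that hold a non-zero value in the current
    policy but are missing from the sections the candidate file modifies.
    Following the warning, only top-level sections present in the candidate
    are examined; sections it does not mention are left alone."""
    missing = []
    for section, new_value in candidate.items():
        old_value = current.get(section)
        if isinstance(old_value, dict) and isinstance(new_value, dict):
            _walk(old_value, new_value, section, missing)
    return missing

# Constructed sample: a dump of the current policy and a candidate config that
# rewrites one section but forgets two previously set, non-zero fields.
CURRENT_POLICY = json.loads("""{
  "exampleSection": {"enabled": true, "retentionDays": 30, "note": "",
                     "nested": {"timeoutSeconds": 60, "verbose": false}},
  "untouchedSection": {"keepMe": 1}
}""")
CANDIDATE_CONFIG = json.loads("""{
  "exampleSection": {"enabled": true, "nested": {}}
}""")
```

Fields the check reports must be copied into the candidate section before running corelight-update update, or they will be zeroed on load.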

4. Run Corelight-update

Run corelight-update using the CLI commands, or enable the service. See Corelight-update Service.

  • For additional corelight-update command options, see CLI Commands