QuickStart - upgrade¶
The release of Corelight-update 1.0 makes a significant change to the configuration management system.
The Corelight-update utility now utilizes a configuration database to track and maintain a policy with sensor inventory, the global service configuration and interval, the policy assignments, and integrations.
Attention
On completion of the upgrade, if you have pre-1.0 release policy files, they must be manually imported into the configuration database. See CLI commands for details on the import command.
System requirements¶
The minimum system requirements are:
An x86_64 or ARM64 processor.
2 GB memory.
A host running a Linux operating system (OS).
Network connectivity to the Internet, or an internal-facing threat intelligence data repository.
To push content to your sensors, or to Fleet Manager, network connectivity to the management interface is required.
Upgrade overview¶
Set up the Corelight package repository on the host OS if required. See QuickStart - new install for instructions.
Upgrade corelight-update.
(Optional) Add additional user credentials to the corelight-update group. See Add users to the corelight-update group (optional) for instructions.
(Optional) For customers upgrading from a version prior to 1.0, manually import your existing configurations. See CLI commands for instructions.
Upgrade corelight-update¶
On apt-based hosts (Debian, Ubuntu):
sudo apt update
sudo apt install corelight-update
On yum-based hosts (RHEL and derivatives):
sudo yum install corelight-update
Import Corelight-update configurations¶
When Corelight-update runs for the first time, it will automatically create the database with a default Global configuration. When the corelight-update.db is created, there are no default policies generated. The Corelight-update utility will not run until policies are imported or created.
The global config can be updated with either a YAML or JSON config file. Use the examples provided in the global config directory, along with the CLI command corelight-update update -global, to update the global config. See CLI commands for details.
There are two policy configuration sample files provided: /etc/corelight-update/configs/defaultPolicy/db-config.json and /etc/corelight-update/configs/defaultPolicy/db-config.yaml. They contain identical configuration examples defined in different structured text formats.
For information on configuring the sensor inventory, and the use of encrypted passwords, see Policy inventory settings.
For information on the default interval settings for data downloading and processing, enabling global integrations or enabling the web service, see Global configuration and policy settings.
For information on policy configuration settings, including enabling pushing content to sensors, enabling integrations and their settings, how to process, optimize, and test Suricata rulesets, and historical file retention, see Policy configuration and settings.
For additional corelight-update command options, see CLI commands.
For details on specific integrations and their settings, see Third-party integrations settings.
Policy files from older versions¶
The Corelight-update utility now utilizes a configuration database to track and maintain a policy with sensor inventory, the global service configuration and interval, the policy assignments, and integrations.
If you have pre-1.0 release policy files, they must be manually imported into the configuration database.
You can import your pre-1.0 policies using corelight-update import with the -v0.23 flag to indicate you are importing from a version 0.23 policy. After importing a pre-v1.0 policy, use the update command to add the inventory details to the policy. For example:
corelight-update update -policy defaultPolicy -path /etc/corelight-update/configs/defaultPolicy/inventory.yaml
Once the pre-v1.0 policy is imported, review the imported configuration using the corelight-update show command. For example:
corelight-update show -policy defaultPolicy -yaml
Note
The -v0.23 flag can be used with policies from older versions of corelight-update, but you should always review the imported configuration using the show command.
Once a policy has been imported, you will switch to using the new policy configuration to update those policies. The pre-1.0 policy files cannot be used to update a policy; they can only be used as an import.
When updating policies, you can either supply an entire policy configuration or only the sections you want to update.
Warning
When updating from a full or partial configuration, any config section you provide must include every field that should have a non-zero value. Any field missing from a provided section is automatically set to its zero value.
Attention
If the database is deleted, an empty database (with no policies) will automatically be recreated the next time Corelight-update runs. The database is located at /etc/corelight-update/corelight_update.db