Global configuration and policy settings¶
The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations. Use the global configuration and policy settings to modify the Corelight-update web service, and establish integrations and policies at a global level.
Changes can be made to the global policy using either:
A config file.
The Corelight-update CLI command --global-settings switch.
The Corelight-update CLI command supports updating the Global Configuration directly using the --global-settings switch.
Multiple settings can be updated using a single command.
Update nested settings by using a “.” or “_”. For example, webserver.enable=true or webserver_enable=true. Other than remote_global_conf_files, any setting can be updated using a key=value pair.
For example:
corelight-update update --global-settings verbose=false interval_minutes=30
Note
Making changes to a policy using the CLI bypasses the configuration files. To maintain a copy of the current Global Configuration as a config file, export it to a file. See “Show Options” in the CLI commands.
See the Complete Global Settings below for a list of fields that can be updated directly.
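The key=value handling described above, written out as a small Python model so the nested-key rules can be seen end to end. This is example code added for this page, not the corelight-update implementation: the config is a constructed subset of the Complete Global Settings embedded as a parsed dict, the exact-key-first rule for resolving “_” (so that interval_minutes is not split into interval/minutes) is an assumption, and the type coercion follows the type of the current value.

```python
"""Model of --global-settings key=value resolution (example, not corelight-update code).

Rules taken from the page: nested keys may be joined with "." or "_",
remote_global_conf_files cannot be set this way, several pairs may be
applied in one call.  Assumption: an exact top-level match wins before
any splitting on "_", so interval_minutes stays a single key.
"""
import copy

# Constructed sample: a subset of the "Complete global settings" as a parsed dict.
CURRENT_GLOBAL = {
    "verbose": False,
    "webserver": {"enable": True, "tls": True, "port": 8443,
                  "tls_cert": "/etc/corelight-update/global/cert.crt"},
    "process_feeds": True,
    "interval_minutes": 60,
    "remote_global_conf_files": [],
}

# The one setting the page says cannot be updated with --global-settings.
READ_ONLY = {"remote_global_conf_files"}


def coerce(text, current):
    """Convert CLI text to the type of the value it replaces."""
    if isinstance(current, bool):          # bool before int: bool is an int subclass
        if text.lower() in ("true", "yes", "1"):
            return True
        if text.lower() in ("false", "no", "0"):
            return False
        raise ValueError(f"expected a boolean, got {text!r}")
    if isinstance(current, int):
        return int(text)
    return text


def resolve_path(config, key):
    """Return the nested path [parent, child] or [key] for a CLI key.

    Exact match first, then try every split point on "." and "_" so that
    webserver.port, webserver_tls and webserver_tls_cert all resolve.
    """
    if key in config:
        return [key]
    for sep in (".", "_"):
        if sep not in key:
            continue
        parts = key.split(sep)
        for i in range(1, len(parts)):
            parent, child = sep.join(parts[:i]), sep.join(parts[i:])
            node = config.get(parent)
            if isinstance(node, dict) and child in node:
                return [parent, child]
    raise KeyError(f"unknown global setting: {key}")


def apply_settings(config, pairs):
    """Apply a list of key=value pairs and return a new config dict."""
    new = copy.deepcopy(config)
    for pair in pairs:
        if "=" not in pair:
            raise ValueError(f"expected key=value, got {pair!r}")
        key, text = pair.split("=", 1)
        path = resolve_path(new, key)
        if path[0] in READ_ONLY:
            raise ValueError(f"{path[0]} cannot be set with --global-settings")
        node = new
        for part in path[:-1]:
            node = node[part]
        node[path[-1]] = coerce(text, node[path[-1]])
    return new


if __name__ == "__main__":
    # Mirrors the page's command: verbose=false interval_minutes=30
    print(apply_settings(CURRENT_GLOBAL, ["verbose=false", "interval_minutes=30"]))
```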
When using a config file, additions or changes to a policy are made to a configuration file first before being loaded into Corelight-update to take effect.
To update the global configuration:
Output the current global configuration as a file. For example, to create a global config file in yaml format:
corelight-update show -global -file /etc/corelight-update/global/config.yaml
Change the settings in the config file.
Update the global configuration. For example:
corelight-update update -global --file /etc/corelight-update/global/config.yaml
Warning
When making changes to a policy, the configuration file section being modified must also include any previously defined, non-zero fields. Any fields left undefined will be automatically configured to their zero value.
After a configuration has been updated, it’s always recommended to verify the global configuration on the console. For example:
corelight-update show -global
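Because undefined fields are reset to their zero value, it is worth comparing the exported configuration with the edited file before running the update. The following Python check does that: it lists every non-zero field the proposed file would silently zero, and builds a merged file that keeps untouched values. This is example code added for this page, not part of corelight-update; both configurations are constructed samples embedded as already-parsed dicts (in practice they would come from the exported YAML).

```python
"""Pre-apply check for the zero-value warning (example, not corelight-update code).

current:  the global configuration as exported with
          `corelight-update show -global -file ...`, already parsed.
proposed: the edited file about to be passed to `update -global --file`.
"""

# Values the page calls "zero values" for the field types it uses.
ZERO_VALUES = (None, False, 0, "", [], {})


def is_zero(value):
    return value in ZERO_VALUES


def zeroed_fields(current, proposed, prefix=""):
    """Dotted paths of non-zero current fields that `proposed` leaves undefined."""
    lost = []
    for key, cur in current.items():
        path = f"{prefix}{key}"
        if key not in proposed:
            if not is_zero(cur):
                lost.append(path)
            continue
        new = proposed[key]
        if isinstance(cur, dict) and isinstance(new, dict):
            lost.extend(zeroed_fields(cur, new, path + "."))
    return lost


def merge_section(current, proposed):
    """Layer proposed values over current ones so nothing is reset by omission."""
    merged = dict(current)
    for key, new in proposed.items():
        cur = current.get(key)
        if isinstance(cur, dict) and isinstance(new, dict):
            merged[key] = merge_section(cur, new)
        else:
            merged[key] = new
    return merged


# Constructed sample: exported global configuration (subset).
CURRENT = {
    "verbose": False,
    "webserver": {
        "enable": True,
        "tls": True,
        "tls_cert": "/etc/corelight-update/global/cert.crt",
        "tls_key": "/etc/corelight-update/global/cert.key",
        "port": 8443,
    },
    "process_feeds": True,
    "interval_minutes": 60,
    "parallel_push_limit": 10,
}

# Constructed sample: an edited file that only mentions the two fields being changed.
PROPOSED = {"webserver": {"port": 8444}, "interval_minutes": 30}


if __name__ == "__main__":
    for path in zeroed_fields(CURRENT, PROPOSED):
        print(f"would be reset to zero value: {path}")
    print(merge_section(CURRENT, PROPOSED))
```

Run against the samples, the check reports webserver.enable, webserver.tls, both certificate paths, process_feeds and parallel_push_limit as fields the short file would reset; verbose is not reported because false is already its zero value.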
Global configuration settings¶
The Corelight-update service provides local web access to the documentation, and all of the content created and managed by Corelight-update. The web service is enabled by default, and is optional.
Modify the web service¶
webserver:
  enable: true
  tls: true
  tls_cert: "/etc/corelight-update/global/cert.crt"
  tls_key: "/etc/corelight-update/global/cert.key"
  port: 8443
Note
Updating the default certificate is recommended.
Update the processing service and interval¶
In some cases it is useful to disable the processing feeds and only have the web service enabled, or modify the default interval for processing data feeds.
process_feeds: true
interval_minutes: 60
When this interval is triggered, the individual state history for each enabled integration is checked:
If the integration interval time has lapsed, the integration is processed.
If the interval has not lapsed, the integration is skipped until the next cycle.
If the interval is set to 0, the integration is processed on every cycle.
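The scheduling rule above, as a small Python model added for this page (not corelight-update's scheduler): each service tick checks every integration's last recorded run against its own interval, and an interval of 0 makes the integration run on every tick. The integration names and the state history are constructed samples.

```python
"""Model of the per-integration interval check (example, not corelight-update code)."""
from datetime import datetime, timedelta, timezone


def due_integrations(now, state_history, intervals):
    """Names of integrations whose interval has lapsed at `now`.

    state_history: name -> datetime of the last processing (None if never run)
    intervals:     name -> interval in hours; 0 means "process every cycle"
    """
    due = []
    for name, hours in intervals.items():
        last = state_history.get(name)
        if hours == 0 or last is None or now - last >= timedelta(hours=hours):
            due.append(name)
    return due


def run_cycle(now, state_history, intervals):
    """One service tick: process what is due, record the run, report what ran."""
    ran = due_integrations(now, state_history, intervals)
    updated = dict(state_history)
    for name in ran:
        updated[name] = now
    return updated, ran


# Constructed sample: the tick time and the state history before it.
NOW = datetime(2024, 1, 8, tzinfo=timezone.utc)
HISTORY = {
    "geoip": NOW - timedelta(hours=100),             # weekly interval, not yet lapsed
    "remote_conf_files": NOW - timedelta(hours=2),   # hourly interval, lapsed
    "feed_every_cycle": NOW - timedelta(minutes=60), # interval 0, always due
}
INTERVALS = {"geoip": 168, "remote_conf_files": 1, "feed_every_cycle": 0}


if __name__ == "__main__":
    history, ran = run_cycle(NOW, HISTORY, INTERVALS)
    print("first tick ran:", ran)
    # A second tick at the same instant: only the interval-0 integration is due again.
    print("second tick ran:", due_integrations(NOW, history, INTERVALS))
```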
Auto-updating policy settings¶
You can configure Corelight-update to automatically update a policy using a configuration file referenced in a directory. When auto_update_policies is enabled, Corelight-update monitors the directory path /etc/corelight-update/configs/<policy_name>/ for a config.yaml file.
On each service interval, Corelight-update checks each path for a policy configuration file, and applies that configuration to the policy. This setting is disabled by default.
auto_update_policies:
  enable: false
  filename: config.yaml
Note
When auto_update_policies is enabled, a configuration file matching the filename setting is required in each policy directory: /etc/corelight-update/configs/<policy_name>/
Pushing content to sensors in parallel¶
By default, Corelight-update deploys content updates to the sensors concurrently. It opens connections to multiple sensors in a policy, pushes the updated content, and cycles to the next sensor, up to the parallel_push_limit setting.
Content updates are performed in a specified order. To review the order of operations, see Push content for policies. The default for parallel_push_limit is 10 sensors.
parallel_push_limit: 10
Additional logging options¶
If additional logging detail is desired, enable verbose logging. This setting is in addition to the CLI debugging option.
verbose: false
Global policy settings¶
Enable downloads of the current Maxmind GeoIP database. The default interval is 1 week. See Maxmind GeoIP for details.
geoip:
  enable_maxmind: false
  interval_hours: 168
  account_id: 0
  license_key: ""
  database_directory: "/var/corelight-update/files/all/geoip"
Global Suricata settings¶
If you maintain a centralized set of Suricata configuration files for ruleset tuning and management, you can configure Corelight-update to automatically download the files from a remote source, and apply them to the Corelight-update connected sensors.
The Suricata configuration files disable.conf, enable.conf and modify.conf can be applied at a global and at a policy level. If a disable.conf, enable.conf or modify.conf exists in the global config directory, it is automatically processed for each policy.
To learn about the processing order, see Order of operations.
For information about setting Suricata configuration files at the Policy level, see Suricata policy settings.
Each time the Corelight-update service runs, the Suricata rulesets can be processed up to three times for each policy:
Process any enabled Corelight recommended configs,
Process any enabled Global configs,
Process the Suricata policy configs.
For example, to pull a modify.conf file from GitHub:
remote_conf_files:
  - name: modify.conf
    url: https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf
    auth_type: basic
    auth_token: ""
    auth_token_header:
    username: fakeuser
    encrypted_pass: 8946af417b8c3a13358ac42e6f6fbb3f256e2f5cc778a08...
    ignore_tls: false
The supported authentication types are no auth, basic, or token. When using the no auth option, leave the auth_type field empty.
See Using a proxy with Corelight-update for details about using a proxy to download remote sources.
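To make the three authentication options concrete, the following Python example shows the request headers a downloader would send for each auth_type on a remote conf file entry, together with a pre-fetch review of the entry's transport settings. It is example code added for this page, not corelight-update's downloader. Assumptions: the decrypted password is passed in separately (the page does not document the encrypted_pass format, so it is not decoded here), and a token is placed in the header named by auth_token_header, defaulting to Authorization with a Bearer prefix when that field is empty.

```python
"""Auth headers and a pre-fetch review for remote conf file entries
(example code for this page, not corelight-update's implementation)."""
import base64


def auth_headers(entry, password=None):
    """HTTP headers for the entry's auth_type: "" (no auth), basic or token."""
    auth_type = (entry.get("auth_type") or "").lower()
    if auth_type == "":
        return {}                                   # no auth: auth_type left empty
    if auth_type == "basic":
        if password is None:
            raise ValueError("basic auth needs the decrypted password")
        creds = f"{entry['username']}:{password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    if auth_type == "token":
        # Assumption: header name comes from auth_token_header, default Authorization/Bearer.
        header = entry.get("auth_token_header") or "Authorization"
        token = entry["auth_token"]
        if header == "Authorization":
            token = "Bearer " + token
        return {header: token}
    raise ValueError(f"unsupported auth_type: {auth_type!r}")


def review_entry(entry):
    """Findings a defender would want to see before the file is fetched and applied."""
    findings = []
    if not str(entry.get("url", "")).startswith("https://"):
        findings.append("url is not https: the conf file could be altered in transit")
    if entry.get("ignore_tls"):
        findings.append("ignore_tls is true: the server certificate is not verified")
    if (entry.get("auth_type") or "").lower() == "basic" and not entry.get("encrypted_pass"):
        findings.append("basic auth configured without encrypted_pass")
    if (entry.get("auth_type") or "").lower() == "token" and not entry.get("auth_token"):
        findings.append("token auth configured without auth_token")
    return findings


# The page's GitHub example, as a parsed dict (encrypted_pass kept as the page shows it).
PAGE_ENTRY = {
    "name": "modify.conf",
    "url": "https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf",
    "auth_type": "basic",
    "auth_token": "",
    "auth_token_header": None,
    "username": "fakeuser",
    "encrypted_pass": "8946af417b8c3a13358ac42e6f6fbb3f256e2f5cc778a08...",
    "ignore_tls": False,
}


if __name__ == "__main__":
    print(review_entry(PAGE_ENTRY))                          # no findings
    print(auth_headers(PAGE_ENTRY, password="example-pw"))   # constructed password
```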
Complete global settings¶
verbose: false
exp_features: false
webserver:
  enable: true
  tls: true
  tls_cert: /etc/corelight-update/global/cert.crt
  tls_key: /etc/corelight-update/global/cert.key
  port: 8443
process_feeds: true
interval_minutes: 60
geoip:
  enabled: false
  interval_hours: 168
  account_id: 0
  license_key: ""
  database_directory: /var/corelight-update/files/all/geoip
remote_global_conf_files:
  - name:
    url:
    auth_type:
    auth_token:
    auth_token_header:
    username:
    encrypted_pass:
    ignore_tls:
parallel_push_limit: 10
auto_update_policies:
  enable: false
  filename: config.yaml