Global configuration and policy settings

The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations. Use the global configuration and policy settings to modify the Corelight-update web service, and establish integrations and policies at a global level.

Changes can be made to the global policy using either:

  • A config file.

  • The Corelight-update CLI command --global-settings switch.

The Corelight-update CLI command supports updating the Global Configuration directly using the --global-settings switch.
  • Multiple settings can be updated using a single command.

  • Update nested settings by using a “.” or “_”. For example, webserver.enable=true or webserver_enable=true.

  • Other than remote_global_conf_files, any setting can be updated using a key=value pair.

For example:

corelight-update update --global-settings verbose=false interval_minutes=30

Note

Making changes to a policy using the CLI bypasses the configuration files. To maintain a copy of the current Global Configuration as a config file, export it to a file. See “Show Options” in the CLI commands.

See the Complete Global Settings below for a list of fields that can be updated directly.

When using a config file, make the additions or changes to a policy in the configuration file first, then load that file into Corelight-update for them to take effect.

To update the global configuration:

  1. Output the current global configuration as a file. For example, to create a global config file in yaml format:

    corelight-update show -global -yaml -file /etc/corelight-update/global/config.yaml
    
  2. Change the settings in the config file.

  3. Update the global configuration. For example:

    corelight-update update -global --path /etc/corelight-update/global/config.yaml
    

Warning

When making changes to a policy, the configuration file section being modified must also include every previously defined, non-zero field. Any field left undefined is not preserved: it is reset to its zero value (false, 0, or empty) when the file is loaded. The safest practice is to edit the exported file in place rather than write a file containing only the fields you intend to change.

After a configuration has been updated, it’s always recommended to verify the global configuration on the console. For example:

corelight-update show -global
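The two update paths above (key=value pairs through --global-settings, or a full config file) and the zero-value warning can be staged and checked before anything is applied. The following is an added example, not Corelight's own code: it builds the --global-settings argument list in the dotted form the CLI accepts, refuses remote_global_conf_files on that path, and lists which exported fields a partial config file would silently reset. It assumes corelight-update is on PATH, that the exported file is read with PyYAML, and that a field's zero value is false, 0, an empty string, an empty list or an empty map; the sample export is constructed from the complete settings list on this page.

```python
# Added example, not Corelight's own code: stage a global-settings change for
# corelight-update either as --global-settings key=value pairs or as a full
# config file, and list the fields a partial config file would silently zero.
#
# Assumptions not stated on the page: corelight-update is on PATH; the exported
# file is read with PyYAML (yaml.safe_load); a field's "zero value" is
# false, 0, "", an empty list or an empty map.
from typing import Any, Dict, List, Tuple

EXPORT_PATH = "/etc/corelight-update/global/config.yaml"  # path used on the page
CLI_EXCLUDED = {"remote_global_conf_files"}                # config file only

# Constructed sample standing in for `corelight-update show -global -yaml`,
# mirroring the "Complete global settings" list on this page.
SAMPLE_EXPORT: Dict[str, Any] = {
    "verbose": False,
    "exp_features": False,
    "webserver": {"enable": True, "tls": True,
                  "tls_cert": "/etc/corelight-update/global/cert.crt",
                  "tls_key": "/etc/corelight-update/global/cert.key",
                  "port": 8443},
    "process_feeds": True,
    "interval_minutes": 60,
    "geoip": {"enabled": False, "interval_hours": 168, "account_id": 0,
              "license_key": "",
              "database_directory": "/var/corelight-update/files/all/geoip"},
    "remote_global_conf_files": [],
}


def flatten(changes: Dict[str, Any], prefix: str = "") -> List[Tuple[str, Any]]:
    """{"webserver": {"enable": True}} -> [("webserver.enable", True)],
    the dotted form the CLI accepts for nested settings."""
    pairs: List[Tuple[str, Any]] = []
    for key, val in changes.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            pairs.extend(flatten(val, dotted))
        else:
            pairs.append((dotted, val))
    return pairs


def cli_value(val: Any) -> str:
    """Spell booleans the way the page's examples do (true/false)."""
    if isinstance(val, bool):
        return "true" if val else "false"
    return str(val)


def global_settings_args(changes: Dict[str, Any]) -> List[str]:
    """argv for `corelight-update update --global-settings k=v ...`;
    refuses the one key the page says cannot be set this way."""
    pairs = flatten(changes)
    for dotted, _ in pairs:
        if dotted.split(".", 1)[0] in CLI_EXCLUDED:
            raise ValueError(f"{dotted}: change this through the config file")
    return (["corelight-update", "update", "--global-settings"]
            + [f"{k}={cli_value(v)}" for k, v in pairs])


def is_zero(val: Any) -> bool:
    return val in (None, False, 0, "") or val == [] or val == {}


def deep_merge(base: Dict[str, Any], changes: Dict[str, Any]) -> Dict[str, Any]:
    """The export with the changes applied, so every previously defined
    field is still present in the file that gets written back."""
    merged = dict(base)
    for key, val in changes.items():
        if isinstance(val, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], val)
        else:
            merged[key] = val
    return merged


def zeroed_fields(exported: Dict[str, Any], partial: Dict[str, Any],
                  prefix: str = "") -> List[str]:
    """Dotted names of non-zero exported fields that `partial` omits; per the
    page's warning, loading such a file resets them to their zero value."""
    lost: List[str] = []
    for key, val in exported.items():
        dotted = f"{prefix}.{key}" if prefix else key
        sub = partial.get(key)
        if isinstance(val, dict):
            lost.extend(zeroed_fields(val, sub if isinstance(sub, dict) else {}, dotted))
        elif key not in partial and not is_zero(val):
            lost.append(dotted)
    return lost


def load_exported(path: str = EXPORT_PATH) -> Dict[str, Any]:
    """Read the file written by `corelight-update show -global -yaml -file PATH`."""
    import yaml  # PyYAML, assumed installed; imported lazily so the helpers above need nothing
    with open(path) as fh:
        return yaml.safe_load(fh)


def update_from_file_args(path: str = EXPORT_PATH) -> List[str]:
    return ["corelight-update", "update", "-global", "--path", path]


if __name__ == "__main__":
    import shlex
    change = {"webserver": {"port": 9443}}  # constructed change
    print("a partial file with only this change would zero:",
          zeroed_fields(SAMPLE_EXPORT, change))
    print("CLI form:", shlex.join(global_settings_args(change)))
    # On a real host: full = deep_merge(load_exported(), change), write it with
    # yaml.safe_dump to EXPORT_PATH, then run update_from_file_args().
```

Run it against the constructed sample and the output names eight fields (the web server TLS settings, process_feeds, interval_minutes and the GeoIP interval and directory) that a file containing only webserver.port would wipe out; merging the change into the export first leaves that list empty.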

Global configuration settings

The Corelight-update service provides local web access to the documentation, and all of the content created and managed by Corelight-update. The web service is enabled by default, and is optional.

Modify the web service

webserver:
  enable:   true
  tls:      true
  tls_cert: "/etc/corelight-update/global/cert.crt"
  tls_key:  "/etc/corelight-update/global/cert.key"
  port:     8443

Note

Replacing the default certificate with one issued for this host is recommended.

Update the processing service and interval

In some cases it is useful to disable feed processing and run only the web service, or to change the default interval at which data feeds are processed.

process_feeds:    true
interval_minutes: 60

When this interval is triggered, the individual state history for each enabled integration is checked.

  • If the integration interval time has lapsed, it processes the integration.

  • If the interval has not lapsed, the integration is skipped until the next cycle.

  • If the interval is set to 0, the integrations will be processed each cycle.
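The interaction between the service interval and each integration's own interval is easier to see in a small model. The following is an added example, not Corelight's own code: it applies the three rules above to a constructed set of integrations and reports the cycles in which each one runs. It assumes the per-integration state is the time of its last run (the page only says a state history is kept) and that an integration that has never run is due on the first cycle.

```python
# Added example, not Corelight's own code: a model of the scheduling rules
# described above. Every interval_minutes the service wakes and checks each
# enabled integration's state; the integration runs if its own interval has
# elapsed since it last ran, is skipped until the next cycle otherwise, and
# runs every cycle when its interval is 0.
# Assumption not stated on the page: the per-integration state is the time it
# last ran, and an integration that has never run is due on the first cycle.
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def due_integrations(now: datetime, interval_hours: Dict[str, float],
                     last_run: Dict[str, Optional[datetime]]) -> List[str]:
    """Names of the integrations the service should process in this cycle."""
    due: List[str] = []
    for name, hours in interval_hours.items():
        last = last_run.get(name)
        if hours == 0 or last is None or now - last >= timedelta(hours=hours):
            due.append(name)
    return due


def simulate(cycles: int, interval_minutes: int, interval_hours: Dict[str, float],
             process_feeds: bool = True) -> Dict[str, List[int]]:
    """Cycle numbers in which each integration ran, starting from a clean state."""
    runs: Dict[str, List[int]] = {name: [] for name in interval_hours}
    if not process_feeds:        # process_feeds: false -> web service only
        return runs
    last_run: Dict[str, Optional[datetime]] = {name: None for name in interval_hours}
    start = datetime(2024, 1, 1)  # constructed; only the spacing matters
    for cycle in range(cycles):
        now = start + timedelta(minutes=interval_minutes * cycle)
        for name in due_integrations(now, interval_hours, last_run):
            runs[name].append(cycle)
            last_run[name] = now
    return runs


if __name__ == "__main__":
    # geoip at the page's default of 168 h, plus three constructed integrations
    # covering the interval 0 case and an interval that is not a multiple of the cycle.
    result = simulate(cycles=8, interval_minutes=60,
                      interval_hours={"geoip": 168, "hourly": 1,
                                      "every_cycle": 0, "ninety_min": 1.5})
    for name, ran in result.items():
        print(f"{name:12s} ran in cycles {ran}")
```

The constructed ninety_min integration runs in cycles 0, 2, 4 and 6: because an integration is only checked when the service wakes, its effective period rounds up to a whole number of service cycles. Choose interval_minutes so it divides the integration intervals you care about, and note that an integration interval shorter than interval_minutes simply runs every cycle, the same as 0.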

Additional logging options

If additional logging detail is desired, enable verbose logging. This setting is in addition to the CLI debugging option.

verbose: false

Global policy settings

Note

Starting in v1.0.0, enabling integrations and setting their interval is separate from the integration configuration.

Enable downloads of the current Maxmind GeoIP database. The default interval is 1 week. See Maxmind GeoIP for details.

geoip:
  enable_maxmind: false
  interval_hours: 168
  account_id: 0
  license_key: ""
  database_directory: "/var/corelight-update/files/all/geoip"

Global Suricata settings

If you maintain a centralized set of Suricata configuration files for ruleset tuning and management, you can configure Corelight-update to download the files from a remote source automatically and apply them to the sensors it manages.

The Suricata configuration files disable.conf, enable.conf and modify.conf can be applied at the global level and at the policy level. If a disable.conf, enable.conf or modify.conf exists in the global config directory, it is processed automatically for each policy.

Each time the Corelight-update service runs, the Suricata rulesets can be processed up to three times for each policy:

  1. Process any enabled Corelight recommended configs,

  2. Process any enabled Global configs,

  3. Process the Suricata policy configs.

For example, to pull a modify.conf file from GitHub:

remote_global_conf_files:
 - name: modify.conf
   url: https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf
   auth_type: basic
   auth_token: ""
   auth_token_header:
   username: fakeuser
   encrypted_pass: 8946af417b8c3a13358ac42e6f6fbb3f256e2f5cc778a08...
   ignore_tls: false

The supported authentication types are no auth, basic, or token. When using the no auth option, leave the auth_type field empty. Leave ignore_tls at false: setting it to true disables certificate verification for the download, and these files change which Suricata rules run on every connected sensor, so a file fetched without verification can be replaced by anyone on the network path.
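Because a remote_global_conf_files entry decides what rule tuning reaches every sensor, it is worth linting entries before loading them. The following is an added example, not Corelight's own code: it checks each entry against the fields and auth types documented above. The accepted file names (the three Suricata config files this page names) and the requirement for an https URL are this example's own policy rather than something the tool is documented to enforce; the sample entries are constructed, with a placeholder in place of the page's elided encrypted_pass value.

```python
# Added example, not Corelight's own code: lint remote_global_conf_files
# entries before loading them. The field names and the three auth types are
# the ones documented on this page; the accepted file names and the https
# requirement are this example's own policy, not something the tool enforces.
from typing import Any, Dict, List
from urllib.parse import urlparse

ALLOWED_NAMES = {"disable.conf", "enable.conf", "modify.conf"}
AUTH_TYPES = {"", "basic", "token"}  # empty = no auth, as the page says


def lint_entry(entry: Dict[str, Any]) -> List[str]:
    """Problems with one remote file entry; an empty list means it passes."""
    problems: List[str] = []
    name = str(entry.get("name") or "")
    if name not in ALLOWED_NAMES:
        problems.append(f"name {name!r} is not one of {sorted(ALLOWED_NAMES)}")
    url = str(entry.get("url") or "")
    if urlparse(url).scheme != "https":
        problems.append(f"url {url!r} is not https; rule tuning should not travel in the clear")
    auth = str(entry.get("auth_type") or "")
    if auth not in AUTH_TYPES:
        problems.append(f"auth_type {auth!r} is not one of: empty (no auth), basic, token")
    elif auth == "basic" and not (entry.get("username") and entry.get("encrypted_pass")):
        problems.append("auth_type basic needs both username and encrypted_pass")
    elif auth == "token" and not entry.get("auth_token"):
        problems.append("auth_type token needs auth_token")
    elif auth == "" and any(entry.get(k) for k in ("username", "encrypted_pass", "auth_token")):
        problems.append("credentials are set but auth_type is empty (no auth)")
    if entry.get("ignore_tls"):
        problems.append("ignore_tls is true: the server certificate is not checked, so anyone "
                        "on the network path can substitute the file applied to every sensor")
    return problems


def lint_remote_conf_files(entries: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map 'index:name' -> problems, for the entries that fail."""
    report: Dict[str, List[str]] = {}
    for i, entry in enumerate(entries):
        problems = lint_entry(entry)
        if problems:
            report[f"{i}:{entry.get('name')}"] = problems
    return report


# Constructed entries: the first mirrors the page's GitHub example (with a
# placeholder for the encrypted password), the second is deliberately bad.
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    {"name": "modify.conf",
     "url": "https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf",
     "auth_type": "basic", "auth_token": "", "auth_token_header": None,
     "username": "fakeuser", "encrypted_pass": "8946af417b8c3a13", "ignore_tls": False},
    {"name": "local.rules",
     "url": "http://intranet.example/modify.conf",
     "auth_type": "token", "auth_token": "", "auth_token_header": None,
     "username": "", "encrypted_pass": "", "ignore_tls": True},
]

if __name__ == "__main__":
    for key, problems in lint_remote_conf_files(SAMPLE_ENTRIES).items():
        print(key)
        for p in problems:
            print("  -", p)
```

The page's own GitHub entry passes cleanly; the constructed second entry is reported for its file name, the plain-http URL, a token auth_type with no token, and ignore_tls set to true. Feed the lint the remote_global_conf_files list from an exported global config before running the update command.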

Complete global settings

verbose: false
exp_features: false
webserver:
    enable: true
    tls: true
    tls_cert: /etc/corelight-update/global/cert.crt
    tls_key: /etc/corelight-update/global/cert.key
    port: 8443
process_feeds: true
interval_minutes: 60
geoip:
    enabled: false
    interval_hours: 168
    account_id: 0
    license_key: ""
    database_directory: /var/corelight-update/files/all/geoip
remote_global_conf_files:
    - name:
      url:
      auth_type:
      auth_token:
      auth_token_header:
      username:
      encrypted_pass:
      ignore_tls: