Policy inventory settings

Push content settings

You can use Corelight-update to push content to Corelight Sensors. It supports both Fleet-managed and stand-alone sensors. To push content to sensors, the push_content settings must be enabled in a policy. Pushing content is disabled by default.

Once pushing content is enabled at the policy level, it can be overridden for non-Fleet-managed sensors in the inventory for that policy. See Inventory settings below for details.

The policy settings for pushing content are:

# Push Content to Sensors
push_content:
    intel:            false
    input:            false
    package_bundle:   false
    suricata:         false
    suricata_configs: false
    yara_source:      false

Force pushing all content

By default, Corelight-update will only push new content to sensors. When you add a sensor to the policy, no content is pushed to the sensor until new content is generated. You can use the CLI to force push existing content to sensors. See CLI commands for details.

The policy inventory can include Fleet Manager details and/or a list of the Corelight sensors to deploy content to using Corelight-update. The sensors can be any combination of sensor types: hardware, virtual, software, and microsensors.

Sensors that are Fleet managed do not need to be listed individually in the Corelight-update inventory. Corelight-update will utilize Fleet Manager to deploy content to those sensors. For sensors that are not Fleet managed, you can push content directly to them by listing their details in the inventory.

Overview of adding Fleet Manager and sensor details to the inventory

  1. Prepare a list of the sensors that Corelight-update will deploy to.

    • For Fleet-managed sensors, the sensor inventory will be collected from Fleet Manager.

    • For all standalone appliance sensors: collect the IP address or FQDN, and the sensor username and password.

    • For all microsensors (version 1.x software sensors): collect the IP address or FQDN, and the host ssh key, or the sensor username and password.

  2. If you have Fleet-managed sensors, configure the connection to your Fleet Manager instance under the fleet: section of the Corelight-update db-config file.

  3. Configure the inventory settings under the sensors: portion of the Corelight-update configuration file, adding a new - name: entry and its associated fields for each standalone, non-Fleet-managed sensor in your inventory.

  4. Use the configuration file to update the policy in Corelight-update.

Inventory settings

The following fields are available for configuring the inventory:

fleet:
  ip:                     # fleet address or fqdn
  username:               # fleet username
  password:               # fleet password, leave blank to use encrypted password
  encrypted_pass:         # use the 'encrypt' CLI command to encrypt a password before it's stored here
  ignore_tls:             true
  sensor_policy:          # the name of the sensor policy in Fleet Manager (required if different from the Corelight-update policy)
  suricata_policy:        # the name of the suricata policy in Fleet Manager (required if different from the Corelight-update policy)
  intel_policy:           # the name of the intel policy in Fleet Manager (required if different from the Corelight-update policy)
  yara_source_namespace:  # the namespace of the YARA source in Fleet Manager
sensors:
  - name:                 # sensor name
    type:                 # physical, virtual, micro or localhost
    fleet:                false # true or false
    ip:                   # address or fqdn
    username:             # sensor username
    password:             # set to "ssh-key" to use ssh keys with softsensor, leave blank to use encrypted password
    encrypted_pass:       # use the 'encrypt' CLI command to encrypt a password before it's stored here
    ignore_tls:           true  # physical and virtual sensors ONLY
    suricata:             true  # push suricata rulesets to this sensor
    intel:                true  # push intel files to this sensor
    input:                true  # push input files to this sensor
    bundle:               true  # push package bundle to this sensor
    intel_path:           "/etc/corelight/intel/intel.dat"      # microsensors and localhost ONLY
    input_path:           "/etc/corelight/input_files/"         # microsensors and localhost ONLY
    suricata_path:        "/etc/corelight/rules/suricata.rules" # microsensors and localhost ONLY
    suricata_config_path: "/etc/corelight/suricata/"            # microsensors and localhost ONLY
    bundle_path:          "/etc/corelight/corelight.bundle"     # microsensors ONLY

Warning

The suricata_config_path /etc/corelight/suricata/ does not exist by default on Microsensors and must be created before Suricata config files can be pushed. The folder must be writable for the username listed for that sensor.
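As an added example (not Corelight-update's own code), a small Python lint that checks a policy's push_content and inventory settings against the constraints stated above: plaintext passwords where encrypted_pass should be used, ignore_tls, fields that only apply to certain sensor types, and per-sensor push flags that the policy-level push_content setting would silently disable. The sample policy is constructed data, and the assumption that a localhost sensor needs no credentials is mine.

```python
# Added example, not part of the Corelight-update project: lint a policy's
# push_content and inventory settings against the rules documented on this page.
# Field names follow the page; SAMPLE_POLICY is constructed data (in practice
# you would load the db-config file with a YAML parser and pass the result in).

SENSOR_TYPES = {"physical", "virtual", "micro", "localhost"}
MICRO_LOCAL_PATHS = ("intel_path", "input_path", "suricata_path", "suricata_config_path")
# sensor-level push flag -> policy-level push_content key
FLAG_TO_POLICY = {"suricata": "suricata", "intel": "intel", "input": "input", "bundle": "package_bundle"}

def lint_policy(policy):
    """Return a list of (scope, finding) tuples; an empty list means no issues."""
    findings = []
    push = policy.get("push_content") or {}
    fleet = policy.get("fleet") or {}
    if fleet.get("password") and not fleet.get("encrypted_pass"):
        findings.append(("fleet", "plaintext password; encrypt it and use encrypted_pass"))
    if fleet.get("ignore_tls"):
        findings.append(("fleet", "ignore_tls true: Fleet Manager certificate is not verified"))
    for s in policy.get("sensors") or []:
        name, stype = s.get("name", "<unnamed>"), s.get("type")
        if stype not in SENSOR_TYPES:
            findings.append((name, f"unknown type {stype!r}"))
        if s.get("fleet"):
            continue  # Fleet-managed: content arrives via Fleet Manager, direct-push fields unused
        pw, enc = s.get("password"), s.get("encrypted_pass")
        if pw == "ssh-key":
            if stype != "micro":
                findings.append((name, "ssh-key auth is only documented for microsensors"))
        elif pw and not enc:
            findings.append((name, "plaintext password; encrypt it and use encrypted_pass"))
        elif not pw and not enc and stype != "localhost":  # assumption: localhost needs none
            findings.append((name, "no credentials configured"))
        if s.get("ignore_tls") and stype not in ("physical", "virtual"):
            findings.append((name, "ignore_tls only applies to physical and virtual sensors"))
        for field in MICRO_LOCAL_PATHS:
            if field in s and stype not in ("micro", "localhost"):
                findings.append((name, f"{field} only applies to microsensors and localhost"))
        if "bundle_path" in s and stype != "micro":
            findings.append((name, "bundle_path only applies to microsensors"))
        for flag, key in FLAG_TO_POLICY.items():
            if s.get(flag) and not push.get(key, False):
                findings.append((name, f"{flag} requested but push_content.{key} is false in the policy"))
    return findings

# Constructed sample: one physical sensor with a plaintext password, one microsensor using ssh keys.
SAMPLE_POLICY = {
    "push_content": {"intel": True, "input": False, "package_bundle": False, "suricata": False, "suricata_configs": False, "yara_source": False},
    "fleet": {"ip": "fleet.example.internal", "username": "admin", "password": "", "encrypted_pass": "<encrypted>", "ignore_tls": True},
    "sensors": [{"name": "sensor-a", "type": "physical", "fleet": False, "ip": "10.0.0.5", "username": "admin", "password": "hunter2", "ignore_tls": True, "suricata": True, "intel": True},
                {"name": "micro-b", "type": "micro", "fleet": False, "ip": "10.0.0.6", "username": "corelight", "password": "ssh-key", "intel": True, "bundle": True, "bundle_path": "/etc/corelight/corelight.bundle"}]}
```

Running lint_policy(SAMPLE_POLICY) reports four findings: the Fleet connection skips TLS verification, sensor-a stores a plaintext password and requests Suricata content the policy never pushes, and micro-b requests a bundle while push_content.package_bundle is false.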

Encrypted Passwords

Fleet and individual sensor passwords should be encrypted before they are stored in inventory. Using the encrypted_pass field allows you to replace the use of plain text passwords in your Corelight-update configuration file. See Administering encrypted passwords.