QuickStart - new install

The Corelight-update utility can run as a service at a scheduled interval, if enabled, to check for updates to the configured data sources and distribute updated content to the Fleet Manager policies and sensors.

System requirements

The minimum system requirements are:

  • An x86_64 or ARM64 processor.

  • 4 GB memory.

  • A host running a Linux OS.

  • Network connectivity to the Internet, or to an internal-facing threat intelligence data repository.

  • To push content to your sensors, or to Fleet Manager, network connectivity to the management interface is required.

Installation overview

Select a host to install the Corelight-update utility. If you have a Corelight Fleet Manager installation, Corelight-update can be run on the same host.

1. Set up the Corelight stable package repository

  Debian/Ubuntu:

  1. Run the script using:

    curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh | sudo bash
    

    (Optional) To download the script before running it:

    curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh
    sudo chmod +x script.deb.sh
    sudo ./script.deb.sh
    
  RPM-based distributions (yum):

  1. Run the script using:

    curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh | sudo bash
    

    (Optional) To download the script before running it:

    curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh
    sudo chmod +x script.rpm.sh
    sudo ./script.rpm.sh
    
  Manual setup on Debian/Ubuntu:

  1. Refresh the package cache:

    sudo apt-get update
    
  2. If you are running Debian, install debian-archive-keyring so that official Debian repositories are verified. Ubuntu installations can skip this step.

    sudo apt-get install debian-archive-keyring
    
  3. Ensure the required tools (curl, gpg, apt-transport-https) are installed before proceeding:

    sudo apt-get install curl gnupg apt-transport-https
    
  4. To install a deb repo, you need to install the GPG key that is used to sign the repository metadata. Use the apt-key utility:

    curl -L https://packages.corelight.com/corelight/stable/gpgkey | sudo apt-key add -
    
  5. Verify the file named /etc/apt/sources.list.d/corelight_stable.list contains the repository configuration below.

    In the example below, check that the strings ubuntu and trusty represent your Linux distribution and version:

    deb https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
    deb-src https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
    

    Valid options for os and dist parameters can be found in Packagecloud’s supported OS list.

  6. Update the local APT cache:

    sudo apt-get update
    
  Manual setup on RPM-based distributions:

  1. Install pygpgme, a package that allows yum to handle GPG signatures, and a package called yum-utils that contains the tools you need for installing source RPMs.

    sudo yum install pygpgme yum-utils
    

    You might need to install the EPEL repository for your system to install these packages. If you do not install pygpgme, GPG verification will not work.

  2. Create a file named /etc/yum.repos.d/corelight_stable.repo that contains the repository configuration below.

    Replace el and 6 in the baseurl= path with your Linux distribution and version. Valid options for the os and dist parameters can be found in the supported OS list in the docs. In this configuration, repo_gpgcheck=1 verifies the signature on the repository metadata, while gpgcheck=0 disables per-package signature verification.

    [corelight_stable]
    name=corelight_stable
    baseurl=https://packages.corelight.com/corelight/stable/el/6/$basearch
    repo_gpgcheck=1
    gpgcheck=0
    enabled=1
    gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
    sslverify=1
    sslcacert=/etc/pki/tls/certs/ca-bundle.crt
    metadata_expire=300
    
    [corelight_stable-source]
    name=corelight_stable-source
    baseurl=https://packages.corelight.com/corelight/stable/el/6/SRPMS
    repo_gpgcheck=1
    gpgcheck=0
    enabled=1
    gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
    sslverify=1
    sslcacert=/etc/pki/tls/certs/ca-bundle.crt
    metadata_expire=300
    
  3. Update the local yum cache:

    sudo yum -q makecache -y --disablerepo='*' --enablerepo='corelight_stable'
    

2. Install Corelight-update

Debian/Ubuntu:

 sudo apt install corelight-update

RPM-based distributions:

 sudo yum install corelight-update

3. Add the corelight-update group to existing users (optional)

As part of the installation, a system user and group are added to the OS to manage the Corelight-update service. All files and directories that are created for Corelight-update will belong to the user corelight-update, and the group corelight-update.

To avoid using sudo when running corelight-update commands, you can add your user to the corelight-update group. For example, use this command to append the corelight-update group to the user's assigned groups:

sudo usermod -aG corelight-update <username>

Tip

Changes made with the usermod command do not take effect in the current session. Logging out and in again will apply the changes.

4. Configure Corelight-update

The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations.

To configure Corelight-update, start with the sample file as a template and fill in the various configuration options. Once you have completed your configuration file, use it to update the policy defined in the Corelight-update configuration database.

A default policy named defaultPolicy is created automatically as part of the installation process. The default policy is functional, but also optional, and can be replaced with custom named policies.

There is a configuration sample file provided with the default policy:

/etc/corelight-update/configs/defaultPolicy/db-config.yaml

Attention

To use Corelight-update for Fleet-managed sensors, you must associate the Fleet Manager sensor policy or suricata policy name with the Corelight-update policy name. See 4.1 Change the policy name (optional) below for the options available.

4.1 Change the policy name (optional)

For Fleet-managed sensors, Corelight-update will use the Fleet Manager sensor policy name to collect a group of sensors that it should deploy “Intel” and “Input” content to. Suricata rulesets and package bundles are uploaded to Fleet Manager policies directly.

As of Fleet Manager v27.8, Fleet Manager uses separate policies for sensors and Suricata rulesets.

Corelight-update provides a couple of options to associate the Corelight-update policy with the Fleet Manager policies:

  1. Use the same name for the Corelight-update policy, the Fleet Manager sensor policy and Fleet Manager suricata policy.

  2. When adding your Fleet Manager details to the Corelight-update policy inventory, provide the Fleet Manager sensor policy name in the Corelight-update sensor_policy: field, and the Fleet Manager suricata policy name in the Corelight-update suricata_policy: field. See 4.2 Customize a policy (optional) below.

  3. Change the Corelight-update policy name to match the existing Fleet Manager sensor and suricata policy name (assuming they have the same name).

    For example, to remove the default Corelight-update policy, and create a new policy named “myFleetPolicy”:

    1. Remove the default policy:

    corelight-update remove -policies defaultPolicy
    
    2. Add a new policy named “myFleetPolicy”:

    corelight-update add -policies "myFleetPolicy"
    
    3. Verify the policy is defined:

    corelight-update show -policies
    

    Once the new policy is created, a configuration sample file is created, and placed into a folder with the policy name. For example: /etc/corelight-update/configs/myFleetPolicy/db-config.yaml.

Note

If the sensor_policy field or the suricata_policy field is left blank, the name of the Corelight-update policy is used for the empty field.

4.2 Customize a policy (optional)

Use a configuration example file to create a customized configuration for Corelight-update that defines the Fleet Manager details, sensor inventory, the Corelight-update service configuration, the content assignments, and integrations.

To view a sample policy configuration yaml that enables and pushes the default ETOpen and Corelight suricata rulesets to a single, unmanaged sensor, see Default policy sources.

  1. Add your sensors to the Corelight-update policy inventory. For information on configuring the sensor inventory, and the use of encrypted passwords, see Policy inventory settings.

  2. Configure the content you want to deploy to your sensors in the Corelight-update policy configuration. This content can include threat intel, Zeek input files and package bundles, and Suricata rulesets. See Policy sources.

  3. Configure a custom third-party integration that provides support for a vendor-specific threat source, including source-based customizations and authentication. See Third-party integrations settings.

4.3 Customize global settings (optional)

  1. Customize the default interval settings for data downloading and processing, enabling global integrations, modifying the web service, or deploying global Suricata configuration files. See General settings.

  2. Customize the default network communication between Corelight-update and Fleet Manager or sensors, including how much time to wait for a status of a file upload. See Network communication settings.

5. Add proxy configuration (optional)

See Using a proxy with Corelight-update for instructions.

6. Run Corelight-update

Run corelight-update using the CLI commands, or enable the service. See Corelight-update Service.

For additional corelight-update command options, see CLI commands.