QuickStart - upgrade

The Corelight-update utility can run as a service at scheduled intervals, if enabled, to check for updates to the configured data sources and distribute updated content to the Fleet Manager policies and sensors.

Attention

On completion of the upgrade, if you have pre-1.0 release policy files, they must be manually imported into the configuration database. See CLI commands for details on the import command.

System requirements

For the latest system requirements, see System requirements in the references.

Upgrade overview

Set up the Corelight package repository on the host OS if required. See QuickStart - new install for instructions.

Upgrade corelight-update

On apt-based systems:

sudo apt update
sudo apt install corelight-update

On yum-based systems:

sudo yum install corelight-update

Configure new Corelight-update features (optional)

When Corelight-update is upgraded, any existing database is upgraded automatically.

To identify new configuration options, use the CLI command:

corelight-update show -policy <policy name>

To replace the existing file with the new format, use:

corelight-update show -policy <policy name> -file /etc/corelight-update/config/<policy name>/db-config.yaml

Then modify the file as necessary.

Once you’ve completed filling in your configuration file, use the file to update the policy defined in the Corelight-update configuration database.

When updating policies, you can either supply an entire policy configuration or only the sections you want to update.

Warning

When updating from a full or partial configuration, every config section you provide must include all of its non-zero fields. Any missing fields will be automatically set to their zero value.
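The warning above, as an added example that is not Corelight's code: a pre-flight check that lists the non-zero fields a partial update would reset. The section and field names are constructed and are not the real db-config.yaml schema. Treating each top-level key as a config section, and applying the rule to nested mappings, are assumptions.

```python
# Added example: pre-flight check for a partial policy update.
# All section/field names are constructed; they are NOT the real schema.
# In practice both mappings would be parsed from YAML (for example with
# PyYAML's yaml.safe_load), the first from the output of
# `corelight-update show -policy <policy name> -yaml`.


def fields_reset_by_update(current, update, prefix=""):
    """Return dotted paths of non-zero fields in `current` that `update` omits.

    Only sections present in `update` are inspected; sections left out of a
    partial update are assumed to stay unchanged.
    """
    lost = []
    for key, cur_val in current.items():
        path = f"{prefix}{key}"
        if key not in update:
            if prefix == "":
                continue            # whole section not supplied: untouched
            if cur_val:             # non-zero field missing: would be zeroed
                lost.append(path)
        elif isinstance(cur_val, dict) and isinstance(update[key], dict):
            lost.extend(fields_reset_by_update(cur_val, update[key], path + "."))
    return sorted(lost)


# Constructed sample: current policy configuration.
CURRENT = {
    "section_a": {
        "enabled": True,
        "interval_hours": 6,
        "url": "https://example.invalid/feed",
        "comment": "",              # already a zero value, nothing to lose
    },
    "section_b": {"enabled": True, "targets": ["sensor-1"]},
}

# Constructed sample: partial update that supplies only section_a.
UPDATE = {"section_a": {"enabled": True, "interval_hours": 12}}

if __name__ == "__main__":
    for field in fields_reset_by_update(CURRENT, UPDATE):
        print(f"would be reset to its zero value: {field}")
```

Run a check like this before corelight-update update, and add any reported field to the file if its current value should be kept.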

Import policy files from versions prior to v1.0 (optional)

The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and any integrations.

If you have pre-1.0 release policy files, they must be manually imported into the configuration database.

You can import your pre-1.0 policies using corelight-update import with the -v0.23 flag to indicate you are importing from a version 0.23 policy. After importing a pre-v1.0 policy, use the update command to add the inventory details to the policy. For example:

corelight-update update -policy defaultPolicy -file /etc/corelight-update/configs/defaultPolicy/inventory.yaml

Once the pre-v1.0 policy is imported, review the imported configuration using the corelight-update show command. For example:

corelight-update show -policy defaultPolicy -yaml

Note

The -v0.23 flag can be used with policies from older versions of corelight-update, but you should always review the imported configuration using the show command.

Once a policy has been imported, you will switch to using the new policy configuration to update that policy. The pre-1.0 policy files cannot be used to update a policy; they can only be used as an import.

Attention

When Corelight-update is installed for the first time, it automatically creates the database, a default Global configuration, and a default policy named “defaultPolicy”.

If the corelight-update.db is deleted, a new corelight-update.db will be created the next time the service runs, with a default Global configuration. However, no default policies are created.