Upgrades¶
You can check the currently installed version with the license API:
curl -u $USER:$PASSWORD -X GET http://localhost:9200/license
Note that a password passed with `-u user:password` ends up in the shell history and is visible to other local users in the process list; for interactive use, give only `-u $USER` and let curl prompt for the password.
Upgrade from version 7.0.1¶
General note¶
- Update the `kibana` role to include the index-pattern `.kibana*`.
- Update the `alert` role to include the index-patterns `.alertrules*` and `alert_status*`.
- Install Python 3 (the `python36` package), which is required by the Alerting engine on the client-node:
yum install python3
- AD users should move their saved objects from the `adrole`.
- Indicators of compromise (IOC auto-update) require access to the software provider's servers.
- GeoIP databases (auto-update) require access to the software provider's servers.
Upgrade steps¶
- Stop services:
systemctl stop elasticsearch alert kibana
- Upgrade the client-node (includes the alert engine):
yum update ./itrs-log-analytics-client-node-7.0.2-1.el7.x86_64.rpm
- Log in to the ITRS Log Analytics GUI, go to the `Alert List` on the `Alerts` tab and click the `SAVE` button.
- Start the `alert` and `kibana` services:
systemctl start alert kibana
- Upgrade the data-node:
yum update ./itrs-log-analytics-data-node-7.0.2-1.el7.x86_64.rpm
- Start services:
systemctl start elasticsearch
Extra note
If the Elasticsearch service was running on the client-node, both packages (client.rpm and data.rpm) have to be updated on the client node.
After the update, edit:
/etc/elasticsearch/elasticsearch.yml
and set:
node.data: false
Additionally, check the file:
elasticsearch.yml.rpmnew
The package manager writes the new package's configuration there instead of overwriting your edited file, so any settings it introduces are not active until you copy them into elasticsearch.yml.
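The .rpmnew check and the node.data change described above, as an added shell example that is not part of the ITRS Log Analytics documentation: it lists the settings that elasticsearch.yml.rpmnew introduces but the live elasticsearch.yml lacks, and sets node.data: false idempotently. File paths are parameters, the two sample files are constructed for the demonstration, and the key extraction assumes flat `key: value` lines, which is how elasticsearch.yml is normally written.

```shell
#!/bin/sh
# Added example, not part of the ITRS Log Analytics docs: reconcile the
# packaged elasticsearch.yml.rpmnew with the live elasticsearch.yml after
# an RPM update and force node.data: false on a client-node.
set -u

# Print the setting names (text before the first ':') of every uncommented
# top-level "key: value" line in a YAML file, sorted and de-duplicated.
# Assumption: the file uses flat dotted keys, as elasticsearch.yml does.
yaml_keys() {
    grep -E '^[[:space:]]*[A-Za-z0-9_.]+[[:space:]]*:' "$1" \
        | sed -E 's/^[[:space:]]*([A-Za-z0-9_.]+)[[:space:]]*:.*/\1/' \
        | LC_ALL=C sort -u
}

# Settings present in the .rpmnew file ($2) but absent from the live file ($1).
# These are the "additional lines" that still have to be merged by hand.
missing_keys() {
    old_keys=$(mktemp); new_keys=$(mktemp)
    yaml_keys "$1" > "$old_keys"
    yaml_keys "$2" > "$new_keys"
    LC_ALL=C comm -13 "$old_keys" "$new_keys"
    rm -f "$old_keys" "$new_keys"
}

# Set node.data: false in the given elasticsearch.yml. Idempotent: an
# existing node.data line is replaced, otherwise one is appended. The file
# is rewritten in place so its ownership and mode survive.
set_node_data_false() {
    f="$1"; tmp=$(mktemp)
    if grep -qE '^[[:space:]]*node\.data[[:space:]]*:' "$f"; then
        sed -E 's/^[[:space:]]*node\.data[[:space:]]*:.*/node.data: false/' "$f" > "$tmp"
    else
        { cat "$f"; printf 'node.data: false\n'; } > "$tmp"
    fi
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Current value of node.data in a file (last matching line).
node_data_value() {
    grep -E '^[[:space:]]*node\.data[[:space:]]*:' "$1" \
        | sed -E 's/.*:[[:space:]]*//' | tail -n 1
}

# Demonstration on constructed files (not real configs).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/elasticsearch.yml" <<'EOF'
# constructed sample: live config of a client-node
cluster.name: itrs-log-analytics
node.name: client-1
node.data: true
network.host: 0.0.0.0
EOF
    cat > "$dir/elasticsearch.yml.rpmnew" <<'EOF'
# constructed sample: config shipped by the new package
cluster.name: itrs-log-analytics
node.name: client-1
node.data: true
network.host: 0.0.0.0
discovery.seed_hosts: ["data-1"]
path.repo: /var/backups/elasticsearch
EOF
    echo "settings in elasticsearch.yml.rpmnew missing from elasticsearch.yml:"
    missing_keys "$dir/elasticsearch.yml" "$dir/elasticsearch.yml.rpmnew"
    set_node_data_false "$dir/elasticsearch.yml"
    echo "node.data is now: $(node_data_value "$dir/elasticsearch.yml")"
    rm -rf "$dir"
}

demo
```

Run it as root on the client-node with the real paths (`missing_keys /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.rpmnew`) before starting Elasticsearch; it only reports key names, so review each reported setting in the .rpmnew file rather than copying blindly.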
Changing OpenJDK version¶
Logstash¶
OpenJDK 11 is supported by Logstash from version 6.8, so if you run an older version of Logstash you must update it first.
To update Logstash, follow the steps below:
- Back up the following files:
  - /etc/logstash/logstash.yml
  - /etc/logstash/pipelines.yml
  - /etc/logstash/conf.d
- List the installed Logstash plugins and note the result, so that custom plugins can be restored after the upgrade:
/usr/share/logstash/bin/logstash-plugin list --verbose
- Install the newer version of Logstash according to the instructions:
https://www.elastic.co/guide/en/logstash/6.8/upgrading-logstash.html
or
https://www.elastic.co/guide/en/logstash/current/upgrading-logstash.html
- Verify the installed plugins against the list noted earlier:
/usr/share/logstash/bin/logstash-plugin list --verbose
- Install any missing plugins:
/usr/share/logstash/bin/logstash-plugin install plugin_name
- Start Logstash:
systemctl start logstash
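The backup and plugin inventory steps above (list before the upgrade, compare after), as an added shell example that is not from the ITRS or Logstash documentation. It assumes the `name (version)` line format that `logstash-plugin list --verbose` prints, the RPM install path /usr/share/logstash/bin/logstash-plugin (override with LS_PLUGIN), and a backup root directory passed as a parameter; the two plugin listings in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the ITRS or Logstash docs: snapshot the Logstash
# configuration and plugin inventory before an upgrade, then report plugins
# that disappeared or changed version afterwards.
set -u

# Path assumed for RPM installs; override with LS_PLUGIN=... if different.
LS_PLUGIN="${LS_PLUGIN:-/usr/share/logstash/bin/logstash-plugin}"

# Normalise `logstash-plugin list --verbose` output, assumed to look like
# "logstash-filter-grok (4.4.0)", into sorted "name version" lines on stdout.
normalize_plugin_list() {
    sed -nE 's/^([A-Za-z0-9_-]+)[[:space:]]+\(([^)]+)\).*/\1 \2/p' | LC_ALL=C sort
}

# Copy the config files named in the upgrade steps and the plugin inventory
# into a timestamped directory under $1; prints the directory created.
backup_logstash() {
    dest="$1/logstash-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    for p in /etc/logstash/logstash.yml /etc/logstash/pipelines.yml /etc/logstash/conf.d; do
        if [ -e "$p" ]; then cp -a "$p" "$dest/"; fi
    done
    "$LS_PLUGIN" list --verbose | normalize_plugin_list > "$dest/plugins.txt"
    echo "$dest"
}

# Plugins listed in the "before" inventory ($1) that are gone from "after" ($2);
# each one is a candidate for `logstash-plugin install <name>`.
missing_plugins() {
    LC_ALL=C join -v 1 "$1" "$2" | awk '{ print $1 }'
}

# Plugins present in both inventories whose version changed.
changed_plugins() {
    LC_ALL=C join "$1" "$2" | awk '$2 != $3 { print $1, $2, "->", $3 }'
}

# Demonstration on constructed listings (no Logstash needed).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'logstash-filter-grok (4.4.0)' 'logstash-input-beats (6.0.0)' \
        'logstash-filter-custom (1.0.0)' | normalize_plugin_list > "$dir/before.txt"
    printf '%s\n' 'logstash-filter-grok (4.4.3)' 'logstash-input-beats (6.0.0)' \
        | normalize_plugin_list > "$dir/after.txt"
    echo "missing after upgrade:"; missing_plugins "$dir/before.txt" "$dir/after.txt"
    echo "version changes:";      changed_plugins "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

demo
```

In practice: run `backup_logstash /var/backups` before the upgrade, run the `list --verbose` command through `normalize_plugin_list` again afterwards, and feed the two files to `missing_plugins` and `changed_plugins`; a plugin that is missing is usually a locally built or manually installed one that the package upgrade did not carry over.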
Elasticsearch¶
ITRS Log Analytics can use OpenJDK version 10 or later. To run Elasticsearch on OpenJDK 10 or later, configure the service as follows:
- After installing OpenJDK, select the version that Elasticsearch will use:
alternatives --config java
If `JAVA_HOME` is set in the Elasticsearch service environment (for example in /etc/sysconfig/elasticsearch), it takes precedence over the `alternatives` selection and must point at the same JDK.
- Open the /etc/elasticsearch/jvm.options file in a text editor:
vi /etc/elasticsearch/jvm.options
- Disable the OpenJDK version 8 section (the `8:` prefix marks options that apply to JDK 8 only):
## JDK 8 GC logging
#8:-XX:+PrintGCDetails
#8:-XX:+PrintGCDateStamps
#8:-XX:+PrintTenuringDistribution
#8:-XX:+PrintGCApplicationStoppedTime
#8:-Xloggc:/var/log/elasticsearch/gc.log
#8:-XX:+UseGCLogFileRotation
#8:-XX:NumberOfGCLogFiles=32
#8:-XX:GCLogFileSize=64m
- Enable the G1GC section for OpenJDK 10 and later (the `10-:` prefix marks options that apply to JDK 10 and newer):
## G1GC Configuration
# NOTE: G1GC is only supported on JDK version 10 or later.
# To use G1GC uncomment the lines below.
10-:-XX:-UseConcMarkSweepGC
10-:-XX:-UseCMSInitiatingOccupancyOnly
10-:-XX:+UseG1GC
10-:-XX:InitiatingHeapOccupancyPercent=75
- Restart the Elasticsearch service:
systemctl restart elasticsearch
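The `8:` and `10-:` prefixes in the two jvm.options sections above are version conditions that the Elasticsearch launcher evaluates against the running JDK (`N:` applies to JDK N only, `N-:` to N and later, `N-M:` to N through M). As an added shell example that is not part of the ITRS documentation or of Elasticsearch, the script below evaluates those conditions for a given JDK major version, so you can see which GC flags will actually be passed before restarting, and reads the major version from a `java` binary. The jvm.options excerpt it runs on is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not part of the ITRS docs or of Elasticsearch: show which
# lines of a jvm.options file apply to a given JDK major version, using the
# version-prefix rules of the file format (N:, N-:, N-M:). Intended as a
# pre-restart check after switching JDK with `alternatives --config java`.
set -u

# Print the JVM options from file $1 that apply to JDK major version $2.
# Blank lines and comments are skipped; unprefixed options always apply.
effective_jvm_options() {
    awk -v jdk="$2" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (match(line, /^[0-9]+(-[0-9]*)?:/)) {
                spec = substr(line, 1, RLENGTH - 1)   # e.g. "8", "10-", "8-13"
                opt  = substr(line, RLENGTH + 1)
                if (index(spec, "-") == 0) {
                    lo = spec + 0; hi = lo
                } else {
                    split(spec, r, "-")
                    lo = r[1] + 0
                    hi = (r[2] == "") ? 1e9 : r[2] + 0
                }
                if (jdk + 0 < lo || jdk + 0 > hi) next
                print opt
            } else {
                print line
            }
        }' "$1"
}

# Major version reported by the java binary given as $1 (default: java on PATH):
# "1.8.0_292" -> 8, "11.0.2" -> 11, "17" -> 17.
java_major_version() {
    "${1:-java}" -version 2>&1 \
        | awk -F'"' '/version/ { v = $2; sub(/^1\./, "", v); sub(/[^0-9].*/, "", v); print v; exit }'
}

# Demonstration on a constructed excerpt assembled from the two sections
# quoted in the text (not a complete jvm.options).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-Xms1g
-Xmx1g
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-Xloggc:/var/log/elasticsearch/gc.log
## G1GC Configuration
10-:-XX:-UseConcMarkSweepGC
10-:-XX:+UseG1GC
10-:-XX:InitiatingHeapOccupancyPercent=75
EOF
    for v in 8 11; do
        echo "options applied on JDK $v:"
        effective_jvm_options "$f" "$v" | sed 's/^/  /'
    done
    if command -v java >/dev/null 2>&1; then
        echo "java on PATH is major version $(java_major_version)"
    fi
    rm -f "$f"
}

demo
```

To check the real file, run `effective_jvm_options /etc/elasticsearch/jvm.options "$(java_major_version)"`; on a JDK 11 host the `8:` GC-logging lines drop out and the `10-:` G1GC lines appear, which is exactly the outcome the manual edits above are meant to produce.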