SIEM Foundations: Updating SIEM Software

Version 4

    Contents

     

    Preparing for a SIEM Software Update

     

    Once all subordinate SIEM devices have been keyed to the ESM, consider the requirement to perform any updates to the platform codebase.  Refer to the Product Download pages on the McAfee website to determine the latest code version available for the SIEM.

     

    NOTE: Important information relating to the SIEM update process can always be found in the version release notes.  Make certain to carefully read the published documentation prior to initiating the update process.

     

    Code updates are made available as a single compressed TAR file (.tgz, sometimes called a tarball), along with a corresponding hash file that can be used to confirm the validity and consistency of the file downloaded and each discreet platform in the McAfee SIEM suite has a unique code update path.  Since ALL appliances connecting to the SIEM solution must be running the same version of code, it is important to obtain any/all .tgz files necessary to perform an update to each of the appliances used in your environment.

     

    NOTE: Update files MUST have a .tgz extension to install properly.  Some browsers have a nasty habit of re-writing the .tgz extension to .gz.  If this happens, simply rename the file to have a .tgz extension before uploading the file to your ESM.

     

    The following table describes the SIEM appliance and corresponding upgrade file requirements.

     

    Platform

    Update Filename

    Recommended Order

    ESM

    ESS_Update_X.x.x.signed.tgz

    1

    ESM/REC/ELM

    ESSREC_Update_X.x.x.signed.tgz

    1

    REC

    RECEIVER_Update_X.x.x.signed.tgz

    2

    ELM

    RECEIVER_Update_X.x.x.signed.tgz

    2

    ACE

    RECEIVER_Update_X.x.x.signed.tgz

    2

    ADM

    APM_Update_X.x.x.signed.tgz

    3

    DEM

    DBM_Update_X.x.x.signed.tgz

    3

     

    The McAfee ESM maintains a file repository into which all code update .tgz files can be uploaded.  Once uploaded, each .tgz update can be applied to the appropriate device from within the SIEM user interface either individually or, in the case of multiple devices of the same type, en masse.

     

    The order in which SIEM appliances are updated must be determined by reviewing the release notes published with each update.  In most circumstances, when multiple appliances in a SIEM hierarchy are to be updated, it will be necessary to start with the ESM (or ESM/REC/ELM).  Once complete, any Event Receiver appliances should be updated to the new version including any ELM or ACE appliances since they share the same Receiver codebase. Lastly, any additional subordinate appliances such as ADM or DEM should be updated.

     

    During most major (and some minor) updates, it will be necessary for the master ESM database to be rebuilt as part of the automated code update process.  Depending upon the amount of data residing in the ESM database, this process can take anywhere from 30 minutes to several hours.  In POC environments where the event volume will likely be minimal, the database rebuild process should complete in under an hour.

     

    The following steps must be completed to perform a code update on one or more SIEM appliance.

    1. Determine which update files will be required and download from the McAfee product download site.
      pic1.png
      Example: This SIEM environment consists of a standalone ESM and a standalone REC.  Both the ESS_Update and the RECEIVER_Update update files would be required.
    2. Click the System Properties button in the upper right of the interface.pic1.5.png
    3. Click File Maintenance.
    4. From the File Type dropdown menu, select Software Update Files.
    5. Click the Upload button.  The File Upload window will open.
      pic2.PNG
    6. Browse to the location of the .tgz update file. Select a single file and click Upload.
    7. Repeat for each update file until all required .tgz images have been uploaded to the repository.
      pic3.png

     

     

    Performing a SIEM Software Update – ESM

     

    1. Click on ESM Management.
    2. Click the Update ESM button.
    3. Select the ESS_Update_X.x.x signed update file.
      NOTE: If the POC is being performed on an ESM/REC/ELM ‘combo,’ select the ESSREC_Update_X.x.x signed .tgz file.
      update-esm.png
    4. Click OK.
    5. A dialog box will open warning that the ESM will reboot during the update process and all active connections will be dropped. Click Yes to proceed.
      pic5.png
    6. A dialog box will open indicating that the update process has been initiated and instructing you to close the browser window.
      pic6.png
    7. Click OK.
    8. Close the browser window.
    9. The ESM will reboot multiple times to perform the update process.  Once the update is complete, open a web browser on your client computer.
    10. Connect to the IP address of the ESM.
    11. Click the Login link on the page that opens.
    12. You will likely be prompted with a dialog box indicating that you must clear your browser cache.  Press CTRL-SHIFT-DEL and clear the most recent browser cache.
      pic7.png
    13. Click the Login link once again.  The McAfee ESM application will load and prompt you for a username and password.
      pic8.png
    14. If the ESM is still performing any portion of the code update, you may be presented with an error indicating that the system is ‘not ready.’  Simply wait another minute and attempt once again to log into the SIEM.
    15. Once the server is ready and your credentials are accepted, you will likely see a dialog box indicating that you have recently performed an upgrade and instructing you to read the necessary release notes to determine if additional actions are required.
      pic9.png
    16. Continue with the update process on each of the remaining SIEM appliances, starting with any Event Receiver devices (REC, ACE, ELM), then continuing with any remaining device (ADM, DEM).
      NOTE:  If the POC is being performed on an ESM/REC/ELM ‘combo’ you can proceed to Step 12 as the ESSREC_Update file provides both the ESM as well as REC feature update.

     

     

    Performing a SIEM Software Update – REC, ELM, ACE, ADM, DEM

     

    The following steps must be performed to update any subordinate SIEM appliances.

    1. From the System Tree, select the appliance to be updated.
      pic10.PNG
      NOTE:  A yellow flag icon shown beside an appliance is an indication that the device is ‘out of sync’ until it has been updated.
    2. Click the Device Properties button from the Actions Toolbar.  The device properties window will open.
    3. Click Receiver Management.
    4. Click the Update Device button.  The Select Software Update File window will open.
    5. Select the appropriate update file.
    6. Click OK.
      pic11.PNG
    7. A dialog box will open indicating that the device will reboot when the update process begins.
      pic12.png
    8. Click YES.
    9. The device will restart.  A dialog box will open, counting down from 3 minutes while the device update is applied.
      pic13.png
      NOTE:  If the device has not completely updated after 3 minutes, the counter will restart.  You must wait until the device has fully updated and communication has been restored to continue.
    10. A dialog box will indicate the successful restart of the device once connectivity has been restored.
      pic14.png
    11. Click OK.
    12. After the successful update of an Event Receiver appliance, it is necessary to perform additional configuration updates.
    13. Click on Data Sources.
    14. Click the Write button.
      pic15.PNG
    15. After successfully writing the Data Source configuration, a dialog box will open indicating the Command Executed Completely.
    16. Click the Close button.
    17. Click OK.

     

    Repeat these steps to apply all necessary update files to remaining subordinate devices.

     

     

    « previousoutline »