SIEM Foundations: Updating SIEM Software

Preparing for a SIEM Software Update

Once all subordinate SIEM devices have been keyed to the ESM, consider the requirement to perform any updates to the platform codebase.  Refer to the Product Download pages on the McAfee website to determine the latest code version available for the SIEM.

NOTE: Important information relating to the SIEM update process can always be found in the version release notes.  Make certain to carefully read the published documentation prior to initiating the update process.

Code updates are made available as a single compressed TAR file (.tgz, sometimes called a tarball), along with a corresponding hash file that can be used to confirm the integrity of the downloaded file, and each discrete platform in the McAfee SIEM suite has a unique code update path.  Since ALL appliances connecting to the SIEM solution must be running the same version of code, it is important to obtain every .tgz file necessary to perform an update on each of the appliances used in your environment.

NOTE: Update files MUST have a .tgz extension to install properly.  Some browsers have a nasty habit of rewriting the .tgz extension to .gz.  If this happens, simply rename the file to have a .tgz extension before uploading the file to your ESM.
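As an added example (not part of the original article or of any McAfee tooling), the following POSIX shell function checks a downloaded update file against its hash file before it is uploaded to the ESM repository and repairs the .gz extension a browser may have written. It assumes the hash file's first word is the SHA-256 digest of the update (the article does not say which algorithm the hash file uses) and that filenames follow the naming scheme in the table.

```shell
#!/bin/sh
# Added example, not from the original article or McAfee.
# Check a downloaded SIEM update against its hash file and make sure it
# carries the .tgz extension the ESM requires before uploading it.
# Assumption: the hash file's first word is the SHA-256 digest of the .tgz.

# verify_update FILE HASHFILE
#   prints the path that should be uploaded; returns 0 on success,
#   1 for a missing file, 2 for a hash mismatch, 3 for a bad extension.
verify_update() {
    file=$1
    hashfile=$2
    [ -f "$file" ] || { echo "missing update file: $file" >&2; return 1; }
    [ -f "$hashfile" ] || { echo "missing hash file: $hashfile" >&2; return 1; }

    # Compare digests case-insensitively; published digests use either case.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$hashfile")
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "hash mismatch for $file: expected $expected, got $actual" >&2
        return 2
    fi

    # The ESM only installs *.tgz; browsers sometimes save the download as
    # *.gz. The bytes are the same, so rename instead of downloading again.
    case $file in
        *.tgz) target=$file ;;
        *.gz)  target=${file%.gz}.tgz; mv -- "$file" "$target" ;;
        *)     echo "unexpected extension on $file" >&2; return 3 ;;
    esac

    # Warn if the name does not match one of the platform update files
    # listed in the table (ESS, ESSREC, RECEIVER, APM, DBM).
    case $(basename "$target") in
        ESS_Update_*|ESSREC_Update_*|RECEIVER_Update_*|APM_Update_*|DBM_Update_*) ;;
        *) echo "warning: $target is not a known SIEM update filename" >&2 ;;
    esac

    printf '%s\n' "$target"
}

# Hypothetical usage (script name and hash file name are assumptions):
#   ./verify_update.sh ESSREC_Update_9.5.1.signed.gz ESSREC_Update_9.5.1.signed.tgz.sha256
if [ $# -eq 2 ]; then
    verify_update "$1" "$2"
fi
```

The printed path is the file to upload in File Maintenance; a non-zero return means the download should be discarded and fetched again rather than uploaded.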

The following table describes the SIEM appliance and corresponding upgrade file requirements.

Platform     | Update Filename                    | Recommended Order
-------------|------------------------------------|------------------
ESM          | ESS_Update_X.x.x.signed.tgz        | 1
ESM/REC/ELM  | ESSREC_Update_X.x.x.signed.tgz     | 1
REC          | RECEIVER_Update_X.x.x.signed.tgz   | 2
ELM          | RECEIVER_Update_X.x.x.signed.tgz   | 2
ACE          | RECEIVER_Update_X.x.x.signed.tgz   | 2
ADM          | APM_Update_X.x.x.signed.tgz        | 3
DEM          | DBM_Update_X.x.x.signed.tgz        | 3

The McAfee ESM maintains a file repository into which all code update .tgz files can be uploaded.  Once uploaded, each .tgz update can be applied to the appropriate device from within the SIEM user interface either individually or, in the case of multiple devices of the same type, en masse.

The order in which SIEM appliances are updated must be determined by reviewing the release notes published with each update.  In most circumstances, when multiple appliances in a SIEM hierarchy are to be updated, it will be necessary to start with the ESM (or ESM/REC/ELM).  Once complete, any Event Receiver appliances should be updated to the new version including any ELM or ACE appliances since they share the same Receiver codebase. Lastly, any additional subordinate appliances such as ADM or DEM should be updated.

During most major (and some minor) updates, it will be necessary for the master ESM database to be rebuilt as part of the automated code update process.  Depending upon the amount of data residing in the ESM database, this process can take anywhere from 30 minutes to several hours.  In POC environments where the event volume will likely be minimal, the database rebuild process should complete in under an hour.

The following steps must be completed to perform a code update on one or more SIEM appliances.

  1. Determine which update files will be required and download them from the McAfee product download site.
    Example: This SIEM environment consists of a standalone ESM and a standalone REC.  Both the ESS_Update and the RECEIVER_Update files would be required.
  2. Click the System Properties button in the upper right of the interface.
  3. Click File Maintenance.
  4. From the File Type dropdown menu, select Software Update Files.
  5. Click the Upload button.  The File Upload window will open.
  6. Browse to the location of the .tgz update file. Select a single file and click Upload.
  7. Repeat for each update file until all required .tgz images have been uploaded to the repository.

Performing a SIEM Software Update – ESM

  1. Click on ESM Management.
  2. Click the Update ESM button.
  3. Select the ESS_Update_X.x.x signed update file.
    NOTE: If the POC is being performed on an ESM/REC/ELM ‘combo,’ select the ESSREC_Update_X.x.x signed .tgz file.
  4. Click OK.
  5. A dialog box will open warning that the ESM will reboot during the update process and all active connections will be dropped. Click Yes to proceed.
  6. A dialog box will open indicating that the update process has been initiated and instructing you to close the browser window.
  7. Click OK.
  8. Close the browser window.
  9. The ESM will reboot multiple times to perform the update process.  Once the update is complete, open a web browser on your client computer.
  10. Connect to the IP address of the ESM.
  11. Click the Login link on the page that opens.
  12. You will likely be prompted with a dialog box indicating that you must clear your browser cache.  Press CTRL-SHIFT-DEL and clear the most recent browser cache.
  13. Click the Login link once again.  The McAfee ESM application will load and prompt you for a username and password.
  14. If the ESM is still performing any portion of the code update, you may be presented with an error indicating that the system is ‘not ready.’  Simply wait another minute and attempt once again to log into the SIEM.
  15. Once the server is ready and your credentials are accepted, you will likely see a dialog box indicating that you have recently performed an upgrade and instructing you to read the necessary release notes to determine if additional actions are required.
  16. Continue with the update process on each of the remaining SIEM appliances, starting with any Event Receiver devices (REC, ACE, ELM), then continuing with any remaining device (ADM, DEM).
    NOTE:  If the POC is being performed on an ESM/REC/ELM ‘combo’ you can proceed to Step 12 as the ESSREC_Update file provides both the ESM as well as REC feature update.

Performing a SIEM Software Update – REC, ELM, ACE, ADM, DEM

The following steps must be performed to update any subordinate SIEM appliances.

  1. From the System Tree, select the appliance to be updated.
    NOTE:  A yellow flag icon shown beside an appliance is an indication that the device is ‘out of sync’ until it has been updated.
  2. Click the Device Properties button from the Actions Toolbar.  The device properties window will open.
  3. Click Receiver Management.
  4. Click the Update Device button.  The Select Software Update File window will open.
  5. Select the appropriate update file.
  6. Click OK.
  7. A dialog box will open indicating that the device will reboot when the update process begins.
  8. Click YES.
  9. The device will restart.  A dialog box will open, counting down from 3 minutes while the device update is applied.
    NOTE:  If the device has not completely updated after 3 minutes, the counter will restart.  You must wait until the device has fully updated and communication has been restored to continue.
  10. A dialog box will indicate the successful restart of the device once connectivity has been restored.
  11. Click OK.
  12. After the successful update of an Event Receiver appliance, it is necessary to perform additional configuration updates.
  13. Click on Data Sources.
  14. Click the Write button.
  15. After successfully writing the Data Source configuration, a dialog box will open indicating the Command Executed Completely.
  16. Click the Close button.
  17. Click OK.

Repeat these steps to apply all necessary update files to remaining subordinate devices.


Comments
vagner.silva

Easy update.

vbueno

Hi, I'm getting this message: "the version could not be determined for the selected update file" and after reboot it remains in 9.4.0

I'm trying to upgrade from 9.4.0 to 9.5.0

sha256sum is ok

all of the ESMUpgradeChecklist-RevB.pdf checks done and ok

Thanks in advance

vbueno

downloaded 9.5.1 and the same message about the version or the update path remains

will download tonight the ESM 9.5.1 and will try tomorrow

mariajohn14

We faced the same issue and we followed the knowledge base article below to fix it.

Run the following command to check the version from the command line:

dmidecode | less

Please refer to

https://kc.mcafee.com/corporate/index?page=content&id=KB77140&actp=LIST

vbueno

Thank you Maria, but in our case

System Information

        Manufacturer: McAfee, Inc.

        Product Name: ENM6000

        Version: ENMELM-6000

---------------------------------------------------

it's a little bit confusing: we know EnterpriseLogManager but haven't found what ENM stands for

we have tried

McAfee Enterprise Security Manager 9.51 and then McAfee Event Receiver 9.51

today we shall try

d- McAfee Enterprise Security Manager, Event Receiver & Log Manager 9.51

we'll share results :-)

pepelepuu

vbueno,

Before running the update, open an ssh session and watch messages:

1. Open Putty

2. ssh root@ipaddressofdevice

3. Type: tailf /var/log/messages. Look for obvious errors.

Side note:

I've had this a couple of times and fixed it differently each time. If you can, inbox me your message log.

I just upgraded to 9.51 and on one of my VM receivers I actually had to change the extension of my update file. The error log will usually tell you everything. The caveat is, it's hard to decipher at times.

pepelepuu

I will update a combo box from 9.5mr7 to 9.51 and see what I come up with.

pepelepuu

I have been able to successfully recreate your issue.

Solution:

1. Download update

2. Change extension from *.gz to *.tgz

3. Reboot device

4. Update, then verify.

Let me know if you run into any problems.

mariajohn14

Physically shut down, then wait for 5 mins. Then run the command dmidecode | less. If you find the correct Product Name & Version in both (cmd & GUI) then start the upgrade.

vbueno

Hi friends,

today to upgrade our ENMELM-6000

McAfee Enterprise Security Manager, Event Receiver & Log Manager to 9.51 we downloaded ESSREC_Update_9.5.1.signed.gz

and uploaded to our appliance

physical Display >> Properties >> File Maintenance >> combo box software update files >> upload

and navigated to find the folder where we downloaded

below it is on the appliance now

then Physical Display >> Properties >> ESM Management >> update ESM and selected it

and received a warning about the required reboot

the ssh connection is closed

we were impatient but have to wait

we were welcomed with this message and fortunately have downloaded the 9.5.1 release notes

and it was upgraded to 9.5.1

everybody was happy until this message

and tomorrow will try to add local storage device

McAfee-ENMELM-6000 ~ # df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sdb3             1.9T   13G  1.8T   1% /
/dev/sdb1             976M   67M  859M   8% /boot
/dev/sdc1              13T  115M   13T   1% /data_hd
shm                    48G     0   48G   0% /dev/shm
/dev/sda              445G  448M  445G   1% /index_hd

--------------------

McAfee-ENMELM-6000 ~ # checkraid
Ok

/etc/iscsi/initiatorname.iscsi = InitiatorName=iqn.2005-03.org.open-iscsi:1fb482e89b4
InitiatorName=iqn.2005-03.org.open-iscsi:1fb482e89b4

-------------------------------

McAfee-ENMELM-6000 ~ # lsscsi -t
[0:0:0:0]    disk    sata:                           /dev/sda
[6:2:0:0]    disk                                    /dev/sdb
[6:2:1:0]    disk                                    /dev/sdc

--------------

Kind regards, mariajohn14 and pepelepuu

Version history: Revision 1 of 1. Last update: ‎08-10-2014 09:17 PM.