I just upgraded from 9.4.2 MR6 to 9.5.0 MR1 last night. It took ~3 hours for an ESM, an ACE, 4 Receivers, and 3 ELMs. The upgrade went smoothly, and so far, I haven't encountered any issues. The upgrade DID address our issue with Alarms not firing.
For those who upgraded:
I understand the FTI is "gone", with the functionality being embedded in the ELM itself, without the need for an additional storage allocation.
However, I had a chat with McAfee today, and one of their guys mentioned some serious changes to the way the ELM backend stores files, including a rumour that the files are no longer the terrible binary blobs that could never be read from outside the ELM.
Can someone using the ELM with NFS storage confirm whether the files (especially syslog data sources) can now be read from outside the ELM interface itself?
Sorry rhino ... still in the same format. I don't see how they are going to make them readable without the underlying tools from McAfee, as you would not want just anyone accessing the data if they get hold of it.
I know they use OpenSSL in some fashion to encrypt the data, so I'm sure you'd need to know where the key is to decrypt it. We have a weekly meeting, and I remember them saying there is a way to get to the data underneath, but I'm sure you'd have to escalate with fury to get that process. I will also ask about what you mention this week and see what they say.
BTW -- we've upgraded all but one of our environments to 9.5.0 MR1. Yesterday's upgrade was a pair of redundant ESMs, a pair of redundant ELMs, 3 HA receiver pairs, and two ACEs, one being a spare for standby. The only hitch was needing to crash-cart the ESMs and the ELM due to the flaky 3ware (that is my guess): it fails the fsck check, but a power cycle brings them back up without issue.
Oh... yeah, FTI has been replaced with the "bloom" indexer (new and improved, written from scratch), which is checked on by default now. I have not had time to exercise searches yet, but I hope that it helps. The initial indexing was consuming quite a bit of CPU on one machine, which was a combo box that was getting spammed by the LDAP server.
Dear all, thank you for contributing to this post.
We recently upgraded to 9.5.0 20150305. We have 1 ESM / 1 ACE / 1 ELM / 1 ERC, and so far everything went fine on nearly all boxes.
Does anyone have an explanation for, or has anyone encountered, such errors/notifications on the ELM:
McAfee elm: get_logfile - Exception = "Did not find log" - DSID = '5' or LogID = '<LOGID>'
McAfee elmftiinsd: Failed to get logfile for <ID of ...>-<LOGID>, marking as ignored for bloom purposes
From what I can see, the .elm files are still unreadable blob files so far.
Just finished the upgrade to 9.5.0 on a combo box yesterday with no issue; I did the following:
1. Check processor type (cat /proc/cpuinfo)
2. Check ngcp.dfl database with DBCheck
3. Back up ELM config and ESM settings
4. Perform full backup (2 days)
5. Upgrade from 9.4.2 to 9.5.0 (2 hours)
6. Update rules manually
7. ESM successfully upgraded to 9.5.0 Build 20150305183150, Database: OK, Policy: OK