This guide assumes you are upgrading an existing installation of Graylog Illuminate version 2.0.0 or later; if you are performing a fresh installation of Illuminate, refer to the Installing Graylog Illuminate guide. It also does not cover upgrading Illuminate from versions 1.x to 2.0.0. Please refer to Upgrading to Illuminate 2.0.x before starting this guide.
Prerequisites
-
A Graylog server running at least version 5.0.0.
-
A valid Operations or Security license.
-
Administrator access to the Graylog server.
-
The Graylog server backend must be able to communicate with
https://contenthub.graylog.cloudon port 443 in order to use in-app Illuminate download functionality. -
Illuminate 2.0.0 or greater installed and activated.
Upgrade Illuminate
There are currently two methods of upgrading Graylog Illuminate. The following section will describe upgrading directly via the Graylog interface, which is the preferred method as of Graylog 5.1; however, if your Graylog server cannot access the public internet, then you will need to complete a manual upgrade using a release file obtained from your sales representative.
Upgrading Illuminate In Graylog
1. When a new Illuminate version is available, you will receive a notification in your Graylog interface.
2. Navigate to the Illuminate page by selecting Enterprise > Illuminate.
3. You will see a notification at the top right of the screen indicating that a new Illuminate bundle is ready to install. You may select Install from this menu, or you can navigate to the Install Another Bundle link located beneath the Illuminate Bundle Version drop-down menu. (If you do not wish to upgrade at this time, you may select Skip Version. This will also remove the notification from your top menu.)
4. On this menu select the Illuminate version you wish to install and click the Download & Install button. (You may also wish to preview the available versions by selecting them from the side navigation and reviewing the attached changelogs.)
5. Confirm your installation by selecting Confirm on the pop-up menu to begin the installation process.
6. Once complete you will receive a notification that Illuminate has been successfully installed.
Activating Illuminate Packs
As of Graylog 5.1 all Illuminate packs will be delivered within the initial installation bundle and will be updated upon upgrading your core Illuminate version as described above. To select additional Illuminate packs for activation after upgrading Illuminate:
1. Navigate to Enterprise > Illuminate.
2. Browse through the list of packs provided by Illuminate using the controls near the bottom of the page, selecting any packs you wish to activate.
3. When you have selected all of your chosen packs, click Enable Selected on the upper right of the Illuminate packs list window.
Core Extension Packs Updates Notice
About the Anomaly Detection Add-on Pack
Upon upgrading please note that active anomaly detectors from an older version of the Anomaly Detection Add-on Pack will need to be reenabled once the new version of the pack has been enabled.
About the Geolocation and Autonomous System (AS) Packs
Two technology packs support geolocation and ASN enrichment: one supporting MaxMind city and AS databases and another supporting IPinfo city and AS databases.
Illuminate Geolocation and AS Deprecation Notice
The Graylog Illuminate Geolocation and AS enrichment processing packs are deprecated and will be removed from a future version of Graylog Illuminate. The functionality of these packs is replaced by the Geolocation Processor. Instead of using the Illuminate Geolocation Processor packs, please instead configure the Geolocation Processor, making sure to verify the Enforce default Graylog schema option is selected.
Spotlight Updates Notice
As of Graylog Illuminate 3.3.0, all Spotlight content is now contained in the Illuminate bundle. Any Spotlight content packs that were previously installed will now be detected and upgraded automatically when the new bundle is activated. There are two Spotlight packs to note when upgrading from a version prior to Graylog Illuminate 3.3.0, which did not contain Spotlight pack entries:
"Message Summary Updates rev. 2" (Security Customers Only)
This pack updates an existing content pack that is installed in Graylog by default. All customers with a Security license should enable this Spotlight pack the first time they install Graylog Illuminate 3.3.0 or greater. Any future upgrades to this Spotlight pack will be automatic after it has been enabled initially.
"Event Definitions Rollup"
This Spotlight pack contains a collection of previously released event definitions. Those who have previously installed the Illuminate event definitions Spotlights do not need to install this. This Spotlight pack contains a set of event definitions developed by Graylog. After enabling the "Event Definitions Rollup" Spotlight pack:
-
Events are installed and on the system but are disabled by default. Review the installed event definitions by navigating to the Alerts page, then selecting Event Definitions.
-
Review the list of event definitions and identify the events that are applicable to your alerting requirements.
Hint: Graylog recommends that you make a copy of the event definitions provided in the events content packs, then use the copy instead of modifying and enabling the event definitions installed by the content pack. Making a copy of the event definition will prevent the loss of the event definition configuration if the events content pack is ever uninstalled. -
To make a copy of an event definition, select the More button associated with the event definition to be copied, then select Duplicate and Confirm. A copy of the event definition will be made, identifiable by the fact that a new event definition will appear with the same name but having the prefix
COPY-inserted in the event definition name.
Event definitions can be enabled by clicking on the More button to the right of the event definition to enable, then select Enable.
