The following article describes how to upgrade an existing Illuminate instance using an externally provided bundle obtained from your sales representative. For information on how to upgrade Illuminate via the Graylog interface, which is the preferred method of installation, see the related documentation.
It is recommended that you use this article for upgrading Illuminate if your Graylog server cannot access the public internet or if you are operating Graylog with a free Operations license.
server.conf file to turn off Illuminate version notifications: illuminate_hub_new_version_check_interval=0s.
Prerequisites
The following is required prior to installing Graylog Illuminate:
-
A Graylog server running at least version 5.0.0.
-
A valid Operations or Security license.
-
Administrator access to the Graylog server.
Download the Illuminate Bundle
Once you have obtained the Illuminate bundle, download the file to a system that can be used to access the Graylog server web interface where Illuminate will be installed.
Illuminate Installation With The Graylog Web Interface
-
Log into your Graylog web interface using an account that has administrative privileges.
-
Click on the Enterprise menu and select Illuminate.
Upgrading An Existing Illuminate Deployment
When navigating to the Illuminate page, you will see a list of the current Illuminate packs and their activation status. To upgrade this installation of Illuminate, locate the link titled Install Another Bundle in the upper right corner of the Illuminate page.
This will take you to the bundle upload page.
Upload the Illuminate Bundle
Upload the bundle using one of two methods:
-
Manual
-
You can click on the box to open a file browser window on your local system, browse to the directory where the Illuminate bundle zip file was downloaded, select the Illuminate bundle zip file, and then click Open.
-
-
Drag and Drop
-
You can drag and drop the bundle zip file from a file explorer window on your operating system to the drag & drop section of the installer page.
-
After the bundle has uploaded, you will see a message informing you that the bundle was uploaded successfully but that the previous version is still active until you activate the upgraded bundle.
Click on the Continue to Packs Manager link. This will return you to the Illuminate Processing Packs page.
Activating the New Illuminate Bundle
Activating the upgraded bundle will disable the active (currently running) version of Illuminate then enable the upgraded version. Message processing will be temporarily paused for this activity ensuring that Illuminate will not skip any messages during the Illuminate upgrade process. All currently enabled packs will be automatically enabled in the upgraded version of Illuminate.
1. To activate the upgraded version of Illuminate, click on the Illuminate version selection drop-down.
2. Then select the version that was just uploaded at the bottom of the drop-down list.
3. Here, select the Activate button to the right of the version selection drop-down, and then click on the Confirm button on the confirmation dialog that appears.
4. After the upgraded version of Illuminate has been activated, you will be returned to the Illuminate Processing Packs page. If you want to enable any additional Illuminate packs, that can be done on this page as well.
Core Extension Packs Updates Notice
About the Anomaly Detection Add-on Pack
Upon upgrading please note that active anomaly detectors from an older version of the Anomaly Detection Add-on Pack will need to be reenabled once the new version of the pack has been enabled.
About the Geolocation and Autonomous System (AS) Packs
Two technology packs support geolocation and ASN enrichment: one supporting MaxMind city and AS databases and another supporting IPinfo city and AS databases.
Illuminate Geolocation and AS Deprecation Notice
The Graylog Illuminate Geolocation and AS enrichment processing packs are deprecated and will be removed from a future version of Graylog Illuminate. The functionality of these packs is replaced by the Geolocation Processor. Instead of using the Illuminate Geolocation Processor packs, please instead configure the Geolocation Processor, making sure to verify the Enforce default Graylog schema option is selected.
Spotlight Updates Notice
As of Graylog Illuminate 3.3.0, all Spotlight content is now contained in the Illuminate bundle. Any Spotlight content packs that were previously installed will now be detected and upgraded automatically when the new bundle is activated. There are two Spotlight packs to note when upgrading from a version prior to Graylog Illuminate 3.3.0, which did not contain Spotlight pack entries:
"Message Summary Updates rev. 2" (Security Customers Only)
This pack updates an existing content pack that is installed in Graylog by default. All customers with a Security license should enable this Spotlight pack the first time they install Graylog Illuminate 3.3.0 or greater. Any future upgrades to this Spotlight pack will be automatic after it has been enabled initially.
"Event Definitions Rollup"
This Spotlight pack contains a collection of previously released event definitions. Those who have previously installed the Illuminate event definitions Spotlights do not need to install this. This Spotlight pack contains a set of event definitions developed by Graylog. After enabling the "Event Definitions Rollup" Spotlight pack:
-
Events are installed and on the system but are disabled by default. Review the installed event definitions by navigating to the Alerts page, then selecting Event Definitions.
-
Review the list of event definitions and identify the events that are applicable to your alerting requirements.
Hint: Graylog recommends that you make a copy of the event definitions provided in the events content packs, then use the copy instead of modifying and enabling the event definitions installed by the content pack. Making a copy of the event definition will prevent the loss of the event definition configuration if the events content pack is ever uninstalled. -
To make a copy of an event definition, select the More button associated with the event definition to be copied, then select Duplicate and Confirm. A copy of the event definition will be made, identifiable by the fact that a new event definition will appear with the same name but having the prefix
COPY-inserted in the event definition name.
Event definitions can be enabled by clicking on the More button to the right of the event definition to enable, then select Enable.
