Release notes 2.10.5#
18 May 2022
Time to upgrade
~18 minutes to upgrade an instance with 4 million entities.
Additional ~6 minutes to run pre-upgrade scripts for upgrading from 2.8.x and earlier.
Time to migrate
Data retention mechanisms are being worked on to allow you to more effectively manage how long data should be kept on your IC.
This release adds:
Policy run improvements
Data retention policy runs are more stable.
Delete observable actions are skipped by default on this release.
There is a known issue with observable removal in retention policies that is being worked on. Meanwhile, Delete observable actions are skipped by default for all policies in this release. This improves the reliability of policy runs, and allows existing policies to run without modification.
(Not recommended) You can re-enable Delete observable actions with the
platform_settings.py. See Update platform_settings.py.
Schedule removal of old records in raw data tables
You now configure the IC to automatically delete old records in the
content_blocktables from the PostgreSQL database.
blobtable stores raw data downloaded by running incoming feeds, and the
content_blocktable stores data prepared for consumption through outgoing feeds.
You can set the number of days to retain records in these tables with the
platform_settings.py. See Update platform_settings.py.
To see a detailed list of security issues and their mitigations, go to All security issues and mitigations.
In the IC UI, drop-down menus that render user-defined item names are vulnerable to stored XSS attacks. Addressed in EIQ-2022-0003. These drop-down menus now correctly sanitize item names.
Elasticsearch 7 encounters “Data too large” errors: See Known issue with Elasticsearch 7: “Data too large”.
Entity incorrectly warns it is outdated: When viewing an entity, the entity may warn that it is not the latest version when it actually is. This is related to an issue where with attachments that have been depulicated multiple times, causing issues in the final state of the entity.
When you configure the platform databases during a platform installation or upgrade, you must specify passwords for the databases.
Systemd splits log lines exceeding 2048 characters into 2 or more lines.
As a result, log lines exceeding 2048 characters become invalid JSON, causing Logstash to be unable to parse them correctly.
When more than 1000 entities are loaded on the graph, you cannot load related entities and observables by selecting Load entities, Load observables, or Load entities by observable from the context menu.
When creating groups in the graph, it is not possible to merge multiple groups into one.
If an ingestion process crashes while ingestion is still ongoing, data may not always sync to Elasticsearch.
Users can leverage rules to access groups that act as data sources, even if those users are not members of the groups they access through rules.
Running multiple outgoing feed tasks may cause the platform to consume a large amount of memory over time, because certain outgoing feeds such as HTTP download must load the data into memory in order to make it available to feed consumers.
Since release 2.9.0, the platform comes bundled with
Elasticsearch (ES) 7.9.1. ES 7 adds a new
real memory circuit breaker
that causes ES nodes to respond with a
circuit_breaking_exception error when it detects that
memory use has reached 95% of the totally available JVM
Because of this change, you may encounter issues related to available memory where previously at the same workloads, ES would appear to run smoothly.
If your plaform is encountering issues related to
Elasticsearch responding with a
circuit_breaking_exception error, you can do the
following to mitigate:
circuit_breaking_exception error occurs only when ES
detects that you are about to go over a memory use threshold
that would cause it to fail.
Increase the amount of memory available to ES, or move it to its own host where it does not compete with the platform for resources to keep your ES nodes running.
This may allow ES to reach an out of memory state and fail.
(Not recommended) To disable the “real memory circuit breaker”, set the
parameter in your ES
This allows ES to use the ES 6 parent circuit breaker instead, but disables the safety guarantees that the real memory circuit breaker provides.
For more information about setting up repositories, refer to the installation documentation for your target operating system.
EclecticIQ Intelligence Center and dependencies for CentOS and RHEL
The Intelligence Center dependencies URL for versions 2.9 and later is
EclecticIQ Intelligence Center extensions
The following diagram describes the upgrade path you should take depending on the Intelligence Center version you are upgrading from.
You can upgrade from version 2.9.1 of the Intelligence Center to 2.10.0 directly,
To upgrade from 2.4.0 to 2.10.0, you must first upgrade to 2.5.0, then upgrade from 2.5.0 to 2.10.0.
When upgrading from 2.8.x and earlier to 2.9.x and later:
You must run the pre-upgrade script to allow it to work with Elasticsearch 7.9.1.
You must run the pre-upgrade script on the Intelligence Center version you are upgrading from.
For example, when upgrading from 2.8.0 to 2.10.1, you must run the pre-upgrade script on the Intelligence Center while it is running version 2.8.0.
From 2.5.0, the upgrades paths have been tested using the EclecticIQ Intelligence Center install script compiled by Rundoc.
The script only supports:
Single machine installs.
Instances installed using the Intelligence Center install script.
and does not support Intelligence Center instances installed in distributed environments.