After upgrading RHEL#

About proxy settings#

If the platform is configured to access the Internet through a proxy, make sure that the platform proxy configuration always bypasses the local hosts localhost and 127.0.0.1.

If you cannot access the platform proxy settings, and terminal commands that act on platform resources fail to execute correctly, bypass the proxy server on the fly for the individual command.

To do so, prepend NO_PROXY='127.0.0.1,localhost' to the platform commands you execute in the terminal.

Example

NO_PROXY='127.0.0.1,localhost' /opt/eclecticiq-platform-backend/bin/eiq-platform graph upgrade

About Elasticsearch indices#

If you need to prioritize migrating Elasticsearch indices, process at least the following ones:

  • stix: indexes entities

  • extracts: indexes observables

| Index name | Description |
| --- | --- |
| audit* | Records audit trail events related to entities, datasets, enrichers, incoming and outgoing feeds, rules, tasks, and user account authentication attempts. |
| documents | Records log information related to ingestion, tasks, and task scheduling. |
| draft-entities* | Indexes draft entity data, that is, entities that are currently saved as drafts and have not yet been published to the platform. These entities are not searchable in the platform. |
| extracts* | Indexes all observable data. |
| logstash* | Indexes log aggregation and logging information such as host, HTTP request type, HTTP response status code, platform component, and the path to the log directory where log entries are saved. |
| statsite* | Collects metrics about received packets and about invalid or malformed lines detected in ingested packets. This index works with both StatsD and Statsite. |
| stix* | Indexes published entity data, that is, entities that are published to the platform. These entities are searchable in the platform. |

Run a final check#

As a last step before launching the platform, it is good practice to check the following points:

  • Core processes and services

  • Search, indexing and graph

  • Availability

Check core processes and services#

  • To check if a core service is enabled to start at system bootup:

    systemctl is-enabled ${service_name}
    
  • To check if a core service is running:

    systemctl status ${service_name}
    
  • To start a core service:

    systemctl start ${service_name}
    

Nginx#

Verify that Nginx is up and running by checking the web server status:

systemctl status nginx

PostgreSQL#

Verify that PostgreSQL is up and running by checking its status:

systemctl status postgresql-11

# Or:
systemctl list-units | grep -i postgre

Check search indexing and graph#

Elasticsearch#

Verify that Elasticsearch is up and running by checking its status:

systemctl status elasticsearch

Check search indexing and graph availability#

Make sure that Elasticsearch is available by sending cURL requests to the Elasticsearch service. On the EclecticIQ Intelligence Center host, run from the terminal:

# Check Elasticsearch availability
curl <elasticsearch_host_url>:9200
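The service, Nginx, PostgreSQL and Elasticsearch checks above, collected into one script that reports each item and returns the number of failed checks. This is an added example, not EclecticIQ tooling: the unit names in SERVICES and the ES_URL default are assumptions to adjust for your host, `systemctl is-active` stands in for the interactive `systemctl status`, and the curl call carries the NO_PROXY bypass from the proxy section so a platform-wide proxy cannot intercept the loopback request.

```shell
#!/bin/sh
# Post-upgrade final check for an EclecticIQ Intelligence Center host.
# Added example, not EclecticIQ tooling. Assumptions: the unit names in
# SERVICES match this host (adjust postgresql-11 to your version) and
# ES_URL points at the Elasticsearch endpoint the platform uses.
set -u

SERVICES="nginx postgresql-11 elasticsearch eclecticiq-platform-backend-services"
ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Print "<unit> enabled=<yes|no> active=<yes|no>"; succeed only when the
# unit is both enabled at boot and currently running (is-active is the
# scriptable form of the "systemctl status" check).
check_service() {
    local name="$1" enabled=no active=no rc=0
    if systemctl is-enabled --quiet "$name" 2>/dev/null; then enabled=yes; else rc=1; fi
    if systemctl is-active --quiet "$name" 2>/dev/null; then active=yes; else rc=1; fi
    printf '%s enabled=%s active=%s\n' "$name" "$enabled" "$active"
    return "$rc"
}

# Probe Elasticsearch over HTTP and require a 200. NO_PROXY is set on the
# call so a platform proxy cannot intercept the loopback request (the same
# bypass the proxy section prepends to eiq-platform commands).
check_elasticsearch() {
    local code
    code=$(NO_PROXY='127.0.0.1,localhost' curl -sS -o /dev/null \
        -w '%{http_code}' --max-time 5 "$ES_URL" 2>/dev/null) || code=000
    printf 'elasticsearch %s http=%s\n' "$ES_URL" "$code"
    [ "$code" = 200 ]
}

# Run every check, print one line per item plus a summary, and return the
# number of failed checks (0 means the host is ready to launch).
run_final_check() {
    local failures=0 svc
    for svc in $SERVICES; do
        check_service "$svc" || failures=$((failures + 1))
    done
    check_elasticsearch || failures=$((failures + 1))
    printf 'failed checks: %s\n' "$failures"
    return "$failures"
}

# Usage: sh final-check.sh run
case "${1:-}" in
    run) run_final_check ;;
esac
```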

Re-enable and run the rules#

Before starting the ingestion processes, re-enable the rules you previously disabled.

Run the re-enabled rules only after the data migration has completed, so that they can filter out any observables marked to be ignored.

Enable all existing platform rules: entity, observable, enrichment, and discovery rules.

You can enable rules in one of the following ways:

In the rule detail pane

  1. Click Data configuration > Rules > Observable; or: Data configuration > Rules > Entity; or: Data configuration > Rules > Enrichment; or: Data configuration > Rules > Discovery to display the observable, entity, enrichment, or discovery rule overview.

  2. In the rule overview, click anywhere in the row corresponding to the rule you want to enable.

  3. In the rule detail panel, click More > Enable to enable the rule.

     Alternatively, in the Details tab click Enable.

A notification message is displayed to confirm the change.

In the rule overview

  1. Click Data configuration > Rules > Observable; or: Data configuration > Rules > Entity; or: Data configuration > Rules > Enrichment; or: Data configuration > Rules > Discovery to display the observable, entity, enrichment, or discovery rule overview.

  2. In the row corresponding to the rule you want to enable, click More > Enable.

A notification message is displayed to confirm the change.

Bulk enable

  1. Click Data configuration > Rules > Observable; or: Data configuration > Rules > Entity; or: Data configuration > Rules > Enrichment; or: Data configuration > Rules > Discovery to display the observable, entity, enrichment, or discovery rule overview.

  2. In the top-left corner, click the quick filter icon to display the available rule quick filters.

  3. Click Show, select Enabled, and then click OK to display only enabled rules. To select all the rules on the view, click the checkbox in the top-left corner of the table.

  4. To enable all the selected rules in bulk, in the quick filter horizontal bar click More > Enable.

A notification message is displayed to confirm the change.

Restart EclecticIQ Intelligence Center services#

After editing or updating systemd-managed unit configuration files, you must restart all systemd-managed EclecticIQ Intelligence Center services.

This makes systemd reload all configurations and apply any changes so that they take effect.

To restart systemd-managed EclecticIQ Intelligence Center services through the command line:

systemctl restart eclecticiq-platform-backend-services

Check the platform health#

To inspect the overall health of the instance after completing an upgrade, run eiq-platform diagnose run.

eiq-platform diagnose run is a diagnostic command that runs basic tests on the EclecticIQ Intelligence Center for troubleshooting purposes.