Upgrading to 5.2
Due to the changes made to improve IP address enrichment, it may be necessary modify your collector's configuration when upgrading from 5.1 to 5.2. The following configuration changes should be reviewed and the relevant guidance followed.
Hostname Options
| Option | Status | Notes for 5.2 |
|---|---|---|
| EF_FLOW_DECODER_ENRICH_DNS_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_TIMEOUT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_CACHE_SIZE | ✕ | REMOVED. 5.2 uses time-to-live (TTL) to prune items from the cache. |
| EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_EXPORTER | ✕ | REMOVED. Disabling exporter IPs can be achieved via the new include/exclude feature. |
| EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PRIVATE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PUBLIC | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_USERDEF_ENABLE | ✕ | REMOVED. If the path below is set, the feature is enabled. If empty, it will be disabled. |
| EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH | ⚠ | Functions similar to 5.1. While it is not necessary to change the location and name of this file from 5.1 (the default location was settings/hostnames_user_defined.yml), the recommended location for a clean installations of 5.2 is hostname/user_defined.yml. |
| EF_FLOW_DECODER_ENRICH_DNS_USERDEF_REFRESH_RATE | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_PATH | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_REFRESH_RATE | NEW | Added in 5.2 |
Maxmind Options
| Option | Status | Notes for 5.2 |
|---|---|---|
| EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_CACHE_SIZE | ✕ | REMOVED. 5.2 uses time-to-live (TTL) prune items from the cache. |
| EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_PATH | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_CACHE_SIZE | ✕ | REMOVED. 5.2 uses time-to-live (TTL) prune items from the cache. |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_PATH | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_VALUES | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_LANG | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_PATH | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE | NEW | Added in 5.2 |
RiskIQ Options
| Option | Status | Notes for 5.2 |
|---|---|---|
| EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENDPOINT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_REFRESH_INTERVAL | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENDPOINT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE | NEW | Added in 5.2 |