Upgrading to 7.0
Upgrading to 7.0
Upgrading to 7.0 should be straightforward for most users as the breaking changes are limited to a few specific features.
Here's a high level overview of when you need to make any changes:
- If you are using AWS VPC Flogs logs, you will need to rename some config options (see below).
- If you are using RiskIQ for threat enrichment, we will automatically move you over to NetIntel threat enrichment (see below for steps and requirements).
- If you are using our community version, you might want to consider switching over to a free basic license to continue to collect up to 4000 flow records per organization.
- If you are upgrading from 5.x, please make sure to follow the 6.x upgrade steps first.
Naming Changes
In order to align our new product offerings, we have established new product names with the release of 7.0:
| Previous name | New name |
|---|---|
| Unified Flow Collector | NetObserv Flow |
| Unified SNMP Collector | NetObserv SNMP |
We will refer to NetObserv when talking about both Flow & SNMP.
Licensing Options
| License | Field | 6.x | Notes for 7.0 |
|---|---|---|---|
| Basic | Supported flow fields | 1020 | All (7400+) |
| Community | Supported flow records per second | 4000 | 500 |
RiskIQ is reaching end of life on June 30th 2024
In NetObserv 7.0 RiskIQ is no longer supported for threat enrichment. Instead, ElastiFlow NetIntel is enabled by default in 7.0 to provide threat enrichment for the Threats dashboards. No configuration changes are required when upgrading to 7.0. Click here for more information on how to set up NetIntel enrichment. The following table shows all configuration options added/removed as part of this change. The RiskIQ related options can be safely removed from your flowcoll.yml config file. They are ignored in 7.0.
| 6.x Option | Status | Notes for 7.0 |
|---|---|---|
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENDPOINT | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_REFRESH_INTERVAL | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_USER | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_KEY | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUT | Removed | --- |
| EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUT | Removed | --- |
| --- | Added | EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_ENABLE |
AWS VPC Flow log configuration
In order to support more options to retrieve AWS VPC Flow logs and Transit Gateway logs, we made the following naming changes to the configuration options related to VPC Flow logs:
| 6.x Option | Status | Notes for 7.0 |
|---|---|---|
| EF_AWS_VPC_FLOW_LOG_ENABLE | Renamed | EF_AWS_VPC_FLOW_LOG_S3_ENABLE |
| EF_AWS_VPC_FLOW_LOG_PREFIX | Renamed | EF_AWS_VPC_FLOW_LOG_S3_PREFIX |
| EF_AWS_VPC_FLOW_LOG_POOL_SIZE | Renamed | EF_AWS_VPC_FLOW_LOG_S3_POOL_SIZE |
| EF_AWS_VPC_FLOW_LOG_TLS_ENABLE | Renamed | EF_AWS_VPC_FLOW_LOG_S3_TLS_ENABLE |
| EF_AWS_VPC_FLOW_LOG_TLS_SKIP_VERIFICATION | Renamed | EF_AWS_VPC_FLOW_LOG_S3_TLS_SKIP_VERIFICATION |
| EF_AWS_VPC_FLOW_LOG_TLS_CA_CERT_FILEPATH | Renamed | EF_AWS_VPC_FLOW_LOG_S3_TLS_CA_CERT_FILEPATH |
| EF_AWS_VPC_FLOW_LOG_TLS_MIN_VERSION | Renamed | EF_AWS_VPC_FLOW_LOG_S3_TLS_MIN_VERSION |
| --- | Added | EF_AWS_VPC_FLOW_LOG_FIREHOSE_S3_ENABLE |
| --- | Added | EF_AWS_VPC_FLOW_LOG_FIREHOSE_S3_LOG_FORMAT |
Configuration Changes
To keep our configuration options uniform and organized, we changed one config option that was not following our naming schema:
| 6.x Option | Status | Notes for 7.0 |
|---|---|---|
| EF_INPUT_FLOW_BENCHMARK_PACKET_FILE_PATH | RENAMED | EF_INPUT_FLOW_BENCHMARK_PACKET_FILEPATH |