
Upgrading to 5.2

Due to the changes made to improve IP address enrichment, it may be necessary to modify your collector's configuration when upgrading from 5.1 to 5.2. Review the following configuration changes and follow the relevant guidance.

Hostname Options

| Option | Status | Notes for 5.2 |
| --- | --- | --- |
| EF_FLOW_DECODER_ENRICH_DNS_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_TIMEOUT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_CACHE_SIZE | ✕ | REMOVED. 5.2 uses time-to-live (TTL) to prune items from the cache. |
| EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_EXPORTER | ✕ | REMOVED. Disabling exporter IPs can be achieved via the new include/exclude feature. |
| EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PRIVATE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PUBLIC | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_DNS_USERDEF_ENABLE | ✕ | REMOVED. If the path below is set, the feature is enabled. If empty, it will be disabled. |
| EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH | ⚠ | Functions similarly to 5.1. While it is not necessary to change the location and name of this file from 5.1 (the default location was settings/hostnames_user_defined.yml), the recommended location for a clean installation of 5.2 is hostname/user_defined.yml. |
| EF_FLOW_DECODER_ENRICH_DNS_USERDEF_REFRESH_RATE | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_PATH | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_REFRESH_RATE | NEW | Added in 5.2 |

Maxmind Options

| Option | Status | Notes for 5.2 |
| --- | --- | --- |
| EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_CACHE_SIZE | ✕ | REMOVED. 5.2 uses time-to-live (TTL) to prune items from the cache. |
| EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_PATH | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_CACHE_SIZE | ✕ | REMOVED. 5.2 uses time-to-live (TTL) to prune items from the cache. |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_PATH | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_VALUES | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_LANG | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_PATH | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE | NEW | Added in 5.2 |

RiskIQ Options

| Option | Status | Notes for 5.2 |
| --- | --- | --- |
| EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_ENDPOINT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_ASN_REFRESH_INTERVAL | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENABLE | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_ENDPOINT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_REFRESH_INTERVAL | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_API_USER | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_API_KEY | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_API_TIMEOUT | ✓ | Functions as in 5.1 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_PATH | NEW | Added in 5.2 |
| EF_FLOW_DECODER_ENRICH_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE | NEW | Added in 5.2 |
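
One way to review a 5.1 configuration against the tables above, as an added example that is not part of the product or its documentation: the script flags options removed in 5.2 and the cases where a removed switch means enrichment behavior will differ after the upgrade. It assumes settings are written as KEY=VALUE, export KEY=VALUE or systemd Environment="KEY=VALUE" lines with true/false booleans; the function names and sample values are constructed for illustration.

```python
import re

P = "EF_FLOW_DECODER_ENRICH_"
REMOVED = {  # options the tables above mark as REMOVED in 5.2, with the stated reason
    P + "DNS_CACHE_SIZE": "cache is pruned by TTL",
    P + "DNS_RESOLVE_EXPORTER": "use the include/exclude feature",
    P + "DNS_USERDEF_ENABLE": "controlled by DNS_USERDEF_PATH being set",
    P + "MAXMIND_ASN_CACHE_SIZE": "cache is pruned by TTL",
    P + "MAXMIND_GEOIP_CACHE_SIZE": "cache is pruned by TTL",
}
# Assumed input formats: KEY=VALUE, export KEY=VALUE, systemd Environment="KEY=VALUE".
LINE = re.compile(r'^\s*(?:export\s+|Environment=)?"?(EF_[A-Z0-9_]+)=(.*?)"?\s*$')

def parse(text):
    """Return {option: value}; comment lines do not match and are skipped."""
    found = (LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip("\"'") for m in found if m}

def audit(text):
    """Return (option, message) findings for a 5.1 configuration."""
    opts = parse(text)
    out = [(k, "removed in 5.2: " + why) for k, why in REMOVED.items() if k in opts]
    enabled = opts.get(P + "DNS_USERDEF_ENABLE", "").lower()
    path = opts.get(P + "DNS_USERDEF_PATH", "")
    if enabled == "false" and path:
        out.append((P + "DNS_USERDEF_PATH", "set while USERDEF_ENABLE=false: 5.2 "
                    "enables user-defined hostnames whenever the path is set"))
    if enabled == "true" and not path:
        out.append((P + "DNS_USERDEF_PATH", "not set while USERDEF_ENABLE=true: 5.2 "
                    "enables the feature only when the path is set"))
    exporter = opts.get(P + "DNS_RESOLVE_EXPORTER", "").lower()
    if exporter == "false" and not opts.get(P + "DNS_INCLEXCL_PATH"):
        out.append((P + "DNS_INCLEXCL_PATH", "exporter resolution was disabled in "
                    "5.1; 5.2 needs an include/exclude file to keep it off"))
    return out

# Constructed 5.1 settings for illustration, not taken from a real deployment.
SAMPLE = """\
Environment="EF_FLOW_DECODER_ENRICH_DNS_ENABLE=true"
# Environment="EF_FLOW_DECODER_ENRICH_MAXMIND_ASN_CACHE_SIZE=262144"
Environment="EF_FLOW_DECODER_ENRICH_DNS_CACHE_SIZE=262144"
Environment="EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_EXPORTER=false"
Environment="EF_FLOW_DECODER_ENRICH_DNS_USERDEF_ENABLE=false"
Environment="EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH=settings/hostnames_user_defined.yml"
"""

if __name__ == "__main__":
    for option, message in audit(SAMPLE):
        print(f"{option}: {message}")
```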