Upgrading Device Sensors to Stellar Cyber 4.3.7009/Ubuntu 22.04
This topic describes how to upgrade Stellar Cyber device sensors to the 4.3.7009 release. As part of this release, the operating system for the sensor is upgraded from Ubuntu 16.04 to Ubuntu 22.04 and the Stellar Cyber software is updated.
Before You Begin – Important Upgrade Notes
Before you begin upgrading, pay careful attention to the important notes below:
Upgrade the DP to 5.1.1 First
Start by upgrading the DP to 5.1.1 using the standard upgrade procedure. This ensures that the 4.3.7009 sensor software is available for selection in the DP user interface when you go to upgrade sensors.
Expected Downtime
The upgrade procedure takes between 10-25 minutes and requires 4-5 reboots. During this time, all features are stopped. This includes traffic processing, log forwarding, log/metadata buffering, and aggregator features. Plan for the upgrade accordingly and consider performing it during off-peak hours.
Sensors Supported for Upgrade
Stellar Cyber has tested upgrades to 4.3.7009 with Ubuntu 22.04 for device sensors running either of the following Stellar Cyber releases with Ubuntu 16.04:
- 4.3.6 (4.3.6_1999dab)
- 4.3.7 (4.3.7_12c2f39)
Both physical (Photon) and virtual device sensors running these versions with Ubuntu 16.04 are supported for upgrade, including those deployed in VMware ESXi, KVM, Azure, AWS, GCP, and OCI.
Stellar Cyber recommends upgrading from the tested versions listed above. Upgrades from other versions are not prevented in software and will likely work but have not been tested by Stellar Cyber.
Checking the Software and OS Versions in the Sensors Page
You can see both the Stellar Cyber software version for your sensors and the platform OS version in the System | Sensors page. Make sure both the Software Version and OS columns are displayed. For example:
In addition to the user interface, you can also use the show version CLI command to verify that Platform OS: ubuntu-16.04 before performing the upgrade.
Upgrading Device Sensors Shipped New with Ubuntu 22.04
Starting with the 4.3.7 release, Stellar Cyber began to ship new device sensors with Ubuntu 22.04. If you have one of these device sensors, the OS will display as 22.04 in the Sensor page, but the Software Version will not be 4.3.7_1879469. Stellar Cyber recommends upgrading these device sensors, too.
Once a device sensor has been successfully upgraded to 4.3.7009, further attempts to upgrade the sensor with the same image are rejected by the sensor.
4.3.7009 is NOT for Server Sensors or Purpose-Built Aggregators
The 4.3.7009 release is a special upgrade for device sensors only:
- 4.3.7009 does not support upgrades of Server Sensors (agents). Attempts to upgrade Server Sensors are rejected by the Server Sensor.
- 4.3.7009 does not support upgrades of legacy, purpose-built aggregators listed in the Aggregator (deprecated) tab of the System | Sensors page. Attempts to upgrade legacy, purpose-built aggregators are rejected by the aggregator.
Stellar Cyber strongly recommends that any legacy, purpose-built aggregators in your deployment be migrated to Modular Sensors with the Aggregator feature enabled in their Modular Sensor profiles.
Take a Snapshot, If Possible
For all target sensors running in an environment that supports snapshots (for example, VMware ESXi), Stellar Cyber strongly recommends that you take a snapshot of the sensor virtual machine before starting the upgrade. This way, you can easily revert to the previous version, if necessary.
Start Small Before Moving to Batches of 2-3
Stellar Cyber strongly recommends that you start by upgrading a single sensor and verifying success. Then, you can proceed in batches of 2-3 sensors, verifying success each time before moving on to the next batch.
Upgrade Primary and Secondary Aggregators Separately
If your sensor uses an aggregator (a modular sensor with the aggregator feature enabled in its sensor profile) to send traffic to the DP, Stellar Cyber strongly recommends the following:
- Configure both a primary and secondary aggregator for the sensor.
- Upgrade the sensor before upgrading its aggregators.
- Upgrade the primary and secondary aggregators separately. This minimizes the amount of time sensors using the aggregator will be unable to communicate with the DP.
Upgrading Device Sensors to 4.3.7009
Upgrade device sensors to 4.3.7009 as follows:
- Log in to the DP and navigate to the System | Data Processor | Data Lake page.
- Click the File Sync button to download the 4.3.7009 sensor upgrade packages to your DP.
- Click Yes on the confirmation prompt that appears to begin the File Sync.
  When the File Sync completes, the Status LED in the Data Lake page returns to green.
- Navigate to the System | Collection | Sensors page and select the Manage | Software Upgrade option, as illustrated in the figure below:
  The Sensor Software Upgrade window appears with the 4.3.7009 upgrade package listed under Available Software, as illustrated below:
- Select the entry for the aellads_4.3.7009_20240509_21eebea upgrade package in the Available Software list, as illustrated above.
  If multiple 4.3.7009 upgrade packages are listed, make sure you choose the aellads_4.3.7009_20240509_21eebea version, as illustrated above.
- Next, select the target device sensor for the upgrade in the Target Sensors list. Note the following:
  - Select only a single device sensor for the first upgrade.
  - Make sure the device sensor you select is running one of the tested versions and that the Platform OS is Ubuntu 16.04. The tested versions are 4.3.6 (4.3.6_1999dab) or 4.3.7 (4.3.7_12c2f39). Other 4.3.6 and 4.3.7 versions will likely work, but these are the tested versions.
    You can verify both of these items in the System | Sensors page, as described in Sensors Supported for Upgrade.
  - Once you have successfully upgraded a single sensor, you can select as many as 2-3 device sensors for batch upgrades.
    Pay careful attention to the guidelines in Before You Begin – Important Upgrade Notes and make sure you start with one device sensor before moving to batches, upgrade sensors before aggregators, and upgrade primary and secondary aggregators separately.
- Once you have selected the target sensor(s), click Submit to begin the upgrade.
  The upgrade begins.
  As described in Expected Downtime, you should plan on 4-5 reboots and between 10-25 minutes of downtime, depending on Internet speed and the target environment, as estimated below. No data is collected or processed during the upgrade.
  - Photon Sensors: 20-25 minutes.
  - Virtual Sensors in VMware or Clouds: ~10 minutes.
Verifying the Upgrade
When the upgrade completes, verify the version number shows 4.3.7_1879469 in the System | Sensor page. For example:
Similarly, the sensor's show version output displays 4.3.7_1879469 for the AOS Version and ubuntu-22.04 for the Platform OS, as illustrated below:
DataSensor> show version
AOS Version : 4.3.7_1879469
- Log Forwarder : 1.0
License Status : Valid-unlimited-APT-IDS
Product Model : Data_Sensor
Product EngineID : ad56005056893550
Internal ID : df98085bc515c098
Platform Type : vmware
Platform OS : ubuntu-22.04
Hostname : sds-n10-16-8h116
<snipped>
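The pre-upgrade and post-upgrade checks on this page can be scripted against captured show version output. The following is an added example, not Stellar Cyber code. The state names and the pre-upgrade sample are assumptions, as is the premise that the pre-upgrade AOS Version field carries the same build string shown in the Software Version column.

```python
import re

# Values taken from this page.
TESTED_SOURCE_BUILDS = {"4.3.6_1999dab", "4.3.7_12c2f39"}
TARGET_BUILD = "4.3.7_1879469"

def parse_show_version(text):
    """Turn the 'Key : Value' lines of `show version` output into a dict."""
    fields = {}
    for line in text.splitlines():
        # Optional leading "- " covers sub-items such as "- Log Forwarder : 1.0".
        m = re.match(r"^\s*(?:-\s*)?([^:]+?)\s*:\s*(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def upgrade_state(text):
    """Classify a sensor against the upgrade notes on this page (state names are hypothetical)."""
    f = parse_show_version(text)
    aos, platform_os = f.get("AOS Version"), f.get("Platform OS")
    if aos is None or platform_os is None:
        return "unknown"                      # incomplete output: do not guess
    if aos == TARGET_BUILD:
        return "upgraded" if platform_os == "ubuntu-22.04" else "inconsistent"
    if platform_os == "ubuntu-22.04":
        return "shipped-22.04"                # shipped new with 22.04; upgrade recommended
    if platform_os == "ubuntu-16.04":
        return "tested" if aos in TESTED_SOURCE_BUILDS else "untested"
    return "unknown"

# Constructed sample: pre-upgrade output, assuming the same field layout.
BEFORE = """DataSensor> show version
AOS Version : 4.3.7_12c2f39
Platform Type : vmware
Platform OS : ubuntu-16.04
"""

# Post-upgrade output, abbreviated from the listing above.
AFTER = """DataSensor> show version
AOS Version : 4.3.7_1879469
- Log Forwarder : 1.0
Platform Type : vmware
Platform OS : ubuntu-22.04
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, upgrade_state(sample))
```

A sensor in the "untested" state can still be upgraded, since upgrades from other versions are not prevented in software; the state only flags that the source build is not one of the two tested ones.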
Reverting the Device Sensor OS Upgrade
Reverting the sensor OS upgrade is not currently supported. Because of this, Stellar Cyber strongly recommends that you take a snapshot of the target sensors before starting the upgrade, as described in Before You Begin – Important Upgrade Notes.
In the rare situation where the device sensor does not boot after the OS upgrade, contact the Customer Success team. Note that Customer Success will require access to the device sensor's hard disk for a manual restore.