Upgrading Device Sensors to Stellar Cyber 5.2.2009/Ubuntu 22.04

This topic describes how to upgrade Stellar Cyber device sensors to the 5.2.2009 release. As part of this release, the operating system for the sensor is upgraded from Ubuntu 16.04 to Ubuntu 22.04 and the Stellar Cyber software is updated.

Before You Begin – Important Upgrade Notes

Before you begin upgrading, pay careful attention to the important notes below:

Expected Downtime

The upgrade procedure takes between 15 and 35 minutes and requires 4-5 reboots. During this time, all sensor features are stopped, including traffic processing, log forwarding, log/metadata buffering, and aggregator features. Plan for the upgrade accordingly and consider performing it during off-peak hours.

Supported Upgrade Paths

The upgrade to Stellar Cyber 5.2.2009 on Ubuntu 22.04 is only supported for Modular Sensors running the 5.2.0 GA release (5.2.0_00fd33d).

In general:

  • Start by upgrading a sensor running either 4.3.7 or 5.1.1 to 5.2.0 GA (5.2.0_00fd33d) before upgrading to the special 5.2.2009 release that includes Ubuntu 22.04.

    If your sensor is running a version older than 4.3.7, you must first upgrade it to either 4.3.7 or 5.1.1.

  • To upgrade a Security Data Sensor or Network Data Sensor, upgrade them to 5.2.0 GA (5.2.0_00fd33d) and then convert them to Modular Sensors, followed by the upgrade to 5.2.2009.

The table below lists some common upgrade paths:

| Sensor Type | Starting Version | Upgrade Path |
|---|---|---|
| MDS in Ubuntu/KVM | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |
| MDS in VMware (OVA) | 4.3.6 | Upgrade to 4.3.7. Then, upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |
| MDS in AWS | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |
| MDS in GCP | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |
| MDS in OCI | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |
| MDS in Azure | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |
| Photon 250 SDS | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), convert the sensor to a Modular sensor, followed by an OS and application upgrade via 5.2.2009 |
| Photon 400 MDS | 4.3.7 or 5.1.1 | Upgrade to 5.2.0 GA build (5.2.0_00fd33d), followed by OS and application upgrade via 5.2.2009 |

Both physical (Photon) and virtual device sensors running these versions with Ubuntu 16.04 are supported for upgrade, including those deployed in VMware ESXi, KVM, Azure, AWS, GCP, and OCI.

Stellar Cyber recommends upgrading from the tested versions listed above. Upgrades from other versions are not prevented in software and will likely work but have not been tested by Stellar Cyber.

Checking the Software and OS Versions in the Sensors Page

You can see both the Stellar Cyber software version for your sensors and the platform OS version in the System | Sensors page. Make sure both the Software Version and OS columns are displayed. For example:

In addition to the user interface, you can also use the show version CLI command to verify that Platform OS reports ubuntu-16.04 before performing the upgrade.

5.2.2009 is NOT for Server Sensors

The 5.2.2009 release is a special upgrade for Modular Device Sensors only. 5.2.2009 does not support upgrades of Server Sensors (agents). Attempts to upgrade Server Sensors are rejected by the Server Sensor.

Take a Snapshot, If Possible

For all target sensors running in an environment that supports snapshots (for example, VMware ESXi), Stellar Cyber strongly recommends that you take a snapshot of the sensor virtual machine before starting the upgrade. This way, you can easily revert to the previous version, if necessary.

Start Small Before Moving to Batches of 2-3

Stellar Cyber strongly recommends that you start by upgrading a single sensor and verifying success. Then, you can proceed in batches of 2-3 sensors, verifying success each time before moving on to the next batch.

Upgrade Primary and Secondary Aggregators Separately

If your sensor uses an aggregator (a modular sensor with the aggregator feature enabled in its sensor profile) to send traffic to the DP, Stellar Cyber strongly recommends the following:

  • Configure both a primary and secondary aggregator for the sensor.

  • Upgrade the sensor before upgrading its aggregators.

  • Upgrade the primary and secondary aggregators separately. This minimizes the amount of time sensors using the aggregator will be unable to communicate with the DP.

Converting an SDS/NDS to a Modular Data Sensor

The 5.2.2009 upgrade is not supported for Security Data Sensors or Network Data Sensors. To upgrade these sensors to 5.2.2009, you must first convert them to Modular Data Sensors. Use the following procedure:

  1. Upgrade the SDS/NDS to the 5.2.0 GA build (5.2.0_00fd33d) using the standard sensor upgrade procedure.

  2. Open a terminal window with the sensor to be converted.

  3. Log in with your administrator credentials. If this is your first time logging in to the sensor, the default username and password are aella and changeme.

    The prompt appears as DataSensor>

  4. Use the following command to convert the sensor to a Modular Data Sensor:

    DataSensor> set feature modular

  5. The system informs you that it will be restarted with a new Engine ID and asks you to confirm the change. Press y to confirm the change.

    The system applies changes and restarts the sensor. If you were connected via SSH, the connection is lost when the change is applied. Wait a few minutes and reconnect to the sensor.

    When you reconnect, the show ver command now reports Running Feature as mds. You can see the new Engine ID applied as part of the conversion with the show engid_encoding command.

  6. Navigate to the System | Sensors list in the Stellar Cyber platform.

  7. At this point, there will be two entries for the sensor you just converted, with one still shown as a Security or Network Data Sensor in the Feature column and the other as a Modular Data Sensor. Use the trash icon at the far right of the table to delete the entry for the Security or Network Data Sensor and keep the one for the Modular Data Sensor. For example:

  8. The new Modular sensor is not authorized by default, as you can see in the image above. Click the Manage button and use the Authorization option to authorize the new Modular sensor.

  9. Click the Edit button for your new Modular sensor and use the Edit Sensor Parameters dialog to assign a Modular Sensor Profile to the new Modular sensor.

At this point, your NDS/SDS has been converted to an MDS and is authorized with a Modular Sensor Profile applied. You're ready for the OS upgrade using 5.2.2009.

Preparing for the Upgrade

To prepare for the upgrade:

  1. Locate the one-time password (OTP) for your data processor. You can retrieve the OTP using either of the following techniques:

    • Use the show otp command from the DP console.

    • Open the System | Licensing page in the user interface and locate the OTP Key field at the bottom of the page.

    You will need to provide this OTP to the Stellar Cyber Customer Success team so that they can make the 5.2.2009 upgrade package available to your account.

  2. Verify that your DP is connected to the Stellar Cyber upgrade server at acps.stellarcyber.ai with the following command from the DP console:

    DataProcessor(AIO)> show aps
    acps.stellarcyber.ai

    If the output of this command does not show acps.stellarcyber.ai, contact Customer Success before proceeding.

  3. Make sure the sensors are up and running and that their Status LEDs show green in the System | Sensors page.

Upgrading Device Sensors to 5.2.2009

Upgrade device sensors to 5.2.2009 as follows:

  1. Log in to the DP and navigate to the System | Data Lake page.

  2. Click the File Sync button to download the 5.2.2009 sensor upgrade packages to your DP.

  3. Click Yes on the confirmation prompt that appears to begin the File Sync.

    When the File Sync completes, the Status LED in the Data Lake page returns to green.

  4. Navigate to the System | Sensors page and select the Manage | Software Upgrade option, as illustrated in the figure below:

    The Sensor Software Upgrade window appears with the 5.2.2009 upgrade package listed under Available Software, as illustrated below:

  5. Select the entry for the aellads_5.2.2009_20241006_23e13a7 upgrade package in the Available Software list, as illustrated above.

    If multiple 5.2.2009 upgrade packages are listed, make sure you choose the aellads_5.2.2009_20241006_23e13a7 version, as illustrated above.

  6. Next, select the target device sensor for the upgrade in the Target Sensors list. Note the following:

    • Select only a single device sensor for the first upgrade.

    • Make sure the device sensor you select is running 5.2.0_00fd33d (the 5.2.0 GA release) and that the Platform OS is Ubuntu 16.04. Other 5.2.0 versions will likely work, but this is the tested version.

      You can verify both of these items in the System | Sensors page, as described in Supported Upgrade Paths.

    • Once you have successfully upgraded a single sensor, you can select as many as 2-3 device sensors for batch upgrades.

    Pay careful attention to the guidelines in Before You Begin – Important Upgrade Notes and make sure you start with one device sensor before moving to batches, upgrade sensors before aggregators, and upgrade primary and secondary aggregators separately.

  7. Once you have selected the target sensor(s), click Submit to begin the upgrade.

    As described in Expected Downtime, you should plan on 4-5 reboots and between 15 and 35 minutes of downtime, depending on Internet speed and the target environment, as estimated below. No data is collected or processed during the upgrade.

    • Photon Sensors: 15-35 minutes.

    • Virtual Sensors in VMware or Clouds: ~15 minutes.

Verifying the Upgrade

When the upgrade completes, verify that the version number shows 5.2.2002_038a3af in the System | Sensors page. For example:

Similarly, the sensor's show version output displays 5.2.2002_038a3af for the AOS Version and ubuntu-22.04 for the Platform OS, as illustrated below:

DataSensor> show version

AOS Version           : 5.2.2002_038a3af
 - Log Forwarder      : 1.0_20240911_08dbf4a
Product Model         : Data_Sensor
Product EngineID      : 3367e255228d0d22
Internal ID           : 3367e255228d0d22
Platform Type         : Photon-300D
Platform OS           : ubuntu-22.04
Hostname              : P300D-n13h30
<snipped>
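
A pre-flight and post-upgrade check built on the show version fields this page relies on, as an added example that is not Stellar Cyber's own code: it parses captured show version output and maps it to the next step in the supported upgrade path. The "Running Feature" line layout and the pre-upgrade sample are assumptions; the post-upgrade lines are taken from the output above.

```python
import re

GA_BUILD = "5.2.0_00fd33d"     # tested starting build named on this page
POST_AOS = "5.2.2002_038a3af"  # AOS Version the page shows after the upgrade

def parse_show_version(text):
    """Collect the 'Key : value' lines of `show version` output into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^[\s-]*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def release(aos):
    """Numeric release tuple: '5.2.0_00fd33d' -> (5, 2, 0)."""
    return tuple(int(p) for p in aos.split("_")[0].split("."))

def next_step(info):
    """Map parsed fields to the next action in the supported upgrade path."""
    aos, os_name = info.get("AOS Version"), info.get("Platform OS")
    if not aos or not os_name:
        return "incomplete output"
    if os_name == "ubuntu-22.04":
        return "upgraded" if aos == POST_AOS else "unexpected AOS version"
    if release(aos) < (4, 3, 7):
        return "upgrade to 4.3.7 or 5.1.1 first"
    if release(aos) < (5, 2, 0):
        return "upgrade to " + GA_BUILD
    feature = info.get("Running Feature")  # assumed label for the field
    if feature is None:
        return "incomplete output"
    if feature != "mds":
        return "convert with 'set feature modular'"
    if aos != GA_BUILD:
        return "untested build, " + GA_BUILD + " is the tested start"
    return "ready for 5.2.2009"

# Constructed pre-upgrade sample; field layout assumed to match the page's output.
PRE = """AOS Version           : 5.2.0_00fd33d
Running Feature       : mds
Platform OS           : ubuntu-16.04
"""
# Post-upgrade lines copied from the output shown on this page.
POST = """AOS Version           : 5.2.2002_038a3af
 - Log Forwarder      : 1.0_20240911_08dbf4a
Platform OS           : ubuntu-22.04
"""
```

Run next_step(parse_show_version(text)) on the output captured from each sensor before and after a batch; any result other than "ready for 5.2.2009" beforehand, or "upgraded" afterwards, is a reason to stop before moving to the next batch.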

Reverting the Device Sensor OS Upgrade

Reverting the sensor OS upgrade is not currently supported. Because of this, Stellar Cyber strongly recommends that you take a snapshot of the target sensors before starting the upgrade, as described in Before You Begin – Important Upgrade Notes.

In the rare situation where the device sensor does not boot after the OS upgrade, contact the Customer Success team. Note that Customer Success will require access to the device sensor's hard disk for a manual restore.