Applies to Product: USM Appliance™, LevelBlue OSSIM®
You need to update USM Appliance manually after a release becomes available. You can perform the update either from the USM Appliance web UI or the LevelBlue Setup menu.
In USM Appliance version 5.4 and later, you can configure threat intelligence and plugin updates to run automatically, but you still need to run the product updates manually.
Important: To ensure performance, based on the USM Appliance data sheet, the update process terminates when you have more than 200 million events in the database.
To download the latest packages, make sure USM Appliance can connect to data.alienvault.com through port 80.
The easiest way to find out the version of your USM Appliance is from the web UI.
To find out the version of your USM Appliance instance
- Log into the USM Appliance web UI using an account with administrative privileges.
- Go to Configuration > Deployment.
  The LevelBlue Components Information page displays.
- Click the icon of the USM Appliance instance.
- On the resulting page, click the Software Updates link.
  The LevelBlue Package Information page displays.
  The page shows the current version of your system, threat intelligence, and plugins, as well as the date and time of your latest system update.
Note: If your USM Appliance is already on the latest version, the list of LevelBlue packages will be empty. You will see "System Updated" instead. If you are not on the latest version, however, the web UI displays the list of packages you can update to.
You can update USM Appliance from the USM Appliance web UI or the LevelBlue Setup menu. LevelBlue recommends the web UI for its ease of use.
To update USM Appliance from the web UI
- Log into the USM Appliance web UI using an account with administrative privileges.
- Go to Configuration > Deployment.
  The LevelBlue Components Information page displays.
- Check the New Updates column for the USM Appliance component of interest. If an update is available, a downward-pointing arrow icon displays.
- To retrieve information about the update, click the arrow.
- Review the target update packages.
- Update the software:
  - To update threat intelligence or plugin feeds, click Update Feed Only.
  - To upgrade to a new product release, click Update All.
The process can take several minutes. The system displays a success message when the update process completes without issues.
You can also update USM Appliance from the LevelBlue Setup menu. Some updates, especially those that require a system restart, must be run from the LevelBlue Setup menu, because the system loses connection to the web UI during a restart. LevelBlue will specify, in the release notes, if you need to run the update from the LevelBlue Setup menu.
To update USM Appliance from the LevelBlue Setup menu
- Log in to USM Appliance.
  Although login via SSH is supported, LevelBlue recommends using a physically connected monitor and keyboard, or a direct connection via the VMware or Hyper-V virtual console. If your SSH connection is interrupted during the update, your USM Appliance may become irreparably corrupted.
  An update pre-check will display a warning if it detects an SSH connection before you apply your update.
  The LevelBlue Setup menu appears with System Preferences as the default selection.
- To update the appliance, press Enter (<OK>).
- Tab to Update LevelBlue System and press Enter.
- Update the software:
  - To update to a new product release, tab to Update System and press Enter.
  - To update threat intelligence or plugin feeds only, tab to Update Threat Intelligence and press Enter.
- Confirm your selection by pressing Enter.
The process can take several minutes. The system displays a success message when the update process completes without issues.
When connecting to the USM Appliance instance through a console (not using SSH), a reboot is needed after an update. The console then displays a splash screen after the post message and through the boot process. If you wish to see boot messages, you can press the up arrow key to display them, or the down arrow key to return to the splash screen.
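As an added example (not LevelBlue's code and not the appliance's own update pre-check), the following shell script checks the two conditions this page calls out before an update: whether the current shell is running over SSH, and whether data.alienvault.com is reachable on port 80. The function names, the reliance on the SSH_* variables and Linux /proc, and the 5-second timeout are assumptions of the example.

```shell
#!/bin/sh
# Added pre-flight example; not LevelBlue's own update pre-check.
FEED_HOST="data.alienvault.com"   # host and port as stated on this page
FEED_PORT=80

# Succeeds if any variable sshd sets (SSH_CONNECTION, SSH_CLIENT, SSH_TTY) is non-empty.
env_says_ssh() {
  [ -n "$1" ] || [ -n "$2" ] || [ -n "$3" ]
}

# Succeeds if any given process name is sshd. sudo and su can drop the SSH_*
# variables, so the process ancestry is the fallback signal.
ancestors_say_ssh() {
  for name in "$@"; do
    case "$name" in sshd|sshd-session) return 0 ;; esac
  done
  return 1
}

# Prints the command names of this shell's ancestors (Linux /proc assumed).
list_ancestors() {
  pid=$$
  while [ "${pid:-0}" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
    cat "/proc/$pid/comm"
    pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
  done
}

# Prints "ssh" or "console". Args: the three SSH_* values, then ancestor names.
session_kind() {
  c=$1; l=$2; t=$3; shift 3
  if env_says_ssh "$c" "$l" "$t" || ancestors_say_ssh "$@"; then echo ssh
  else echo console; fi
}

# Succeeds if a TCP connection to host ($1) port ($2) opens within 5 seconds.
port_reachable() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

preflight() {
  kind=$(session_kind "${SSH_CONNECTION:-}" "${SSH_CLIENT:-}" "${SSH_TTY:-}" $(list_ancestors))
  [ "$kind" = ssh ] && echo "WARNING: SSH session detected; prefer the console for this update"
  port_reachable "$FEED_HOST" "$FEED_PORT" || echo "WARNING: cannot reach $FEED_HOST:$FEED_PORT"
  echo "session=$kind"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run with `--run` as the first argument, it prints any warnings followed by `session=ssh` or `session=console`.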
In USM Appliance version 5.4 and later, you can configure threat intelligence and plugin updates to run at a certain hour every day. USM Appliance will execute the update as it becomes available. You will see a message in the Message Center to confirm the success or failure of the update.
Important: Do not schedule the update to run when a vulnerability scan is in progress, because the update may change the rule the scan uses, causing the scan to fail.
To configure automatic updates
- Log into the USM Appliance web UI using an account with administrative privileges.
- Go to Configuration > Administration > Main.
- Click Automatic Updates.
- Change Automatically run Plugin updates and Threat Intelligence updates to Yes.
- In Schedule automatic updates to run, select the hour for USM Appliance to check (daily) and run the update when available.
  The schedule is based on the time zone you have configured for this USM Appliance instance.