
Updating SEAL Elastic Stack


The update consists of a server part and a client part, which you have to update separately.

  1. Server:

    The server part includes Elasticsearch and Kibana. You have to update it on the management server.

  2. Client:

    The client part contains Filebeat. You have to update it on the PLOSSYS 5 server.


Management Server

Caution - SEAL Elastic Stack incompatible with seal-elk

SEAL Elastic Stack contains the new version of Elasticsearch and Kibana and replaces seal-elk. Before installing SEAL Elastic Stack, you have to uninstall seal-elk:

  • RHEL:

    sudo yum --assumeyes remove seal-elk
    
  • SLES:

    sudo zypper --non-interactive remove seal-elk
    
  1. In a browser, log on to the SEAL Systems delivery platform with your logon data:

    https://delivery.sealsystems.de

    Hint - logon data

    You receive the logon data from your Technical Project Manager at SEAL Systems.

  2. Download the SEAL Elastic Stack - 7.16.1.79 - rpm folder. It is saved as SEAL Elastic Stack - 7.16.1.79 - rpm.zip.

  3. Extract SEAL Elastic Stack - 7.16.1.79 - rpm.zip:

    unzip "SEAL Elastic Stack - 7.16.1.79 - rpm.zip"
    
  4. Change to the SEAL Elastic Stack - 7.16.1.79 - rpm/server directory and start installing the packages:

    cd "SEAL Elastic Stack - 7.16.1.79 - rpm/server"
    
    sudo sh install.sh
    
  5. Open the required firewall ports for necessary services:

    sudo sh firewall.sh
    
  6. Start Elasticsearch:

    sudo systemctl start elasticsearch
    
  7. Start Kibana:

    sudo systemctl start seal-kibana
    

PLOSSYS 5 Server

Caution - SEAL Elastic Stack incompatible with seal-elk

SEAL Elastic Stack contains the new version of Elasticsearch and Kibana and replaces seal-elk. Before installing SEAL Elastic Stack, you have to uninstall seal-elk:

  • RHEL:

    sudo yum --assumeyes remove seal-elk
    
  • SLES:

    sudo zypper --non-interactive remove seal-elk
    
  1. In a browser, log on to the SEAL Systems delivery platform with your logon data:

    https://delivery.sealsystems.de

    Hint - logon data

    You receive the logon data from your Technical Project Manager at SEAL Systems.

  2. Download the SEAL Elastic Stack - 7.16.1.79 - rpm folder. It is saved as SEAL Elastic Stack - 7.16.1.79 - rpm.zip.

  3. Extract SEAL Elastic Stack - 7.16.1.79 - rpm.zip:

    unzip "SEAL Elastic Stack - 7.16.1.79 - rpm.zip"
    
  4. Change to the SEAL Elastic Stack - 7.16.1.79 - rpm/client directory and install the packages:

    cd "SEAL Elastic Stack - 7.16.1.79 - rpm/client"
    
    sudo sh install.sh
    
  5. Start SEAL Filebeat:

    sudo systemctl start seal-filebeat
    

Manual Steps After Updating the PLOSSYS 5 Server to PLOSSYS 5.3.3

With PLOSSYS 5.3.3, audit messages have been introduced. For this, the filebeat.yml configuration file had to be changed. So, if you update SEAL Elastic Stack in the context of a PLOSSYS 5 update to version 5.3.3, you have to make some manual changes to the Filebeat configuration file.

  1. On the PLOSSYS 5 server, open the Filebeat configuration file:

    /opt/seal/etc/filebeat.yml
    
  2. Add the following entry below the processors section:

    - add_fields:
        when:
          has_fields:
            - metadata.audit
        target: ""
        fields:
          indextype: audit
    - rename:
        when:
          has_fields:
            - metadata.audit
        fields:
          - from: metadata.audit
            to: audit
          - from: application
            to: audit.application
        ignore_missing: true
    - copy_fields:
        when:
          has_fields:
            - audit
        fields:
          - from: timestamp
            to: audit.timestamp
        ignore_missing: true
    - drop_fields:
        when:
          has_fields:
            - audit
        fields: ["sourcefile", "hostname", "message", "application", "module", "level", "metadata", "agent", "host", "ecs", "processId"]
        ignore_missing: true
    
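As an added example (not part of this documentation and not Filebeat's own code), the following Python script re-implements the semantics of these four processors in simplified form and applies them to a constructed PLOSSYS log event, so you can see which fields the resulting audit document keeps and which ones are dropped. The event shape and field values are assumptions.

```python
# Added example: simplified re-implementation of the add_fields, rename,
# copy_fields and drop_fields processors from the audit configuration above,
# run on a constructed event. Dotted paths are resolved as nested maps.
import copy

DROP_FIELDS = ["sourcefile", "hostname", "message", "application", "module",
               "level", "metadata", "agent", "host", "ecs", "processId"]

def _get(event, path):
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _set(event, path, value):
    keys, cur = path.split("."), event
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value

def _delete(event, path):
    keys = path.split(".")
    parent = _get(event, ".".join(keys[:-1])) if len(keys) > 1 else event
    if isinstance(parent, dict):
        parent.pop(keys[-1], None)           # ignore_missing: true

def apply_audit_processors(event):
    """Return the event as it leaves the processors section (input untouched)."""
    ev = copy.deepcopy(event)
    if _get(ev, "metadata.audit") is not None:            # when: has_fields metadata.audit
        _set(ev, "indextype", "audit")                     # add_fields with target ""
        for src, dst in (("metadata.audit", "audit"),      # rename, applied in order;
                         ("application", "audit.application")):  # metadata is left empty
            val = _get(ev, src)
            if val is not None:
                _delete(ev, src)
                _set(ev, dst, val)
    if _get(ev, "audit") is not None:                      # when: has_fields audit
        if _get(ev, "timestamp") is not None:              # copy_fields
            _set(ev, "audit.timestamp", _get(ev, "timestamp"))
        for path in DROP_FIELDS:                           # drop_fields (also the empty metadata)
            _delete(ev, path)
    return ev

# Constructed sample event, shaped like a PLOSSYS log line carrying audit metadata.
AUDIT_EVENT = {
    "timestamp": "2022-01-10T09:15:00.000Z", "level": "info", "module": "archive",
    "application": "plossys-job", "hostname": "plossys01", "processId": 4711,
    "message": "job archived",
    "metadata": {"audit": {"user": "operator", "action": "archive", "jobId": "42"}},
}

if __name__ == "__main__":
    print(apply_audit_processors(AUDIT_EVENT))
```

Events without metadata.audit pass through unchanged, so only audit messages receive the indextype field and lose the generic log fields.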
