Log Insight content packs have always included setup instructions, but they have not included upgrade instructions. In Log Insight 3.6, upgrade instructions are now also possible. Read on to learn why this enhancement is so important.
Content packs are made up of a variety of components including:
- Agent Groups
- Extracted Fields
Of all of these components, changes to Alerts and Agent Groups are the most critical. Why? Because changes introduced in an upgrade are only applied with manual intervention. The reason for this is because enabled Alerts and Agent Groups are done so in user space. When they are enabled they are no longer tied to the content pack so they cannot inherit changes. Why do changes to Alerts and Agent Groups matter? Let me break down each next.
Let’s say an alert query was not properly defined and either returned events it should not or was not alerting about events it should. This issue could be addressed in an updated content pack version, however if you or any other user of Log Insight had enabled the old alert, the old alert would continue to run post upgrade. Again, this is because alerts are copied into user space once enabled. The solution would be to manually delete the old alert and then manually enable the new alert post upgrade of the content pack. What would be helpful is for the content pack told you when and which alerts require modification.
Let’s say an agent groups either did not include agent parsers or contained a configuration error. The result may be that some dashboards, queries, and/or alerts may not work properly pre or post upgrade — because they require agent group configuration changes. The solution would be to manually delete the old agent group and then manually enable the new agent group post upgrade of the content pack. What would be helpful is for the content pack told you when and which agent groups require modification.
So, how do content pack upgrade instructions work? Well, during the export process, a new Upgrade Instructions metadata field is provided:
Assuming this field has been filled in and you are running at least Log Insight 3.6, then after upgrading a content pack you will be presented with upgrade instructions:
Of course, if you ever need to return to the upgrade instructions you can:
- Not all content pack have upgrade instructions today
- Upgrade Instructions may also include a change log
© 2016, Steve Flanders. All rights reserved.