Upgrade from different major version

The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x (which implies upgrading from Elastic Stack 5.x to 6.x).

Upgrade Wazuh agent

  1. Stop the service:

# systemctl stop wazuh-agent
  2. Add the new repository for Wazuh 3.x.

  2.1) For CentOS/RHEL/Fedora:

# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
  2.2) For Debian/Ubuntu:

# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Note that tee -a appends: if /etc/apt/sources.list.d/wazuh.list already holds the 2.x repository line, remove it first so that the 3.x entry is the only Wazuh source apt sees.

  3. Upgrade the agent.

  3.1) Upgrade Wazuh agent on CentOS/RHEL/Fedora:

# yum install wazuh-agent
  3.2) Upgrade Wazuh agent on Debian/Ubuntu:

# apt-get update
# apt-get install wazuh-agent

Upgrade Wazuh manager

  1. Stop services:

# systemctl stop wazuh-api
# systemctl stop wazuh-manager
  2. Add the new repository for Wazuh 3.x.

  2.1) For CentOS/RHEL/Fedora:

# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
  2.2) For Debian/Ubuntu:

# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Note that tee -a appends: remove any existing 2.x line from /etc/apt/sources.list.d/wazuh.list first so that the 3.x entry is the only Wazuh source apt sees.

  3. Upgrade the manager.

  3.1) Upgrade Wazuh manager on CentOS/RHEL/Fedora:

# yum install wazuh-manager
  3.2) Upgrade Wazuh manager on Debian/Ubuntu:

# apt-get update
# apt-get install wazuh-manager
  4. Upgrade the API.

  4.1) Upgrade Wazuh API on CentOS/RHEL/Fedora:

# yum install wazuh-api
  4.2) Upgrade Wazuh API on Debian/Ubuntu:

# apt-get install wazuh-api

Prepare Elastic Stack

  1. Stop services:

# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
  2. Add the new repository for Elastic Stack 6.x:

  2.1) For CentOS/RHEL/Fedora:

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
  2.2) For Debian/Ubuntu:

# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list

Piping the download straight into apt-key add trusts whatever the server returns. Where the chain of trust matters, save the key to a file first and compare its fingerprint with the one Elastic publishes before importing it. With gpgcheck=1 in the yum repository and the key in apt's keyring, every package installed from these repositories is then verified against that key.

Upgrade Elasticsearch

Note

Since you are upgrading to a different major version of Elasticsearch, back up /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/jvm.options before upgrading Elasticsearch, so that settings you have tuned (network binding, cluster name, heap size) can be compared with the new defaults afterwards. Check https://www.elastic.co/guide/en/elasticsearch/reference/6.x/index.html for more information.

  1. Update Elasticsearch:

  1.1) For CentOS/RHEL/Fedora:

# yum install elasticsearch-6.1.0
  1.2) For Debian/Ubuntu:

# apt-get update
# apt-get install elasticsearch=6.1.0
  2. Start Elasticsearch:

# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
  3. Load the Wazuh Elasticsearch templates. The commands below assume Elasticsearch answers unauthenticated on http://localhost:9200; adjust the URL, and add credentials, if you bind it elsewhere or protect it:

# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://localhost:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
  4. Insert a sample alert in Elasticsearch (this creates today's wazuh-alerts-3.x index, so the Kibana index pattern can be created before real alerts arrive):

# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-

Upgrade Logstash

  1. Upgrade Logstash:

  1.1) For CentOS/RHEL/Fedora:

# yum install logstash-6.1.0
  1.2) For Debian/Ubuntu:

# apt-get install logstash=1:6.1.0-1
  2. Download and set the Wazuh configuration for Logstash. Use the local configuration when Logstash runs on the Wazuh manager and reads alerts.json from disk, and the remote configuration when it receives the alerts from Filebeat:

  2.1) Local configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /etc/logstash/conf.d/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash

The usermod adds the logstash user to the ossec group so that it can read /var/ossec/logs/alerts/alerts.json; it is only needed for the local configuration.

  2.2) Remote configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /etc/logstash/conf.d/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-remote.conf
  3. Start Logstash:

# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service

Upgrade Kibana

  1. Upgrade Kibana:

  1.1) For CentOS/RHEL/Fedora:

# yum install kibana-6.1.0
  1.2) For Debian/Ubuntu:

# apt-get install kibana=6.1.0
  2. Remove the Wazuh Kibana App plugin from Kibana:

# /usr/share/kibana/bin/kibana-plugin remove wazuh
  3. Migrate .kibana from 5.x to 6.x:

The .kibana index (which holds the Kibana configuration) has changed drastically between 5.x and 6.x. Migrate it by following the official Elastic documentation before starting Kibana.

  4. Upgrade the Wazuh Kibana App:

  4.1) Increase the default Node.js heap memory limit to prevent out-of-memory errors when installing the Wazuh App. Set the limit as follows:

# export NODE_OPTIONS="--max-old-space-size=3072"

  4.2) Install the Wazuh App. kibana-plugin fetches the zip over HTTPS and does not check a signature on it, so install it only from packages.wazuh.com:

# rm -rf /usr/share/kibana/optimize/bundles
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
  5. Start Kibana:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Upgrade Filebeat

  1. Upgrade Filebeat:

  1.1) For CentOS/RHEL/Fedora:

# yum install filebeat-6.1.0
  1.2) For Debian/Ubuntu:

# apt-get install filebeat=6.1.0
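Once every package is upgraded, it is worth confirming that each component actually reports the version you asked for: a partial upgrade (one Elastic package left at 5.x, or a manager still on 2.x) is easier to spot here than after Kibana starts showing an empty dashboard. The script below is an added example, not part of the Wazuh or Elastic upgrade documentation. It assumes Elasticsearch is reachable unauthenticated on http://localhost:9200 and that the upgraded Wazuh package writes a VERSION="vX.Y.Z" line to /etc/ossec-init.conf (both assumptions, not stated on this page); the parsing helpers are pure string functions so they can be exercised without a live stack, and check_upgraded_stack ties them together against the real host.

```shell
#!/bin/sh
# Post-upgrade version check (added example; not Wazuh's or Elastic's tooling).
# Assumptions not stated on the page: Elasticsearch answers unauthenticated on
# http://localhost:9200, and the upgraded Wazuh manager/agent writes
# VERSION="vX.Y.Z" to /etc/ossec-init.conf.

EXPECTED_STACK=6.1.0   # the Elastic version pinned in the install commands above

# "number" field of the Elasticsearch root document:
# {"version":{"number":"6.1.0",...}} -> 6.1.0
es_version_from_json() {
    printf '%s' "$1" | sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p'
}

# Major component of a dotted version: 6.1.0 -> 6
major_of() {
    printf '%s' "$1" | cut -d. -f1
}

# VERSION="v3.0.0" line of /etc/ossec-init.conf -> 3.0.0 (the leading v is optional)
wazuh_version_from_init() {
    printf '%s\n' "$1" | sed -n 's/^VERSION="v\{0,1\}\([0-9][0-9.]*\)".*/\1/p'
}

# Succeeds only when every argument is the same version string.
all_same_version() {
    for v in "$@"; do
        [ "$v" = "$1" ] || return 1
    done
}

# Installed package version, normalised to X.Y.Z, for either package manager
# (strips the Debian epoch and revision, e.g. 1:6.1.0-1 -> 6.1.0).
pkg_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' "$1" 2>/dev/null | sed 's/^[0-9]*://; s/-.*$//'
    else
        rpm -q --qf '%{VERSION}' "$1" 2>/dev/null
    fi
}

# Live check against the upgraded host; prints the reason and fails on any mismatch.
check_upgraded_stack() {
    es_json=$(curl -s http://localhost:9200) || { echo "Elasticsearch is not reachable"; return 1; }
    es_ver=$(es_version_from_json "$es_json")
    [ "$(major_of "$es_ver")" = 6 ] \
        || { echo "Elasticsearch reports ${es_ver:-unknown}, expected 6.x"; return 1; }
    all_same_version "$EXPECTED_STACK" "$es_ver" \
        "$(pkg_version kibana)" "$(pkg_version logstash)" "$(pkg_version filebeat)" \
        || { echo "Elastic components are not all at $EXPECTED_STACK"; return 1; }
    wazuh_ver=$(wazuh_version_from_init "$(cat /etc/ossec-init.conf)")
    [ "$(major_of "$wazuh_ver")" = 3 ] \
        || { echo "Wazuh reports ${wazuh_ver:-unknown}, expected 3.x"; return 1; }
    # The alerts template loaded in the Elasticsearch step must be present too.
    curl -s -f -o /dev/null http://localhost:9200/_template/wazuh \
        || { echo "Wazuh alerts template is not loaded"; return 1; }
    echo "Elastic Stack $es_ver and Wazuh $wazuh_ver: OK"
}
```

Run check_upgraded_stack on the host that runs Elasticsearch and the Wazuh manager; on a host that only runs the agent, wazuh_version_from_init against /etc/ossec-init.conf is the part that applies.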

Official upgrade guides for the Elastic Stack:

Disable the Elasticsearch repository

We recommend disabling the Elasticsearch repository after the upgrade, so that a routine yum update or apt-get upgrade cannot pull in a newer Elastic Stack version with breaking changes for our App. Keep in mind that this also stops Elastic's own fixes from arriving through the package manager, so re-enable the repository deliberately when a newer version is supported. Do it as follows:

  1. For CentOS/RHEL/Fedora:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
  2. For Debian/Ubuntu:

# sed -i -r '/deb https:\/\/artifacts.elastic.co\/packages\/6.x\/apt stable main/ s/^(.*)$/#\1/g' /etc/apt/sources.list.d/elastic-6.x.list
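The repository edits on this page (the Wazuh 3.x source appended with tee -a in the agent and manager steps, and the sed that disables the Elastic repository just above) are one-shot commands: running tee -a a second time, or running it on a list file that still carries the 2.x line, leaves two Wazuh sources, and the apt sed will happily comment an already commented line again. The functions below do the same work idempotently and let you verify the result. They are an added example, not Wazuh's own tooling; the one assumption is that each function takes the target file as an argument so the whole thing can be rehearsed on a scratch copy before it touches /etc/apt/sources.list.d or /etc/yum.repos.d.

```shell
#!/bin/sh
# Idempotent repository edits for the upgrade (added example; not Wazuh's own
# tooling). Assumption not on the page: every function takes the target file
# as its argument, so it can be rehearsed on a scratch copy before being run
# against /etc/apt/sources.list.d/*.list or /etc/yum.repos.d/*.repo.

WAZUH_APT_LINE='deb https://packages.wazuh.com/3.x/apt/ stable main'
ELASTIC_APT_LINE='deb https://artifacts.elastic.co/packages/6.x/apt stable main'

# Replace every existing packages.wazuh.com entry with the 3.x line, so the
# list ends up with exactly one Wazuh source whether a 2.x line, or an earlier
# run of this function, was already there.
set_wazuh_apt_source() {
    file="$1"
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        # grep -v exits 1 when no line survives, which is a valid outcome here
        grep -v 'packages\.wazuh\.com' "$file" > "$tmp" || true
    fi
    printf '%s\n' "$WAZUH_APT_LINE" >> "$tmp"
    mv "$tmp" "$file"
}

# Write the Wazuh 3.x yum repository definition (same content as the page's cat).
set_wazuh_yum_repo() {
    cat > "$1" <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
}

# Succeeds only if the repo file forces signature checks and never relaxes them.
yum_repo_requires_gpg() {
    grep -q '^gpgcheck=1$' "$1" && ! grep -q '^gpgcheck=0$' "$1"
}

# Turn every enabled section in a yum repo file off (what the page's sed does).
disable_yum_repo() {
    sed -i 's/^enabled=1$/enabled=0/' "$1"
}

# Comment out the Elastic 6.x apt line. The anchored pattern does not match a
# line that already starts with '#', so running this twice is harmless.
comment_elastic_apt_source() {
    sed -i "s|^${ELASTIC_APT_LINE}\$|# &|" "$1"
}

# Number of active (uncommented) deb lines in an apt list that mention a host.
active_sources() {
    grep -c "^deb .*$2" "$1" || true   # grep -c prints 0 but exits 1 on no match
}
```

Rehearse on copies first; once the counts look right, point set_wazuh_apt_source at /etc/apt/sources.list.d/wazuh.list and comment_elastic_apt_source at /etc/apt/sources.list.d/elastic-6.x.list and the result is the same as the page's commands on a clean file.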

Reindexing your previous alerts

A reindex can be a complex process depending on how big your dataset is. Do it only if you need to visualize alerts generated before the upgrade in your Kibana environment.

Wazuh 3.x changes the structure of its alerts: the new alerts carry more information for the end user, which is why Wazuh 3.x uses different indices and templates than Wazuh 2.x.

For that reason, you will not be able to see the previous alerts in Kibana. If you need to access them there, you will have to reindex the previous indices into the new structure.

The Wazuh team is currently working on a reindex script to accomplish this process.

Note

Not reindexing the alerts does not mean that they disappear: they remain stored in Elasticsearch, in the old indices, and on the Wazuh manager.