Upgrade from different major version
The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x (which implies upgrading from Elastic Stack 5.x to 6.x).
Upgrade Wazuh agent
Stop the service:
# systemctl stop wazuh-agent
Add the new repository for Wazuh 3.x.
For CentOS/RHEL/Fedora:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For Debian/Ubuntu:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Upgrade the agent.
Upgrade Wazuh agent on CentOS/RHEL/Fedora:
# yum install wazuh-agent
Upgrade Wazuh agent on Debian/Ubuntu:
# apt-get update
# apt-get install wazuh-agent
Upgrade Wazuh manager
Stop services:
# systemctl stop wazuh-api
# systemctl stop wazuh-manager
Add the new repository for Wazuh 3.x.
For CentOS/RHEL/Fedora:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For Debian/Ubuntu:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Upgrade the manager.
Upgrade Wazuh manager on CentOS/RHEL/Fedora:
# yum install wazuh-manager
Upgrade Wazuh manager on Debian/Ubuntu:
# apt-get update
# apt-get install wazuh-manager
Upgrade the API.
Upgrade Wazuh API on CentOS/RHEL/Fedora:
# yum install wazuh-api
Upgrade Wazuh API on Debian/Ubuntu:
# apt-get install wazuh-api
Prepare Elastic Stack
Stop services:
# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
Add the new repository for Elastic Stack 6.x:
For CentOS/RHEL/Fedora:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
For Debian/Ubuntu:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
Upgrade Elasticsearch
Note
Since you are upgrading to a different major version of Elasticsearch, back up /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/jvm.options before upgrading Elasticsearch, so that you can compare your current settings against the new 6.x defaults. Check https://www.elastic.co/guide/en/elasticsearch/reference/6.x/index.html for more information.
Update Elasticsearch:
For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.1.0
For Debian/Ubuntu:
# apt-get update
# apt-get install elasticsearch=6.1.0
Start Elasticsearch:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
Load the Wazuh Elasticsearch templates. Each call should answer {"acknowledged":true}; any other response means the template was not installed and the new indices will be created with default mappings:
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://localhost:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
Insert a sample alert in Elasticsearch (the response should report "result":"created"):
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://localhost:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
Upgrade Logstash
Upgrade Logstash:
For CentOS/RHEL/Fedora:
# yum install logstash-6.1.0
For Debian/Ubuntu:
# apt-get install logstash=1:6.1.0-1
Download and set the Wazuh configuration for Logstash:
Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /etc/logstash/conf.d/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /etc/logstash/conf.d/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/logstash/01-wazuh-remote.conf
Start Logstash:
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service
Upgrade Kibana
Upgrade Kibana:
For CentOS/RHEL/Fedora:
# yum install kibana-6.1.0
For Debian/Ubuntu:
# apt-get install kibana=6.1.0
Remove the Wazuh Kibana App plugin from Kibana:
# /usr/share/kibana/bin/kibana-plugin remove wazuh
Migrate .kibana from 5.x to 6.x:
The .kibana index (which holds Kibana's configuration and saved objects) changed substantially in 6.0 and must be migrated before Kibana 6.x will use it. Follow the official documentation:
Migrating the Kibana index to 6.0: https://www.elastic.co/guide/en/kibana/6.x/migrating-6.0-index.html
Upgrade Wazuh Kibana App:
Increase the default Node.js heap memory limit to prevent out-of-memory errors when installing the Wazuh app. Set the limit as follows:
# export NODE_OPTIONS="--max-old-space-size=3072"
Install the Wazuh app:
# rm -rf /usr/share/kibana/optimize/bundles
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip
Start Kibana:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
Upgrade Filebeat
Upgrade Filebeat:
For CentOS/RHEL/Fedora:
# yum install filebeat-6.1.0
For Debian/Ubuntu:
# apt-get install filebeat=6.1.0
Official Upgrading guides for Elastic Stack:
Upgrading Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-upgrade.html
Upgrading Logstash: https://www.elastic.co/guide/en/logstash/current/upgrading-logstash.html
Upgrading Kibana: https://www.elastic.co/guide/en/kibana/current/upgrade.html
Upgrading Filebeat: https://www.elastic.co/guide/en/beats/libbeat/6.0/upgrading.html
Disable the Elasticsearch repository
We recommend disabling the Elasticsearch repository to prevent an unintended upgrade to a newer Elastic Stack version, which may contain breaking changes for our app. Note that this also holds back 6.x patch releases, so re-enable the repository when you deliberately upgrade. Disable it as follows:
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i -r '/deb https:\/\/artifacts.elastic.co\/packages\/6.x\/apt stable main/ s/^(.*)$/#\1/g' /etc/apt/sources.list.d/elastic-6.x.list
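The following script is an added example, not part of the Wazuh documentation. It wraps the two sed commands above in idempotent helpers (the apt pattern on this page also matches an already commented line, so running it twice stacks "#" characters) and verifies afterwards that neither repository is still active. It runs against constructed copies of the two repository files in a temporary directory; the function names and the temporary paths are assumptions, the real files being /etc/yum.repos.d/elastic.repo and /etc/apt/sources.list.d/elastic-6.x.list.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): disable the Elastic 6.x repository
# idempotently and verify the result. Runs on constructed copies of the repo
# files in a temp directory; function names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
YUM_REPO="$WORK/elastic.repo"
APT_LIST="$WORK/elastic-6.x.list"
APT_LINE='deb https://artifacts.elastic.co/packages/6.x/apt stable main'

# Constructed sample: the yum repo definition written in "Prepare Elastic Stack".
cat > "$YUM_REPO" <<EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

# Constructed sample: the apt source list from the same step.
printf '%s\n' "$APT_LINE" > "$APT_LIST"

# Rewrite a file in place without relying on the GNU-only `sed -i`.
sed_inplace() {
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Disable every enabled section in a yum repo file. The pattern is anchored to
# the whole line, so a second run matches nothing and changes nothing.
disable_yum_repo() {
    sed_inplace 's/^enabled=1$/enabled=0/' "$1"
}

# Comment out one exact apt source line. Only an uncommented line matches,
# so a second run does not add another "#".
disable_apt_source() {
    sed_inplace "s|^$2\$|# &|" "$1"
}

# Exit 0 while the yum repo still has an enabled section.
yum_repo_enabled() {
    grep -q '^enabled=1$' "$1"
}

# Exit 0 while the exact apt source line is still active (whole line, fixed string).
apt_source_active() {
    grep -qxF "$2" "$1"
}

# Disable both repositories, then confirm neither is active any more.
disable_elastic_repos() {
    disable_yum_repo "$1"
    disable_apt_source "$2" "$3"
    ! yum_repo_enabled "$1" && ! apt_source_active "$2" "$3"
}

# Run twice: the second pass must be a no-op.
disable_elastic_repos "$YUM_REPO" "$APT_LIST" "$APT_LINE"
disable_elastic_repos "$YUM_REPO" "$APT_LIST" "$APT_LINE"

echo "yum repo:"; cat "$YUM_REPO"
echo "apt source:"; cat "$APT_LIST"
```

To re-enable the repository for a deliberate upgrade, reverse the two substitutions (enabled=0 back to enabled=1, and strip the leading "# " from the apt line), then run yum or apt-get update before installing the pinned versions.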
Reindexing your previous alerts
Reindexing can be a complex process depending on the size of your dataset. Do it only if you need to visualize alerts generated before the upgrade in your Kibana environment.
Wazuh 3.x changed the alert structure: the new alerts carry more information for the end user, which is why Wazuh 3.x uses different indices and templates than Wazuh 2.x.
As a result, alerts indexed before the upgrade are not visible in Kibana. If you need to access them, you will have to reindex the previous indices.
The Wazuh team is currently working on a reindex script to accomplish this process.
Note
Not reindexing alerts doesn't mean that they will disappear: they remain stored in Elasticsearch and on the Wazuh manager.