Upgrading Elastic Stack from 7.x to 7.y

Prepare the Elastic Stack

  1. Stop the services:

    # systemctl stop filebeat
    # systemctl stop kibana
    
  2. Add the new repository for Elastic Stack 7.x:

    • For CentOS/RHEL/Fedora:

      # rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
      # cat > /etc/yum.repos.d/elastic.repo << EOF
      [elasticsearch-7.x]
      name=Elasticsearch repository for 7.x packages
      baseurl=https://artifacts.elastic.co/packages/7.x/yum
      gpgcheck=1
      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
      enabled=1
      autorefresh=1
      type=rpm-md
      EOF
      
    • For Debian/Ubuntu:

      # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
      # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
      

Upgrade Elasticsearch

  1. Disable shard allocation

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
    
  2. (Optional) Stop non-essential indexing and perform a synced flush.

    curl -X POST "localhost:9200/_flush/synced"
    
  3. Shut down a single node.

    # systemctl stop elasticsearch
    
  4. Upgrade the node you shut down.

    • For CentOS/RHEL/Fedora:

      # yum install elasticsearch-7.5.1
      
    • For Debian/Ubuntu:

      # apt-get install elasticsearch=7.5.1
      # systemctl restart elasticsearch
      
  5. Restart the service.

    # systemctl daemon-reload
    # systemctl restart elasticsearch
    
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "localhost:9200/_cat/nodes"
    
  7. Re-enable shard allocation.

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": null
      }
    }
    '
    
  8. Before upgrading the next node, wait for the cluster to finish shard allocation.

    curl -X GET "localhost:9200/_cat/health?v"
    
  9. Repeat these steps for every remaining Elasticsearch node.
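
To make the checks in steps 6 and 8 scriptable instead of reading the tables by eye, here is an added shell example (not part of the Wazuh documentation) that parses `_cat/nodes?v` and `_cat/health?v` output; the sample responses, cluster name and node names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the Wazuh documentation. Constructed sample
# responses stand in for live output; in practice feed the functions the
# output of the curl commands shown in steps 6 and 8.

# Constructed `_cat/health?v` responses: one mid-recovery, one settled.
SAMPLE_HEALTH_BUSY='epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1576500000 12:00:00  wazuh   yellow          3         3     40  20    0    2        4             0                  -                 86.9%'
SAMPLE_HEALTH_READY='epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1576500120 12:02:00  wazuh   green           3         3     46  23    0    0        0             0                  -                100.0%'

# Constructed `_cat/nodes?v` response for a three-node cluster.
SAMPLE_NODES='ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.11           35          82   3    0.10    0.15     0.20 dilm      -      es-node-1
10.0.0.12           41          79   2    0.08    0.11     0.17 dilm      *      es-node-2
10.0.0.13           29          80   4    0.20    0.18     0.16 dilm      -      es-node-3'

# cluster_ready HEALTH_OUTPUT
# Succeeds only when status is green and no shards are relocating,
# initialising or unassigned (step 8). Columns are located by header
# name, so the check does not depend on column order.
cluster_ready() {
  printf '%s\n' "$1" | awk '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NR == 2 { ok = ($col["status"] == "green" && $col["relo"] == 0 &&
                    $col["init"] == 0 && $col["unassign"] == 0) }
    END { exit !ok }'
}

# node_joined NODES_OUTPUT NODE_NAME
# Succeeds when NODE_NAME is listed in the `name` column (step 6).
node_joined() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["name"] == want { found = 1 }
    END { exit !found }'
}

# Live wrapper: exit 0 only when the upgraded node is back and the cluster
# has finished reallocating, i.e. it is safe to shut down the next node.
next_node_safe() {
  node_joined "$(curl -s 'localhost:9200/_cat/nodes?v')" "$1" &&
    cluster_ready "$(curl -s 'localhost:9200/_cat/health?v')"
}
```

Call `next_node_safe es-node-2` (or whatever the upgraded node's name is) in a loop with a short sleep between attempts, and proceed to the next node only once it exits 0.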

Upgrade Filebeat

  1. Upgrade Filebeat.

    • For CentOS/RHEL/Fedora:

      # yum install filebeat-7.5.1
      
    • For Debian/Ubuntu:

      # apt-get install filebeat=7.5.1
      
  2. Update the configuration file.

    # cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.10.2/extensions/filebeat/7.x/filebeat.yml
    # chmod go+r /etc/filebeat/filebeat.yml
    
  3. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
    
  4. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:

    output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
    
  5. Restart Filebeat.

    # systemctl daemon-reload
    # systemctl restart filebeat
    

Upgrade Kibana

  1. Remove the Wazuh app.

    # /usr/share/kibana/bin/kibana-plugin remove wazuh
    
  2. Upgrade Kibana.

    • For CentOS/RHEL/Fedora:

      # yum install kibana-7.5.1
      
    • For Debian/Ubuntu:

      # apt-get install kibana=7.5.1
      
  3. Install the Wazuh app.

    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.10.2_7.5.1.zip
    
  4. Restart Kibana.

    # systemctl daemon-reload
    # systemctl restart kibana