Upgrading Elastic Stack from 7.x to 7.y

Prepare the Elastic Stack

  1. Stop the services:

    # systemctl stop filebeat
    # systemctl stop kibana
  2. Add the new repository for Elastic Stack 7.x:

    • For CentOS/RHEL/Fedora:

      # rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
      # cat > /etc/yum.repos.d/elastic.repo << EOF
      [elasticsearch-7.x]
      name=Elasticsearch repository for 7.x packages
      baseurl=https://artifacts.elastic.co/packages/7.x/yum
      gpgcheck=1
      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
      enabled=1
      EOF
    • For Debian/Ubuntu:

      # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
      # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

Upgrade Elasticsearch

  1. Disable shard allocation

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
  2. (Optional) Stop non-essential indexing and perform a synced flush, so that the node's shards recover faster when it rejoins the cluster.

    curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node.

    # systemctl stop elasticsearch
  4. Upgrade the node you shut down.

    • For CentOS/RHEL/Fedora:

      # yum install elasticsearch-7.5.1
    • For Debian/Ubuntu:

      # apt-get install elasticsearch=7.5.1
      # systemctl restart elasticsearch
  5. Restart the service.

    # systemctl daemon-reload
    # systemctl restart elasticsearch
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "localhost:9200/_cat/nodes"
  7. Re-enable shard allocation.

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": null
      }
    }
    '
  8. Before upgrading the next node, wait for the cluster to finish shard allocation.

    curl -X GET "localhost:9200/_cat/health?v"
  9. Repeat steps 1 to 8 for every Elasticsearch node, one node at a time.
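The nine steps above as one shell script, added here as an example; it is not code from the Wazuh documentation or from the Elastic packages. ES_HOST, ES_VERSION, NODE_NAME and ES_UPGRADE_RUN are assumed variable names, and the package install assumes either yum or apt-get as in step 4. The HTTP calls are the page's own _cluster/settings, _flush/synced, _cat/nodes and _cat/health requests; the helpers that build the request body and parse the _cat output can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not part of the Wazuh page: the per-node Elasticsearch
# rolling-upgrade cycle as a script. ES_HOST, ES_VERSION, NODE_NAME and
# ES_UPGRADE_RUN are assumed variable names.
set -e
ES_HOST="${ES_HOST:-http://localhost:9200}"
ES_VERSION="${ES_VERSION:-7.5.1}"
NODE_NAME="${NODE_NAME:-$(hostname)}"   # node.name defaults to the hostname

# JSON body for _cluster/settings: "null" resets the setting to its default
# (step 7); any other value is written as a string (step 1 uses "primaries").
allocation_body() {
  if [ "$1" = "null" ]; then
    printf '{"persistent":{"cluster.routing.allocation.enable":null}}'
  else
    printf '{"persistent":{"cluster.routing.allocation.enable":"%s"}}' "$1"
  fi
}

# $1 is one line of "_cat/health?h=status,relo,init", e.g. "green 0 0".
# Returns 0 when nothing is relocating or initializing and the cluster is
# not red. Yellow is accepted on purpose: while versions are mixed, a replica
# of a primary that already sits on an upgraded node cannot be placed on an
# old-version node, so the cluster may stay yellow until the last node is done.
shards_settled() {
  set -- $1                      # unquoted on purpose: split the columns
  [ "$1" != "red" ] && [ "$2" -eq 0 ] 2>/dev/null && [ "$3" -eq 0 ] 2>/dev/null
}

# $1 = node name, $2 = "_cat/nodes?h=name" output, one name per line (step 6).
node_joined() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Poll _cat/health until allocation has finished (step 8).
wait_for_allocation() {
  until shards_settled "$(curl -sf "$ES_HOST/_cat/health?h=status,relo,init")"; do
    sleep 5
  done
}

# Pinned install with whichever package manager the host has (step 4).
install_elasticsearch() {
  if command -v yum >/dev/null 2>&1; then
    yum install -y "elasticsearch-$ES_VERSION"
  else
    apt-get install -y "elasticsearch=$ES_VERSION"
  fi
}

# Steps 1 to 8 for the node this script runs on. curl -f makes a rejected
# settings change abort the script instead of silently continuing.
upgrade_local_node() {
  curl -sf -X PUT "$ES_HOST/_cluster/settings" -H 'Content-Type: application/json' \
    -d "$(allocation_body primaries)"
  curl -s -X POST "$ES_HOST/_flush/synced"   # optional; a partial flush is not fatal
  systemctl stop elasticsearch
  install_elasticsearch
  systemctl daemon-reload
  systemctl restart elasticsearch
  until node_joined "$NODE_NAME" "$(curl -sf "$ES_HOST/_cat/nodes?h=name")"; do
    sleep 5
  done
  curl -sf -X PUT "$ES_HOST/_cluster/settings" -H 'Content-Type: application/json' \
    -d "$(allocation_body null)"
  wait_for_allocation
}

# Only touch a real cluster when asked, so the helpers above can be sourced
# and checked on their own.
if [ "${ES_UPGRADE_RUN:-0}" = "1" ]; then
  upgrade_local_node
fi
```

Run it on one node at a time (for instance `ES_UPGRADE_RUN=1 ES_VERSION=7.5.1 sh upgrade-node.sh`, with an assumed file name) and start the next node only after the script has exited successfully, since it re-enables allocation and waits for shards to settle before returning. The join check matches on node.name, which defaults to the hostname; set NODE_NAME when the cluster uses explicit node names.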

Upgrade Filebeat

  1. Upgrade Filebeat.

    • For CentOS/RHEL/Fedora:

      # yum install filebeat-7.5.1
    • For Debian/Ubuntu:

      # apt-get install filebeat=7.5.1
  2. Update the configuration file.

    # cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.10.2/extensions/filebeat/7.x/filebeat.yml
    # chmod go+r /etc/filebeat/filebeat.yml
  3. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  4. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:

    output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  5. Restart Filebeat.

    # systemctl daemon-reload
    # systemctl restart filebeat
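Step 4 above is a manual edit, and a placeholder left behind only shows up in the Filebeat log after the restart in step 5. The script below, added here as an example and not taken from the Wazuh documentation, makes the edit, checks that no placeholder remains and lets Filebeat validate the file before anything is restarted. FILEBEAT_YML, ELASTIC_HOST and the function names are assumed; `filebeat test config` and `filebeat test output` are Filebeat's own self-checks, and the sample file in `dry_run` is constructed for the example, not the file fetched in step 2.

```shell
#!/bin/sh
# Added example, not part of the Wazuh page: applies step 4 to filebeat.yml
# and verifies the result before Filebeat is restarted. FILEBEAT_YML and
# ELASTIC_HOST are assumed variable names.
set -e
FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"
PLACEHOLDER="YOUR_ELASTIC_SERVER_IP"

# Replace the placeholder in file $1 with host $2. The result goes to a
# temporary file first and is moved into place, so an interrupted run never
# leaves a half-written config for Filebeat to read.
set_elastic_host() {
  sed "s|$PLACEHOLDER|$2|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed only if no placeholder is left in file $1.
check_no_placeholder() {
  ! grep -q "$PLACEHOLDER" "$1"
}

# The output hosts line of file $1, for a final visual check.
elastic_hosts_line() {
  grep '^output.elasticsearch.hosts:' "$1"
}

# Dry run on a constructed three-line sample (not the real Wazuh file):
# returns the rewritten hosts line so the edit can be verified offline.
dry_run() {
  sample=$(mktemp)
  printf "filebeat.modules:\n  - module: wazuh\noutput.elasticsearch.hosts: ['http://%s:9200']\n" \
    "$PLACEHOLDER" > "$sample"
  set_elastic_host "$sample" "$1"
  check_no_placeholder "$sample"
  elastic_hosts_line "$sample"
  rm -f "$sample" "$sample.tmp"
}

# Real run: back up, rewrite, then let Filebeat parse the file and try to
# reach the configured output before the service is restarted.
apply_and_verify() {
  cp "$FILEBEAT_YML" "$FILEBEAT_YML.backup"
  set_elastic_host "$FILEBEAT_YML" "$1"
  check_no_placeholder "$FILEBEAT_YML"
  filebeat test config -c "$FILEBEAT_YML"
  filebeat test output -c "$FILEBEAT_YML"
}

# Only touch the real file when a host is given, so the helpers can be
# sourced and checked on their own.
if [ -n "${ELASTIC_HOST:-}" ]; then
  apply_and_verify "$ELASTIC_HOST"
fi
```

Run it as `ELASTIC_HOST=10.0.0.5 sh set-filebeat-host.sh` (assumed file name) between steps 4 and 5; `filebeat test output` actually connects to the Elasticsearch host, so a wrong address or a closed port is reported here rather than in the Filebeat log after the restart. Because `mv` creates a fresh file, the mode comes from the umask; the `chmod go+r` from step 2 makes the file readable by every local account, so keep credentials out of it or tighten the mode if the output section later gains a username and password.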

Upgrade Kibana

  1. Remove the Wazuh app.

    # /usr/share/kibana/bin/kibana-plugin remove wazuh
  2. Upgrade Kibana.

    • For CentOS/RHEL/Fedora:

      # yum install kibana-7.5.1
    • For Debian/Ubuntu:

      # apt-get install kibana=7.5.1
  3. Install the Wazuh app.

    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.10.2_7.5.1.zip
  4. Restart Kibana.

    # systemctl daemon-reload
    # systemctl restart kibana