Upgrading Elastic Stack server

Although Wazuh v2.x is compatible with both Elastic Stack 2.x and 5.x, it is recommended that version 5.x be installed because the Wazuh Kibana App is not compatible with Elastic Stack 2.X. In any case, here is a brief description of the upgrade process, no matter which version of the cluster you decide to use.

  1. Keep using Elastic Stack 2.x

  2. Upgrade from Elastic Stack 2.x to 5.x

Keep using Elastic Stack 2.x

In this scenario, simply configure Logstash to receive data from Filebeat (or directly read alerts generated by Wazuh server for a single-host architecture) and feed Elasticsearch using the Wazuh alerts template:

Configure Logstash

  1. Download the new logstash configuration:

# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/2.1/extensions/logstash/01-wazuh.conf
# curl -so /etc/logstash/wazuh-elastic2-template.json https://raw.githubusercontent.com/wazuh/wazuh/2.1/extensions/elasticsearch/wazuh-elastic2-template.json
  1. In the output section of /etc/logstash/conf.d/01-wazuh.conf, comment the line for elastic5-template and uncomment the line for elastic2-template:

output {
  elasticsearch {
  hosts => ["localhost:9200"]
  index => "wazuh-alerts-%{+YYYY.MM.dd}"
  document_type => "wazuh"
        #      template => "/etc/logstash/wazuh-elastic5-template.json"
              template => "/etc/logstash/wazuh-elastic2-template.json"
              template_name => "wazuh"
              template_overwrite => true
        }
}
  1. If you are using a **single-host architecture* (where Wazuh server is running with Elastic Stack on the same host), edit /etc/logstash/conf.d/01-wazuh.conf commenting out the entire input section titled Remote Wazuh server - Filebeat input and uncommenting the entire input section titled Local Wazuh server - JSON file input:

# Wazuh - Logstash configuration file
## Remote Wazuh server - Filebeat input
#input {
#beats {
#      port => 5000
#      codec => "json_lines"
#      ssl => true
#      ssl_certificate => "/etc/logstash/logstash.crt"
#      ssl_key => "/etc/logstash/logstash.key"
#  }
#}
# Local Wazuh server - JSON file input
input {
    file {
        type => "wazuh-alerts"
        path => "/var/ossec/logs/alerts/alerts.json"
        codec => "json"
    }
}
...

The above configuration will setup Logstash to read the Wazuh alerts.json file directly from the local filesystem rather than receive forwarded data from Filebeat.

Configure Kibana

Next, in order to display Wazuh alerts data, configure the Kibana index pattern.

  1. Go to Settings and configure a new wildcard:

  1. Set wazuh-* as the index pattern and choose timestamp as time field. Then, click on create:

  1. Set this as the default wildcard by clicking on the Star:

  1. Go to the Discover tab in order to visualize the alerts data.

Upgrade from Elastic Stack 2.x to 5.x

Follow these steps to upgrade your Elastic Stack cluster to version 5.X:

  1. Stop Logstash, Elasticsearch and Kibana:

  1. For Systemd:

# systemctl stop logstash.service
# systemctl stop elasticsearch.service
# systemctl stop kibana.service
  1. For SysV Init:

# service logstash stop
# service elasticsearch stop
# service kibana stop
  1. Remove the old Logstash configuration and template files:

For single-host architectures (Wazuh server and Elastic Stack running on the same system):

# rm /etc/logstash/conf.d/01-ossec-singlehost.conf
# rm /etc/logstash/elastic-ossec-template.json

For distributed architectures (Elastic Stack standalone server):

# rm /etc/logstash/conf.d/01-ossec.conf
# rm /etc/logstash/elastic-ossec-template.json
  1. Remove deprecated settings from configuration file:

Removing deprecated settings on Elasticsearch will avoid errors and conflicts after the upgrade. To do this, comment the following lines on your /etc/elasticsearch/elasticsearch.yml file:

index.number_of_shards: 1
index.number_of_replicas: 0

ES_HEAP_SIZE option is now deprecated. You should remove or comment out this option in your /etc/sysconfig/elasticsearch file:

# ES_HEAP_SIZE - Set it to half your system RAM memory
ES_HEAP_SIZE=8g

Now you can go ahead and configure Elasticsearch following the Elastic jvm.options guide

  1. At this point, you are ready to install the new version of Elastic Stack. Follow the appropriate link below for installation instructions for your specific operating system:

  2. Following this installation, check the software version of the Elasticsearch components to verify that everything updated as expected:

  1. For Logstash:

# /usr/share/logstash/bin/logstash -V
logstash 5.2.2
  1. For Elasticsearch:

# /usr/share/elasticsearch/bin/elasticsearch -V
Version: 5.2.2, Build: f9d9b74/2017-02-24T17:26:45.835Z, JVM: 1.8.0_60
  1. For Kibana:

# /usr/share/kibana/bin/kibana -V
5.2.

Note

Wazuh v2.x uses different indices and templates than Wazuh v1.x, so you will not be able to see the previous alerts using Kibana. In order to access these alerts, you will have to reindex the previous indices.