Upgrading Elastic Stack from 6.x to 6.8

Prepare the Elastic Stack

  1. Stop the services:
# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana
  2. If the Elastic Stack 6.x repository was disabled after the initial installation, enable it again:
  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
    
  • For Debian/Ubuntu:

    # sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    
  • For openSUSE:

    # sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo
    

Upgrade Elasticsearch

  1. Disable shard allocation
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
  2. (Optional) Stop non-essential indexing and perform a synced flush.
curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node.
# systemctl stop elasticsearch
  4. Upgrade the node you shut down.
  • For CentOS/RHEL/Fedora:

    # yum install elasticsearch-6.8.7
    
  • For Debian/Ubuntu:

    # apt-get install elasticsearch=6.8.7
    # systemctl restart elasticsearch
    
  5. Restart the service.
# systemctl daemon-reload
# systemctl restart elasticsearch
  6. Start the newly upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
  7. Re-enable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
  8. Before upgrading the next node, wait for the cluster to finish shard allocation.
curl -X GET "localhost:9200/_cat/health?v"
  9. Repeat steps 1 to 8 for every Elasticsearch node.
  10. Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
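The rolling-upgrade loop above repeats the same two checks on every node: that the restarted node rejoined at the new version (_cat/nodes) and that shard allocation has settled before the next node is stopped (_cat/health). The following helper, an added example that is not Wazuh or Elastic code, encodes both checks plus the allocation-setting body; it assumes the node answers on http://localhost:9200 without authentication, and the sample responses are constructed for offline use.

```python
"""Checks for the Elasticsearch rolling upgrade (added example, not Wazuh/Elastic code)."""
import json
import urllib.request

ES_URL = "http://localhost:9200"  # assumption: same endpoint as the curl commands above

# Constructed sample of: GET _cat/nodes?v&h=name,version,node.role,master
SAMPLE_NODES = """name      version node.role master
es-node-1 6.8.7   mdi       *
es-node-2 6.7.2   mdi       -
es-node-3 6.8.7   mdi       -
"""

# Constructed sample of: GET _cat/health?v (cluster still moving shards)
SAMPLE_HEALTH = """epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1585000000 21:06:40  wazuh   yellow 3          3         26     15  0    2    4        0             -                  86.6%
"""


def allocation_body(enable):
    """Body for PUT _cluster/settings: "primaries" before stopping a node, None to reset."""
    return json.dumps({"persistent": {"cluster.routing.allocation.enable": enable}})


def parse_cat(text):
    """Turn a _cat/* response that includes the header row (?v) into a list of row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def nodes_not_at(nodes, version):
    """Names of nodes still reporting a version other than the target one."""
    return [n["name"] for n in nodes if n["version"] != version]


def cluster_settled(health):
    """True once status is green and no shards are relocating, initializing or unassigned."""
    h = health[0]
    return h["status"] == "green" and all(h[k] == "0" for k in ("relo", "init", "unassign"))


def cat(path):
    """GET a _cat endpoint from the live cluster (only used when run directly)."""
    with urllib.request.urlopen(f"{ES_URL}/_cat/{path}", timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    live_nodes = parse_cat(cat("nodes?v&h=name,version,node.role,master"))
    print("nodes not yet on 6.8.7:", nodes_not_at(live_nodes, "6.8.7"))
    print("safe to stop the next node:", cluster_settled(parse_cat(cat("health?v"))))
```

Run it between steps 8 and 9 on each node; an empty "not yet on 6.8.7" list after the last node is the signal to move on to the template load.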

Upgrade Logstash

  1. Upgrade the logstash package:
  • For CentOS/RHEL/Fedora:
# yum install logstash-6.8.7
  • For Debian/Ubuntu:
# apt-get install logstash=1:6.8.7-1
  2. Download and set the Wazuh configuration for Logstash:
  • Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/logstash/6.x/01-wazuh-local.conf
# usermod -a -G ossec logstash
  • Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/logstash/6.x/01-wazuh-remote.conf
  3. Start the Logstash service:
# systemctl daemon-reload
# systemctl start logstash.service

Upgrade Filebeat

  1. Upgrade Filebeat.
  • For CentOS/RHEL/Fedora:

    # yum install filebeat-6.8.7
    
  • For Debian/Ubuntu:

    # apt-get install filebeat=6.8.7
    
  2. Update the configuration file.
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/filebeat/6.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  3. Restart Filebeat.
# systemctl daemon-reload
# systemctl restart filebeat

Upgrade Kibana

  1. Upgrade the kibana package:
  • For CentOS/RHEL/Fedora:
# yum install kibana-6.8.7
  • For Debian/Ubuntu:
# apt-get install kibana=6.8.7
  2. Uninstall the Wazuh app from Kibana:
     1. Update file permissions. This avoids several errors that otherwise appear when the app is updated:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
     2. Remove the Wazuh app:
# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin remove wazuh
  3. Upgrade the Wazuh app:
  • Install from URL:
# cd /usr/share/kibana/
# rm -rf optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.4_6.8.7.zip
  • Install from the package:
# cd /usr/share/kibana/
# rm -rf optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install file:///path/wazuhapp-3.11.4_6.8.7.zip

Warning

The Wazuh app installation process may take several minutes. Please wait patiently.

  4. Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Disabling repositories

  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    
  • For Debian/Ubuntu:

    # sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    

    Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).

    # echo "elasticsearch hold" | sudo dpkg --set-selections
    # echo "kibana hold" | sudo dpkg --set-selections
    
  • For openSUSE:

    # sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo