This is the documentation for Wazuh 3.11. Check out the docs for the latest version of Wazuh!

Upgrading Elastic Stack from 6.x to 6.8

Prepare the Elastic Stack

  1. Stop the services:
# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana
  2. If the Elastic Stack 6.x repository was disabled, enable it again:
  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
    
  • For Debian/Ubuntu:

    # sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    
  • For openSUSE:

    # sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo
    

Upgrade Elasticsearch

  1. Disable shard allocation:
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
  2. Stop non-essential indexing and perform a synced flush (optional):
curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node:
# systemctl stop elasticsearch
  4. Upgrade the node you shut down:
  • For CentOS/RHEL/Fedora:

    # yum install elasticsearch-6.8.7
    
  • For Debian/Ubuntu:

    # apt-get install elasticsearch=6.8.7
    # systemctl restart elasticsearch
    
  5. Restart the service:
# systemctl daemon-reload
# systemctl restart elasticsearch
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
  7. Re-enable shard allocation:
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
  8. Before upgrading the next node, wait for the cluster to finish shard allocation:
curl -X GET "localhost:9200/_cat/health?v"
  9. Repeat these steps for every Elasticsearch node.
  10. Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
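As an added example (not from the Wazuh documentation), the two manual checks in the node loop above, the _cat/nodes lookup and the _cat/health?v wait, as POSIX shell functions that parse the Elasticsearch 6.x output, so the next node is only taken down once the previous one has rejoined and shard allocation has settled. ES_URL and the node names are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example for this page, not part of the Wazuh docs: gate each step of
# the rolling upgrade on the cluster state instead of eyeballing curl output.
# ES_URL is an assumed variable; the default matches the docs' localhost:9200.
ES_URL="${ES_URL:-http://localhost:9200}"

# cluster_ready HEALTH_TEXT
# Succeeds only when _cat/health?v shows a green cluster with no relocating,
# initializing or unassigned shards, i.e. allocation has really finished.
cluster_ready() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NR == 2 { ok = ($(col["status"]) == "green" && $(col["relo"]) == 0 &&
                        $(col["init"]) == 0 && $(col["unassign"]) == 0) }
        END { exit (ok ? 0 : 1) }'
}

# node_joined NODES_TEXT NODE_NAME
# Succeeds when NODE_NAME is listed by _cat/nodes (node name is the last column).
node_joined() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# wait_for_cluster NODE_NAME
# Polls the live cluster: first until the upgraded node is back, then until
# shard allocation has settled, so the following node can be shut down safely.
wait_for_cluster() {
    until node_joined "$(curl -s "$ES_URL/_cat/nodes")" "$1"; do
        echo "waiting for $1 to rejoin the cluster" >&2; sleep 10
    done
    until cluster_ready "$(curl -s "$ES_URL/_cat/health?v")"; do
        echo "waiting for shard allocation to finish" >&2; sleep 10
    done
}

# Constructed sample output in the Elasticsearch 6.x _cat layout (no cluster needed).
HEALTH_RECOVERING='epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1583939700 15:15:00  wazuh   yellow          2         2      8   5    0    1        2             0                  -                 62.5%'
HEALTH_SETTLED='epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1583939760 15:16:00  wazuh   green           2         2     10   5    0    0        0             0                  -                100.0%'
NODES_SAMPLE='10.0.0.11 45 80 3 0.10 0.20 0.15 mdi - es-node-2
10.0.0.10 52 85 4 0.30 0.25 0.20 mdi * es-node-1'
```

In the loop above, run `wait_for_cluster <node-name>` after restarting each node and before shutting down the next one.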

Upgrade Logstash

  1. Upgrade the logstash package:
  • For CentOS/RHEL/Fedora:

    # yum install logstash-6.8.7
    
  • For Debian/Ubuntu:

    # apt-get install logstash=1:6.8.7-1
    
  2. Download and set the Wazuh configuration for Logstash:
  • Local configuration:

    # cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
    # curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/logstash/6.x/01-wazuh-local.conf
    # usermod -a -G ossec logstash
    
  • Remote configuration:

    # cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
    # curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/logstash/6.x/01-wazuh-remote.conf
    
  3. Start the Logstash service:
# systemctl daemon-reload
# systemctl start logstash.service

Upgrade Filebeat

  1. Upgrade Filebeat:
  • For CentOS/RHEL/Fedora:

    # yum install filebeat-6.8.7
    
  • For Debian/Ubuntu:

    # apt-get install filebeat=6.8.7
    
  2. Update the configuration file:
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/filebeat/6.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  3. Restart Filebeat:
# systemctl daemon-reload
# systemctl restart filebeat

Upgrade Kibana

  1. Upgrade the kibana package:
  • For CentOS/RHEL/Fedora:

    # yum install kibana-6.8.7
    
  • For Debian/Ubuntu:

    # apt-get install kibana=6.8.7
    
  2. Uninstall the Wazuh app from Kibana:
  • Update file permissions. This avoids several errors when updating the app:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    
  • Remove the Wazuh app:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin remove wazuh
    
  3. Upgrade the Wazuh app:
  • Install from URL:

    # cd /usr/share/kibana/
    # rm -rf optimize/bundles
    # sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.4_6.8.7.zip
    
  • Install from the package (the Elastic 6.8.7 build of the app, matching the URL above):

    # cd /usr/share/kibana/
    # rm -rf optimize/bundles
    # sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install file:///path/wazuhapp-3.11.4_6.8.7.zip

Warning

The Wazuh app installation process may take several minutes. Please wait patiently.

  4. Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Disabling repositories

  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    
  • For Debian/Ubuntu:

    # sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    

    Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).

    # echo "elasticsearch hold" | sudo dpkg --set-selections
    # echo "kibana hold" | sudo dpkg --set-selections
    
  • For openSUSE:

    # sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo