Upgrading Elastic Stack from 7.x to 7.y

Prepare the Elastic Stack

  1. Stop the services:

    # systemctl stop filebeat
    # systemctl stop kibana
  2. If the Elastic Stack 7.x repository was disabled after the previous installation, re-enable it:

  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
  • For Debian/Ubuntu:

    # sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-7.x.list
    # apt-get update
  • For openSUSE:

    # sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo

Upgrade Elasticsearch

  1. Disable shard allocation

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
  2. Stop non-essential indexing and perform a synced flush. (Optional)

    curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node.

    # systemctl stop elasticsearch
  4. Upgrade the node you shut down.

    • For CentOS/RHEL/Fedora:

      # yum install elasticsearch-7.6.1
    • For Debian/Ubuntu:

      # apt-get install elasticsearch=7.6.1
      # systemctl restart elasticsearch
  5. Restart the service.

    # systemctl daemon-reload
    # systemctl restart elasticsearch
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "localhost:9200/_cat/nodes"
  7. Reenable shard allocation.

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": null
      }
    }
    '
  8. Before upgrading the next node, wait for the cluster to finish shard allocation.

    curl -X GET "localhost:9200/_cat/health?v"
  9. Repeat steps 1 to 8 for every Elasticsearch node in the cluster.
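Step 8 is the one most often skipped in practice: moving on to the next node while shards are still relocating leaves the cluster one failure away from losing a primary. The script below, an added example that is not part of the Wazuh documentation, parses the `_cat/health?v` output from step 8 and only reports the cluster as ready when the status is green and no shards are relocating, initializing or unassigned. It reads the header row rather than fixed column positions, so a column reorder between versions fails the check instead of silently passing it. The two sample health lines are constructed for the example, and `ES_URL` is an assumed environment variable that defaults to `http://localhost:9200`.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): gate the next node upgrade on cluster health.

# Constructed samples of `GET _cat/health?v` output (not captured from a real cluster).
SAMPLE_HEALTH_OK='epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1583000000 18:13:20  wazuh   green           3         3     60  30    0    0        0             0                  -                100.0%'

SAMPLE_HEALTH_BUSY='epoch      timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1583000000 18:13:20  wazuh   yellow          3         3     58  30    2    0        2             0                  -                 96.7%'

# cluster_ready HEALTH_TEXT
# Returns 0 when the status is green and relo, init and unassign are all 0;
# returns 1 otherwise, including when the input has no data row at all.
cluster_ready() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NR == 2 {
            found = 1
            ok = ($(col["status"]) == "green" && $(col["relo"]) == 0 \
                  && $(col["init"]) == 0 && $(col["unassign"]) == 0)
            exit !ok
        }
        END { if (!found) exit 1 }'
}

# wait_for_cluster [MAX_CHECKS]
# Polls the cluster every 5 seconds (at most MAX_CHECKS times, default 60) and
# returns 0 as soon as cluster_ready succeeds. ES_URL is an assumed variable.
wait_for_cluster() {
    url="${ES_URL:-http://localhost:9200}"
    max="${1:-60}"
    i=0
    while [ "$i" -lt "$max" ]; do
        # curl -f makes an HTTP error produce empty output, which cluster_ready rejects.
        if cluster_ready "$(curl -sf "$url/_cat/health?v")"; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "cluster not ready after $i checks; do not upgrade the next node yet" >&2
    return 1
}

# Typical use between nodes: wait_for_cluster && systemctl stop elasticsearch
```

Run `wait_for_cluster` on any host that can reach the cluster before shutting down the next node; a non-zero exit means step 8 has not completed and the rolling upgrade should pause.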

Upgrade Filebeat

  1. Upgrade Filebeat.

    • For CentOS/RHEL/Fedora:

      # yum install filebeat-7.6.1
    • For Debian/Ubuntu:

      # apt-get install filebeat=7.6.1
  2. Update the configuration file.

    # cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/filebeat/7.x/filebeat.yml
    # chmod go+r /etc/filebeat/filebeat.yml
  3. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
  4. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  5. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:

    output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  6. Restart Filebeat.

    # systemctl daemon-reload
    # systemctl restart filebeat

Upgrade Kibana

When upgrading from Wazuh 3.11.x to 3.11.y (regardless of the Elastic Stack version), back up the Wazuh app configuration file first so that modified parameters and configured APIs are not lost.

  1. Make a backup of the configuration file.

    # cp /usr/share/kibana/plugins/wazuh/wazuh.yml /tmp/wazuh-backup.yml
  2. Remove the Wazuh app.

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin remove wazuh
  3. Upgrade Kibana.

    • For CentOS/RHEL/Fedora:

      # yum install kibana-7.6.1
    • For Debian/Ubuntu:

      # apt-get install kibana=7.6.1
  4. Remove generated bundles.

    # rm -rf /usr/share/kibana/optimize/bundles
  5. Update file permissions. This will prevent errors when generating new bundles or updating the app.

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
  6. Install the Wazuh app.

    • From URL:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.4_7.6.1.zip
    • From the package:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin install file:///path/wazuhapp-3.11.4_7.6.1.zip
  7. Restore the configuration file backup.

    # sudo cp /tmp/wazuh-backup.yml /usr/share/kibana/plugins/wazuh/wazuh.yml
  8. Update configuration file permissions.

    # sudo chown kibana:kibana /usr/share/kibana/plugins/wazuh/wazuh.yml
    # sudo chmod 600 /usr/share/kibana/plugins/wazuh/wazuh.yml
  9. For installations on Kibana 7.6.x it is recommended to increase the Kibana heap size so that plugins install correctly:

    # cat >> /etc/default/kibana << EOF
  10. Restart Kibana.

    # systemctl daemon-reload
    # systemctl restart kibana

Disabling repositories

  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
  • For Debian/Ubuntu:

    # sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
    # apt-get update

    Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).

    # echo "elasticsearch hold" | sudo dpkg --set-selections
    # echo "kibana hold" | sudo dpkg --set-selections
  • For openSUSE:

    # sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo