Upgrading Elastic Stack from 7.x to 7.y
Prepare the Elastic Stack
Stop the services:
# systemctl stop filebeat
# systemctl stop kibana
If the Elastic Stack 7.x repository was disabled, re-enable it with:
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
For openSUSE:
# sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo
Upgrade Elasticsearch
Disable shard allocation
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
(Optional) Stop non-essential indexing and perform a synced flush:
curl -X POST "localhost:9200/_flush/synced"
Shut down a single node.
# systemctl stop elasticsearch
Upgrade the node you shut down.
For CentOS/RHEL/Fedora:
# yum install elasticsearch-7.6.1
For Debian/Ubuntu:
# apt-get install elasticsearch=7.6.1
# systemctl restart elasticsearch
Restart the service.
# systemctl daemon-reload
# systemctl restart elasticsearch
Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
Re-enable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
Before upgrading the next node, wait for the cluster to finish shard allocation.
curl -X GET "localhost:9200/_cat/health?v"
Repeat these steps for every Elasticsearch node.
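The rolling upgrade above has two points where a practitioner wants a machine check rather than an eyeball: that the cluster is green with no shards moving before the next node is taken down, and that each upgraded node has actually rejoined at the target version. The helper below is an added example, not part of the Wazuh documentation; it assumes an unauthenticated cluster reachable at ES_URL (the page's localhost:9200), a TARGET_VERSION of 7.6.1 as on this page, and that the _cat/health column aliases status, relo, init and unassign are available (they are in Elasticsearch 7.x).

```shell
#!/bin/sh
# Added example (not Wazuh's own code): helpers for the rolling Elasticsearch
# upgrade. ES_URL and TARGET_VERSION are assumptions; override them as needed.
# Add credentials to the curl calls (-u user:pass) if security is enabled.
ES_URL="${ES_URL:-http://localhost:9200}"
TARGET_VERSION="${TARGET_VERSION:-7.6.1}"

# Evaluate one line of "_cat/health?h=status,relo,init,unassign" output.
# Returns 0 only when the cluster is green and no shards are relocating,
# initializing or unassigned, i.e. it is safe to stop the next node.
health_ready() {
  set -- $1
  [ "$1" = "green" ] && [ "${2:-1}" -eq 0 ] && [ "${3:-1}" -eq 0 ] && [ "${4:-1}" -eq 0 ]
}

# Read "_cat/nodes?h=name,version" lines on stdin and print the names of nodes
# that do not yet run the target version (empty output means all upgraded).
nodes_not_at_version() {
  target="$1"
  while read -r name version; do
    [ "$version" = "$target" ] || printf '%s\n' "$name"
  done
}

# "primaries" before stopping a node, null to restore the default afterwards.
set_allocation() {
  value="$1"
  [ "$value" = null ] || value="\"$value\""
  curl -sS -X PUT "$ES_URL/_cluster/settings" -H 'Content-Type: application/json' \
    -d "{\"persistent\":{\"cluster.routing.allocation.enable\":$value}}"
  echo
}

# Poll until health_ready succeeds; give up after roughly ten minutes.
wait_for_cluster() {
  tries=0
  until health_ready "$(curl -sS "$ES_URL/_cat/health?h=status,relo,init,unassign")"; do
    tries=$((tries + 1))
    [ "$tries" -lt 120 ] || { echo "cluster not green after 10 minutes" >&2; return 1; }
    sleep 5
  done
  echo "cluster green, shards settled"
}

# Exit 0 once every node in the cluster reports TARGET_VERSION.
check_versions() {
  pending=$(curl -sS "$ES_URL/_cat/nodes?h=name,version" | nodes_not_at_version "$TARGET_VERSION")
  if [ -n "$pending" ]; then
    echo "nodes still below $TARGET_VERSION:"; echo "$pending"; return 1
  fi
  echo "all nodes at $TARGET_VERSION"
}

case "${1:-}" in
  before-node) set_allocation primaries ;;
  after-node)  set_allocation null && wait_for_cluster && check_versions ;;
  "")          ;;   # no argument: only define the functions
  *)           echo "usage: $0 before-node|after-node" >&2; exit 2 ;;
esac
```

Run it as `sh es-rolling.sh before-node` just before stopping a node and `sh es-rolling.sh after-node` once the upgraded node is back; a non-zero exit from after-node means either the cluster never settled (inspect `_cat/health?v` and `_cat/recovery`) or at least one node still reports the old version, so the loop is not finished.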
Upgrade Filebeat
Upgrade Filebeat.
For CentOS/RHEL/Fedora:
# yum install filebeat-7.6.1
For Debian/Ubuntu:
# apt-get install filebeat=7.6.1
Update the configuration file.
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.11.4/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:
output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
Restart Filebeat.
# systemctl daemon-reload
# systemctl restart filebeat
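A leftover YOUR_ELASTIC_SERVER_IP placeholder is the most common reason Filebeat restarts cleanly but ships no alerts, so the substitution is worth checking before the restart. The script below is an added example and not part of the Wazuh documentation: it fills in the placeholder in the downloaded filebeat.yml, refuses hosts that would break the URL, and fails if any placeholder survives. FILEBEAT_YML and the function names are assumptions; the default path is the one used above.

```shell
#!/bin/sh
# Added example (not Wazuh's own code): fill in YOUR_ELASTIC_SERVER_IP in the
# Filebeat configuration and verify the edit. FILEBEAT_YML is an assumption.
FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"

# Replace the placeholder in FILE with HOST (an IP address or hostname).
# Returns 1 if HOST is empty or malformed, FILE is missing, or a placeholder
# is still present afterwards, so a bad edit is caught before the restart.
set_es_host() {
  file="$1"; host="$2"
  [ -n "$host" ] || { echo "host must not be empty" >&2; return 1; }
  [ -f "$file" ] || { echo "$file not found" >&2; return 1; }
  # Only hostname/IP characters: anything else would break the URL or the sed expression
  case "$host" in
    *[!A-Za-z0-9.:_-]*) echo "unexpected character in host: $host" >&2; return 1 ;;
  esac
  sed -i "s/YOUR_ELASTIC_SERVER_IP/$host/g" "$file"
  if grep -q 'YOUR_ELASTIC_SERVER_IP' "$file"; then
    echo "placeholder still present in $file" >&2; return 1
  fi
  # Same permission the page sets after downloading the file
  chmod go+r "$file"
}

# Print the configured Elasticsearch hosts line for a final check.
es_hosts_line() {
  grep '^output.elasticsearch.hosts:' "$1"
}

if [ -n "${1:-}" ]; then
  set_es_host "$FILEBEAT_YML" "$1" && es_hosts_line "$FILEBEAT_YML"
fi
```

Usage: `sh set-es-host.sh 10.0.0.5` (or a hostname). The script prints the resulting output.elasticsearch.hosts line on success and exits non-zero otherwise; follow it with the systemctl restart above.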
Upgrade Kibana
Warning
When updating from Wazuh 3.11.x to 3.11.y (regardless of the Elastic Stack version), back up the Wazuh app configuration file first so that modified parameters and configured APIs are not lost.
Make a backup of the configuration file.
# cp /usr/share/kibana/plugins/wazuh/wazuh.yml /tmp/wazuh-backup.yml
Remove the Wazuh app.
# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin remove wazuh
Upgrade Kibana.
For CentOS/RHEL/Fedora:
# yum install kibana-7.6.1
For Debian/Ubuntu:
# apt-get install kibana=7.6.1
Remove generated bundles.
# rm -rf /usr/share/kibana/optimize/bundles
Update file permissions. This will prevent errors when generating new bundles or updating the app.
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
Install the Wazuh app.
From URL:
# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.11.4_7.6.1.zip
From the package:
# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin install file:///path/wazuhapp-3.11.4_7.6.1.zip
Restore the configuration file backup.
# sudo cp /tmp/wazuh-backup.yml /usr/share/kibana/plugins/wazuh/wazuh.yml
Update configuration file permissions.
# sudo chown kibana:kibana /usr/share/kibana/plugins/wazuh/wazuh.yml
# sudo chmod 600 /usr/share/kibana/plugins/wazuh/wazuh.yml
On Kibana 7.6.x it is recommended to increase Kibana's heap size so that plugin installation completes:
# cat >> /etc/default/kibana << EOF
NODE_OPTIONS="--max_old_space_size=2048"
EOF
Restart Kibana.
# systemctl daemon-reload
# systemctl restart kibana
Disabling repositories
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
Alternatively, you can set the package state to hold, which stops automatic updates (you can still upgrade the package manually with apt-get install):
# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections
For openSUSE:
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo