Upgrading Elastic Stack from a legacy version

To upgrade Elasticsearch to the latest version from a version prior to 6.8.x, first upgrade to Elasticsearch 6.8.x as an intermediate step. Once Elastic Stack is on version 6.x, it can be upgraded to the latest version.

Prepare the Elastic Stack

  1. Stop the services:

# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana
  2. If the repository for Elastic Stack 6.x was disabled, enable it:

  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
    
  • For Debian/Ubuntu:

    # sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    
  • For openSUSE:

    # sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo
    

Upgrade Elasticsearch

  1. Disable shard allocation:

curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
  2. Stop non-essential indexing and perform a synced flush (optional):

curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node:

# systemctl stop elasticsearch
  4. Upgrade the node you shut down:

  • For CentOS/RHEL/Fedora:

    # yum install elasticsearch-6.8.8
    
  • For Debian/Ubuntu:

    # apt-get install elasticsearch=6.8.8
    

Repeat these steps on every Elasticsearch node in the installation.
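The following is an added example, not part of the original guide: a pre-flight check for the rolling upgrade above that confirms shard allocation is persistently set to "primaries" and lists the nodes still on an older version. The function names, the ES_URL and TARGET variables, and the sample responses are assumptions made for illustration; the two endpoints queried are the standard cluster settings and cat nodes APIs.

```shell
#!/bin/sh
# Added example, not from the original guide. ES_URL and TARGET are assumptions.
ES_URL="${ES_URL:-localhost:9200}"
TARGET="${TARGET:-6.8.8}"

# Constructed sample responses, used only to exercise the parsers offline.
SAMPLE_SETTINGS='{"persistent":{"cluster.routing.allocation.enable":"primaries"},"transient":{}}'
SAMPLE_NODES='es-node-1 6.8.8
es-node-2 6.3.2
es-node-3 6.8.8'

# stdin: body of GET _cluster/settings?flat_settings=true
# stdout: persistent value of cluster.routing.allocation.enable (empty if unset)
allocation_mode() {
  tr -d ' \t\n' |
    sed -n 's/.*"persistent":{[^}]*"cluster\.routing\.allocation\.enable":"\([a-z_]*\)".*/\1/p'
}

# stdin: "name version" lines from GET _cat/nodes?h=name,version
# stdout: names of nodes not yet running the version given as $1
nodes_pending() {
  awk -v target="$1" 'NF >= 2 && $2 != target { print $1 }'
}

# Live check against the cluster: run before stopping the next node.
preflight() {
  mode=$(curl -s "$ES_URL/_cluster/settings?flat_settings=true" | allocation_mode)
  if [ "$mode" != "primaries" ]; then
    echo "cluster.routing.allocation.enable is '${mode:-unset}', expected 'primaries'" >&2
    return 1
  fi
  echo "Nodes still to upgrade to $TARGET:"
  curl -s "$ES_URL/_cat/nodes?h=name,version" | nodes_pending "$TARGET"
}
```

Source the file and run preflight before each "systemctl stop elasticsearch"; a non-zero return means the allocation setting was not applied as a persistent setting.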

Upgrade Logstash

  1. Upgrade the logstash package:

  • For CentOS/RHEL/Fedora:

    # yum install logstash-6.8.8

  • For Debian/Ubuntu:

    # apt-get install logstash=1:6.8.8-1

Upgrade Filebeat

  1. Upgrade Filebeat.

  • For CentOS/RHEL/Fedora:

    # yum install filebeat-6.8.8
    
  • For Debian/Ubuntu:

    # apt-get install filebeat=6.8.8
    

Upgrade Kibana

  1. Upgrade the kibana package:

  • For CentOS/RHEL/Fedora:

    # yum install kibana-6.8.8

  • For Debian/Ubuntu:

    # apt-get install kibana=6.8.8

  2. Uninstall the Wazuh app from Kibana:

    1. Update file permissions. This will avoid several errors prior to updating the app:

       # chown -R kibana:kibana /usr/share/kibana/optimize
       # chown -R kibana:kibana /usr/share/kibana/plugins

    2. Remove the Wazuh app:

       # cd /usr/share/kibana/
       # sudo -u kibana bin/kibana-plugin remove wazuh

Disabling repositories

  • For CentOS/RHEL/Fedora:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
    
  • For Debian/Ubuntu:

    # sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    

    Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install).

    # echo "elasticsearch hold" | sudo dpkg --set-selections
    # echo "kibana hold" | sudo dpkg --set-selections
    
  • For openSUSE:

    # sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo
    

Now that the installation is on version 6.8.x, it can be upgraded to the latest available version by following the steps in the section Upgrading Elastic Stack from 6.8 to 7.x.