Upgrade from different major version
The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x (which implies upgrading from Elastic Stack 5.x to 6.x).
Upgrade Wazuh agent
Stop the service:
# systemctl stop wazuh-agent
Add the new repository for Wazuh 3.x.
For CentOS/RHEL/Fedora:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For Debian/Ubuntu:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Upgrade the agent.
Upgrade the Wazuh agent on CentOS/RHEL/Fedora:
# yum install wazuh-agent
Upgrade the Wazuh agent on Debian/Ubuntu:
# apt-get update
# apt-get install wazuh-agent
For Windows:
The agent upgrade process for Windows systems requires downloading the latest available installer from the packages list. There are two ways to use it (both require administrator rights):
Using the GUI installer:
Open the installer and follow the instructions to upgrade the agent.
Using the command line:
To upgrade the Windows agent from the command line, run the installer using Windows PowerShell or the command prompt (the /q argument is used for unattended installations):
# wazuh-agent-3.2.4-1.msi /q
Note
To learn more about the unattended installation process, you can check the Windows installation guide.
Upgrade Wazuh manager
Stop the services:
# systemctl stop wazuh-api
# systemctl stop wazuh-manager
Add the new repository for Wazuh 3.x.
For CentOS/RHEL/Fedora:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For Debian/Ubuntu:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Upgrade the manager.
Upgrade the Wazuh manager on CentOS/RHEL/Fedora:
# yum install wazuh-manager
Upgrade the Wazuh manager on Debian/Ubuntu:
# apt-get update
# apt-get install wazuh-manager
Upgrade the API.
Upgrade the Wazuh API on CentOS/RHEL/Fedora:
# yum install wazuh-api
Upgrade the Wazuh API on Debian/Ubuntu:
# apt-get install wazuh-api
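The repository and package steps for the agent and for the manager and API are the same apart from the package names and the services that are stopped first. The script below is an added example, not part of the Wazuh documentation, that performs them for either role in one idempotent run and then checks that the installed version really is 3.x before declaring success. Its assumptions are labelled in the comments: the apt repository is signed with the same key the yum stanza references (https://packages.wazuh.com/key/GPG-KEY-WAZUH), so the script imports it before apt-get update, which the page's apt commands leave out; /etc/os-release identifies the distribution; and the installed version is read from /var/ossec/etc/ossec-init.conf, which Wazuh 2.x and 3.x write at install time. The file name wazuh-upgrade.sh is chosen here. The parsing and version checks are separate functions so they can be exercised without touching the system; the actual upgrade runs only when invoked as `sh wazuh-upgrade.sh --run agent` or `--run manager`.

```sh
#!/bin/sh
# Added example (not from the Wazuh documentation): the repository and package
# steps above for either the agent or the manager, done idempotently.
# Assumptions: the apt repository is signed with the key the yum stanza
# references (GPG-KEY-WAZUH); /etc/os-release identifies the distribution;
# the installed version is in /var/ossec/etc/ossec-init.conf (Wazuh 2.x/3.x).
set -eu

WAZUH_KEY_URL="https://packages.wazuh.com/key/GPG-KEY-WAZUH"
YUM_REPO=/etc/yum.repos.d/wazuh.repo
APT_LIST=/etc/apt/sources.list.d/wazuh.list
INIT_CONF=/var/ossec/etc/ossec-init.conf

# Map an ID= value from /etc/os-release to the package family used in the guide.
pkg_family() {
    case "$1" in
        centos|rhel|fedora) echo yum ;;
        debian|ubuntu)      echo apt ;;
        *)                  echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# Numeric VERSION from an ossec-init.conf file: VERSION="v3.2.4" -> 3.2.4
wazuh_version() {
    sed -n 's/^VERSION="v\{0,1\}\([0-9][0-9.]*\)"$/\1/p' "$1"
}

# Major component of a dotted version: 3.2.4 -> 3
major_of() {
    printf '%s\n' "$1" | cut -d. -f1
}

add_repo() {
    case "$1" in
        yum)
            # Write the whole file rather than appending, so re-runs do not
            # stack duplicate stanzas.
            cat > "$YUM_REPO" <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
            ;;
        apt)
            # apt will not authenticate packages from a source whose key it
            # lacks, so import the signing key before the list is used; tee
            # without -a keeps re-runs from duplicating the entry.
            curl -s "$WAZUH_KEY_URL" | apt-key add -
            echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee "$APT_LIST"
            apt-get update
            ;;
    esac
}

# $1 = package family, remaining arguments = packages to upgrade
install_pkgs() {
    fam=$1; shift
    case "$fam" in
        yum) yum -y install "$@" ;;
        apt) apt-get -y install "$@" ;;
    esac
}

main() {
    role=$1                                   # agent or manager
    os_id=$(. /etc/os-release && echo "$ID")
    fam=$(pkg_family "$os_id")
    case "$role" in
        agent)   services="wazuh-agent";             pkgs="wazuh-agent" ;;
        manager) services="wazuh-api wazuh-manager"; pkgs="wazuh-manager wazuh-api" ;;
        *)       echo "role must be agent or manager" >&2; return 1 ;;
    esac
    systemctl stop $services                  # unquoted on purpose: word list
    add_repo "$fam"
    install_pkgs "$fam" $pkgs
    v=$(wazuh_version "$INIT_CONF")
    [ "$(major_of "$v")" = 3 ] || { echo "upgrade failed, version is '$v'" >&2; return 1; }
    systemctl start $services
    echo "Wazuh $role upgraded to $v"
}

# Only act when asked explicitly, so sourcing this file just defines functions.
if [ "${1:-}" = "--run" ]; then main "${2:-agent}"; fi
```

The version check at the end is the part worth keeping even if you run the package commands by hand: a yum or apt run that resolves to the already-installed 2.x package (for example because the old repository definition is still enabled and wins) exits successfully, and only the VERSION line in ossec-init.conf tells you whether the upgrade actually happened.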
Prepare Elastic Stack
Stop the services:
# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
Add the new repository for Elastic Stack 6.x:
For CentOS/RHEL/Fedora:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
For Debian/Ubuntu:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
Upgrade Elasticsearch
Note
Since you are upgrading to a different major version of Elasticsearch, it's important that you back up /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/jvm.options before upgrading Elasticsearch. Check the Elasticsearch Reference for more information.
Update Elasticsearch:
For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.2.4
For Debian/Ubuntu:
# apt-get update
# apt-get install elasticsearch=6.2.4
Start Elasticsearch:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the one shown below:
# curl localhost:9200/?pretty
{
  "name" : "5urh-FJ",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "B5rXKBg2Tr-KWwFdbDHJQg",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "7299dc3",
    "build_date" : "2018-02-07T19:34:26.990113Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
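The guide says to wait until Elasticsearch has finished starting before loading the template, but systemctl start returns as soon as the process is launched, well before the JVM is listening, and the root endpoint answers before the cluster has elected a master and can store a template. The script below is an added example, not part of the Wazuh documentation, that polls the node, refuses to continue unless the response comes from a 6.x build (a 5.x answer means the old package is still running), waits for yellow cluster health, loads the template, and then reads it back. It assumes Elasticsearch on localhost:9200 without authentication, as in this guide, and that curl and sed are available; the version is extracted with sed from the one-key-per-line ?pretty output rather than with a JSON parser.

```sh
#!/bin/sh
# Added example, not part of the Wazuh documentation: wait until the upgraded
# Elasticsearch node actually answers, confirm it is the 6.x build the rest of
# this guide expects, wait for the cluster to accept writes, then load the
# Wazuh template and confirm it was stored. Assumptions: Elasticsearch on
# localhost:9200 without authentication (as in the guide); curl and sed present.
set -eu

ES_URL=${ES_URL:-http://localhost:9200}
TEMPLATE_URL="https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json"

# Extract "version" -> "number" from the root endpoint's ?pretty output, which
# puts one key per line, so no JSON parser is needed on the host.
es_version_number() {
    sed -n 's/^[[:space:]]*"number"[[:space:]]*:[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Major component of a dotted version: 6.2.4 -> 6
major_of() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Accept a root-endpoint response only if it comes from a 6.x node; prints the
# version on success. A 5.x answer here means the old package is still running.
check_es_version() {
    ver=$(printf '%s\n' "$1" | es_version_number)
    [ -n "$ver" ] || { echo "no version number in response" >&2; return 1; }
    [ "$(major_of "$ver")" = 6 ] || { echo "expected Elasticsearch 6.x, got $ver" >&2; return 1; }
    echo "$ver"
}

# systemctl start returns before the JVM is listening; poll up to $1 times.
wait_for_es() {
    tries=${1:-60}
    while [ "$tries" -gt 0 ]; do
        if body=$(curl -s "$ES_URL/?pretty") && [ -n "$body" ]; then
            printf '%s\n' "$body"
            return 0
        fi
        tries=$((tries - 1))
        sleep 2
    done
    echo "Elasticsearch did not answer on $ES_URL" >&2
    return 1
}

load_wazuh_template() {
    # Template writes need an elected master; wait for at least yellow health.
    curl -s "$ES_URL/_cluster/health?wait_for_status=yellow&timeout=60s" >/dev/null
    curl -s "$TEMPLATE_URL" \
      | curl -s -XPUT "$ES_URL/_template/wazuh" -H 'Content-Type: application/json' -d @-
    echo
    # Read the template back: 404 means the PUT above was not stored.
    code=$(curl -s -o /dev/null -w '%{http_code}' "$ES_URL/_template/wazuh")
    [ "$code" = 200 ] || { echo "template not loaded (HTTP $code)" >&2; return 1; }
    echo "wazuh template loaded"
}

main() {
    body=$(wait_for_es)
    ver=$(check_es_version "$body")
    echo "Elasticsearch $ver is up"
    load_wazuh_template
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Loading the template before the 6.x node is the one answering is the failure mode this guards against: the PUT would either fail against a node that is not up yet or, worse, succeed against a lingering 5.x process and leave the 6.x node without the template once it comes up.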
Upgrade Logstash
Upgrade Logstash:
For CentOS/RHEL/Fedora:
# yum install logstash-6.2.4
For Debian/Ubuntu:
# apt-get install logstash=1:6.2.4-1
Download and set the Wazuh configuration for Logstash:
Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-remote.conf
Start Logstash:
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service
Upgrade Kibana
Upgrade Kibana:
For CentOS/RHEL/Fedora:
# yum install kibana-6.2.4
For Debian/Ubuntu:
# apt-get install kibana=6.2.4
Remove the Wazuh Kibana App plugin from Kibana:
# /usr/share/kibana/bin/kibana-plugin remove wazuh
Migrate .kibana from 5.x to 6.x:
The .kibana index (which holds Kibana's configuration) has drastically changed. To migrate it, follow the official documentation:
Upgrade the Wazuh Kibana App:
Increase the default Node.js heap memory limit to prevent out-of-memory errors when installing the Wazuh App. Set the limit as follows:
# export NODE_OPTIONS="--max-old-space-size=3072"
Install the Wazuh App:
# rm -rf /usr/share/kibana/optimize/bundles
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.4_6.2.4.zip
Start Kibana:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
Upgrade Filebeat
Upgrade Filebeat:
For CentOS/RHEL/Fedora:
# yum install filebeat-6.2.4
For Debian/Ubuntu:
# apt-get install filebeat=6.2.4
Download the Filebeat configuration file from the Wazuh repository:
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/filebeat/filebeat.yml
Edit the file /etc/filebeat/filebeat.yml and replace ELASTIC_SERVER_IP with the IP address or the hostname of your Elastic Stack server:
output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
Enable and start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
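Editing the placeholder by hand is where this step usually goes wrong: a leftover ELASTIC_SERVER_IP makes Filebeat try to resolve that literal name, and a typo in the host is only noticed when no alerts arrive. The script below is an added example, not part of the Wazuh documentation, that substitutes the host into the downloaded filebeat.yml, keeps the untouched download as a backup, refuses to proceed if the placeholder survives or the host is not an IPv4 address or DNS name, and then asks Filebeat to validate the file and the Logstash connection before the service is enabled. It assumes Filebeat 6.x, whose `filebeat test config` and `filebeat test output` subcommands it relies on, and the ELASTIC_SERVER_IP placeholder used in the Wazuh-provided file; the file name filebeat-setup.sh is chosen here.

```sh
#!/bin/sh
# Added example, not from the Wazuh documentation: fill in the Logstash host
# in the downloaded filebeat.yml, refuse to continue if the placeholder is
# still present or the host looks malformed, and have Filebeat validate the
# configuration and the connection before enabling the service.
# Assumptions: Filebeat 6.x ("filebeat test config"/"filebeat test output")
# and the ELASTIC_SERVER_IP placeholder used in the Wazuh-provided file.
set -eu

FILEBEAT_YML=${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}
PLACEHOLDER="ELASTIC_SERVER_IP"

# Accept an IPv4 address or a DNS hostname; anything else is rejected so a
# typo cannot silently end up as hosts: [":5000"] or break the YAML.
valid_host() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Replace every occurrence of the placeholder in file $1 with host $2.
set_filebeat_host() {
    file=$1; host=$2
    valid_host "$host" || { echo "refusing to use '$host' as a host" >&2; return 1; }
    cp "$file" "$file.bak"                     # keep the untouched download
    sed "s/$PLACEHOLDER/$host/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    # A leftover placeholder would make Filebeat try to resolve ELASTIC_SERVER_IP.
    if grep -q "$PLACEHOLDER" "$file"; then
        echo "placeholder still present in $file" >&2; return 1
    fi
}

# Print the configured hosts line(s), e.g. hosts: ["10.0.0.5:5000"]
configured_hosts() {
    grep -E '^[[:space:]]*hosts:' "$1" | sed 's/^[[:space:]]*//'
}

main() {
    host=$1
    set_filebeat_host "$FILEBEAT_YML" "$host"
    configured_hosts "$FILEBEAT_YML"
    # Syntax check first, then a real connection attempt to Logstash on 5000.
    filebeat test config -c "$FILEBEAT_YML"
    filebeat test output -c "$FILEBEAT_YML"
    systemctl daemon-reload
    systemctl enable filebeat.service
    systemctl start filebeat.service
}

if [ "${1:-}" = "--run" ]; then main "${2:?usage: $0 --run <elastic-host>}"; fi
```

Run it as `sh filebeat-setup.sh --run 10.0.0.5` (or a hostname) on the agent-side host that ships alerts to Logstash. If `filebeat test output` fails, the usual causes are Logstash not yet listening on 5000 after its own upgrade or a firewall between the two hosts; fix that before enabling the service, otherwise Filebeat will start and retry silently.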
Official upgrading guides for Elastic Stack:
Disable the Elasticsearch repository
We recommend that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version. An untimely or unplanned upgrade may break the Wazuh App. To disable the repository, follow these steps:
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Reindexing your previous alerts
In the new version of Wazuh, the structure of the Wazuh alerts has changed. The new alerts present more information to the end user than the old ones. This is why Wazuh 3.x uses different indices and templates than Wazuh 2.x.
For this reason, you will not be able to see the previous alerts using Kibana. If you need to access them, you will have to reindex the previous indices.
Reindexing can be a complex process, depending on the size of your dataset. This should only be done if you need to visualize alerts that were generated before the upgrade of your Kibana environment.
There is a reindex script developed by the Wazuh Team. The documentation for this script is available at Restore Wazuh alerts from Wazuh 2.x.
Note
Older alerts will not disappear if you choose not to reindex. These alerts will still be stored in Elasticsearch and the Wazuh manager.