Upgrade from different major version

The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x (which implies upgrading from Elastic Stack 5.x to 6.x).

Upgrade Wazuh agent

  1. Stop the service:

# systemctl stop wazuh-agent
  1. Add the new repository for Wazuh 3.x.

  1. For CentOS/RHEL/Fedora:

# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
  1. For Debian/Ubuntu:

# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  1. Upgrade the agent.

  1. Upgrade the Wazuh agent on CentOS/RHEL/Fedora:

# yum install wazuh-agent
  1. Upgrade the Wazuh agent on Debian/Ubuntu:

# apt-get update
# apt-get install wazuh-agent
  1. For Windows:

The agent upgrading process for Windows systems requires to download the latest available installer from the packages list. There are two ways of using it (both of them require administrator rights):

  • Using the GUI installer:

Open the installer and follow the instructions to upgrade the agent.

../../_images/windows.png
  • Using the command line:

To upgrade the Windows agent from the command line, run the installer using Windows PowerShell or the command prompt (the /q argument is used for unattended installations):

# wazuh-agent-3.2.4-1.msi /q

Note

To learn more about the unattended installation process, you can check the Windows installation guide.

Upgrade Wazuh manager

  1. Stop the services:

# systemctl stop wazuh-api
# systemctl stop wazuh-manager
  1. Add the new repository for Wazuh 3.x.

  1. For CentOS/RHEL/Fedora:

# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
  1. For Debian/Ubuntu:

# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
  1. Upgrade the manager.

  1. Upgrade the Wazuh manager on CentOS/RHEL/Fedora:

# yum install wazuh-manager
  1. Upgrade the Wazuh manager on Debian/Ubuntu:

# apt-get update
# apt-get install wazuh-manager
  1. Upgrade the API.

  1. Upgrade the Wazuh API on CentOS/RHEL/Fedora:

# yum install wazuh-api
  1. Upgrade the Wazuh API on Debian/Ubuntu:

# apt-get install wazuh-api

Prepare Elastic Stack

  1. Stop the services:

# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
  1. Add the new repository for Elastic Stack 6.x:

  1. For CentOS/RHEL/Fedora:

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
  1. For Debian/Ubuntu:

# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list

Upgrade Elasticsearch

Note

Since you are upgrading to a different major version of Elasticsearch , it's important that you backup /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/jvm.options before upgrading Elasticsearch. Check the Elasticsearch Reference for more information.

  1. Update Elasticsearch:

  1. For CentOS/RHEL/Fedora:

# yum install elasticsearch-6.2.4
  1. For Debian/Ubuntu:

# apt-get update
# apt-get install elasticsearch=6.2.4
  1. Start Elasticsearch:

# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service

It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the shown below:

# curl localhost:9200/?pretty

{
  "name" : "5urh-FJ",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "B5rXKBg2Tr-KWwFdbDHJQg",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "7299dc3",
    "build_date" : "2018-02-07T19:34:26.990113Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
  1. Load the Wazuh template for Elasticsearch:

# curl https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

Upgrade Logstash

  1. Upgrade Logstash:

  1. For CentOS/RHEL/Fedora:

# yum install logstash-6.2.4
  1. For Debian/Ubuntu:

# apt-get install logstash=1:6.2.4-1
  1. Download and set the Wazuh configuration for Logstash:

  1. Local configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
  1. Remote configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-remote.conf
  1. Start Logstash:

# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service

Upgrade Kibana

  1. Upgrade Kibana:

  1. For CentOS/RHEL/Fedora:

# yum install kibana-6.2.4
  1. For Debian/Ubuntu:

# apt-get install kibana=6.2.4
  1. Remove the Wazuh Kibana App plugin from Kibana:

    # /usr/share/kibana/bin/kibana-plugin remove wazuh
    
  2. Migrate .kibana from 5.x to 6.x:

The .kibana index (which holds Kibana's configuration) has drastically changed. To migrate it, follow the official documentation:

  1. Upgrade the Wazuh Kibana App:

  1. Increase the default Node.js heap memory limit to prevent out of memory errors when installing the Wazuh App. Set the limit as follow:

# export NODE_OPTIONS="--max-old-space-size=3072"
  1. Install the Wazuh App:

# rm -rf /usr/share/kibana/optimize/bundles
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.4_6.2.4.zip
  1. Start Kibana:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Upgrade Filebeat

  1. Upgrade Filebeat:

  1. For CentOS/RHEL/Fedora:

# yum install filebeat-6.2.4
  1. For Debian/Ubuntu:

# apt-get install filebeat=6.2.4
  1. Download the Filebeat configuration file from the Wazuh repository:

# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/filebeat/filebeat.yml
  1. Edit the file /etc/filebeat/filebeat.yml and replace ELASTIC_SERVER_IP with the IP address or the hostname of your Elastic Stack server:

output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
  1. Enable and start the Filebeat service:

# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service

Official upgrading guides for Elastic Stack:

Disable the Elasticsearch repository

We recommend that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version. An untimely or unplanned upgrade may break the Wazuh App. To disable the repository, follow these steps:

  1. For CentOS/RHEL/Fedora:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
  1. For Debian/Ubuntu:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Reindexing your previous alerts

In the new version of Wazuh, the structure of the Wazuh alerts have changed. The new alerts present more information to the end user than the old alerts. This is why Wazuh 3.x uses different indices and templates than Wazuh 2.x.

For this reason, you will not be able to see the previous alerts using Kibana. If you need to access them, you will have to reindex the previous indices.

Reindexing can be a complex process, depending on the size of your dataset. This should only be done if you need to visualize alerts that were generated before the upgrade of your Kibana environment.

There is a reindex script developed by the Wazuh Team. The documentation for this script is available at Restore Wazuh alerts from Wazuh 2.x.

Note

Older alerts will not disappear if you choose not to reindex. These alerts will still be stored in Elasticsearch and the Wazuh manager.