Upgrade to the latest version of Wazuh 3.x

The following steps show how to upgrade to the latest available version of Wazuh 3.x (which implies upgrading to the latest version of Elastic Stack 6.x).

Upgrade the Wazuh agent

  1. Upgrade the wazuh-agent package:

  1. For CentOS/RHEL/Fedora:

# yum upgrade wazuh-agent
  1. For Debian/Ubuntu:

# apt-get update && apt-get install --only-upgrade wazuh-agent
  1. For Windows:

The agent upgrading process for Windows systems requires to download the latest available installer from the packages list. There are two ways of using it (both of them require administrator rights):

  • Using the GUI installer:

Open the installer and follow the instructions to upgrade the agent.

../../_images/windows.png
  • Using the command line:

To upgrade the Windows agent from the command line, run the installer using Windows PowerShell or the command prompt (the /q argument is used for unattended installations):

# wazuh-agent-3.4.0-1.msi /q

Note

To learn more about the unattended installation process, you can check the Windows installation guide.

Upgrade the Wazuh manager

  1. Upgrade the wazuh-manager package:

  1. For CentOS/RHEL/Fedora:

# yum upgrade wazuh-manager
  1. For Debian/Ubuntu:

# apt-get update && apt-get install --only-upgrade wazuh-manager
  1. Upgrade the wazuh-api package:

  1. For CentOS/RHEL/Fedora:

# yum upgrade wazuh-api
  1. For Debian/Ubuntu:

# apt-get update && apt-get install --only-upgrade wazuh-api

Note

The installation of the updated packages will automatically restart the services for the Wazuh manager, API and agents. Your Wazuh config file will keep unmodified, so you'll need to manually add the settings for the new capabilities. Check the User Manual for more information.

Upgrade to the latest Elastic Stack version

Since the release of Wazuh 3.0.0, there's been several updates to the 6.x version of the Elastic Stack, introducing several bugfixes and important changes. In order to use the latest version of Wazuh, it's necessary to install the latest compatible Elastic Stack packages.

  1. Stop the services:

# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
  1. Enable the Elastic repository:

If you followed our Elastic Stack Installation Guide, probably you disabled the repository in order to avoid undesired upgrades for the Elastic Stack. It's necessary to enable them again to get the last packages.

  1. For CentOS/RHEL/Fedora:

# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
  1. For Debian/Ubuntu:

# sed -i "s/^#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Upgrade Elasticsearch

  1. Upgrade the elasticsearch package:

  1. For CentOS/RHEL/Fedora:

# yum install elasticsearch-6.3.2
  1. For Debian/Ubuntu:

# apt-get install elasticsearch=6.3.2
  1. Start the Elasticsearch service:

# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service

It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the shown below:

# curl localhost:9200/?pretty

{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "M-W_RznZRA-CXykh_oJsCQ",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
  1. Load the Wazuh template for Elasticsearch:

# curl https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

Upgrade Logstash

  1. Upgrade the logstash package:

  1. For CentOS/RHEL/Fedora:

# yum install logstash-6.3.2
  1. For Debian/Ubuntu:

# apt-get install logstash=1:6.3.2-1
  1. Download and set the Wazuh configuration for Logstash:

  1. Local configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
  1. Remote configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/logstash/01-wazuh-remote.conf
  1. Start the Logstash service:

# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service

Note

The Logstash configuration file has been replaced for an updated one. If you already configured the encryption between Filebeat and Logstash, don't forget to check again Setting up SSL for Filebeat and Logstash if you're using a distributed architecture.

Upgrade Kibana

  1. Upgrade the kibana package:

  1. For CentOS/RHEL/Fedora:

# yum install kibana-6.3.2
  1. For Debian/Ubuntu:

# apt-get install kibana=6.3.2
  1. Uninstall the Wazuh app from Kibana:

# /usr/share/kibana/bin/kibana-plugin remove wazuh
  1. Upgrade the Wazuh app:

  1. Increase the default Node.js heap memory limit to prevent out of memory errors when installing the Wazuh app:

# export NODE_OPTIONS="--max-old-space-size=3072"
  1. Install the Wazuh app:

# rm -rf /usr/share/kibana/optimize/bundles
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.4.0_6.3.2.zip

Warning

The Wazuh app installation process may take several minutes. Please wait patiently.

  1. Start the Kibana service:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Upgrade Filebeat

  1. Upgrade the filebeat package:

  1. For CentOS/RHEL/Fedora:

# yum install filebeat-6.3.2
  1. For Debian/Ubuntu:

# apt-get update
# apt-get install filebeat=6.3.2
  1. Start the Filebeat service:

# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service

You've finished upgrading your Wazuh installation to the latest version. Now you can disable again the Elastic Stack repositories in order to avoid undesired upgrades and compatibility issues with the Wazuh app.

  1. For CentOS/RHEL/Fedora:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
  1. For Debian/Ubuntu:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Official upgrading guides for the Elastic Stack: