Upgrade to the latest version of Wazuh 3.x
The following steps show how to upgrade to the latest available version of Wazuh 3.x (which implies upgrading to the latest version of Elastic Stack 6.x).
Upgrade the Wazuh agent
Upgrade the wazuh-agent package:
For CentOS/RHEL/Fedora:
# yum upgrade wazuh-agent
For Debian/Ubuntu:
# apt-get update && apt-get install --only-upgrade wazuh-agent
For Windows:
Upgrading the agent on Windows systems requires downloading the latest available installer from the packages list. The installer can be used in two ways (both require administrator rights):
Using the GUI installer:
Open the installer and follow the instructions to upgrade the agent.
Using the command line:
To upgrade the Windows agent from the command line, run the installer using Windows PowerShell or the command prompt (the /q argument is used for unattended installations):
# wazuh-agent-3.4.0-1.msi /q
Note
To learn more about the unattended installation process, you can check the Windows installation guide.
Upgrade the Wazuh manager
Upgrade the wazuh-manager package:
For CentOS/RHEL/Fedora:
# yum upgrade wazuh-manager
For Debian/Ubuntu:
# apt-get update && apt-get install --only-upgrade wazuh-manager
Upgrade the wazuh-api package:
For CentOS/RHEL/Fedora:
# yum upgrade wazuh-api
For Debian/Ubuntu:
# apt-get update && apt-get install --only-upgrade wazuh-api
Note
Installing the updated packages automatically restarts the services of the Wazuh manager, API and agents. Your Wazuh configuration file remains unmodified, so you will need to add the settings for any new capabilities manually. Check the User Manual for more information.
Upgrade to the latest Elastic Stack version
Since the release of Wazuh 3.0.0, there have been several updates to the 6.x version of the Elastic Stack, introducing bug fixes and important changes. To use the latest version of Wazuh, you need to install the latest compatible Elastic Stack packages.
Stop the services:
# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
Enable the Elastic repository:
If you followed our Elastic Stack Installation Guide, you probably disabled the repository to avoid undesired upgrades of the Elastic Stack. You need to enable it again to get the latest packages.
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/^#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Upgrade Elasticsearch
Upgrade the elasticsearch package:
For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.3.2
For Debian/Ubuntu:
# apt-get install elasticsearch=6.3.2
Start the Elasticsearch service:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the one shown below:
# curl localhost:9200/?pretty
{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "M-W_RznZRA-CXykh_oJsCQ",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
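The guide stresses waiting until Elasticsearch has finished starting before loading the template. The following added example (not part of the Wazuh documentation) is a small POSIX shell helper that polls the node until it reports the expected version and then confirms that the Wazuh template is actually present. The URL, retry count and the sample responses embedded below are assumptions constructed for illustration; they mirror the shape of the real responses but are not captured output.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: wait for the upgraded
# Elasticsearch node to answer with the expected version, and verify that the
# Wazuh template was loaded, before moving on to the next upgrade step.
# ES_URL, the retry count and the sample responses are assumptions.

ES_URL="${ES_URL:-http://localhost:9200}"

# Constructed sample of a root-endpoint response, shaped like 'curl localhost:9200/?pretty'.
SAMPLE_ROOT='{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0"
  },
  "tagline" : "You Know, for Search"
}'

# Constructed samples of GET /_template/wazuh: template present vs. not loaded.
SAMPLE_TEMPLATE_PRESENT='{"wazuh":{"order":0,"index_patterns":["wazuh-alerts-3.x-*"]}}'
SAMPLE_TEMPLATE_ABSENT='{}'

# es_version_from_json BODY: print version.number from a root-endpoint response.
# The body is flattened to one line, then the "number" inside the "version"
# object is captured; keys such as "lucene_version" do not match the exact
# token "version" because they are not preceded by a quote.
es_version_from_json() {
    flat=$(printf '%s' "$1" | tr -d '\n')
    printf '%s\n' "$flat" |
        sed -n 's/.*"version"[^{]*{[^}]*"number" *: *"\([^"]*\)".*/\1/p'
}

# es_version_matches BODY EXPECTED: succeed only when the node reports EXPECTED.
es_version_matches() {
    [ "$(es_version_from_json "$1")" = "$2" ]
}

# template_present BODY: succeed when GET /_template/wazuh returns the template.
# A bare "{}" means the PUT to /_template/wazuh has not taken effect.
template_present() {
    printf '%s' "$1" | tr -d ' \n' | grep -q '^{"wazuh":{'
}

# wait_for_es EXPECTED [TRIES]: poll the node every 2 s until it reports EXPECTED
# (default: 30 tries, i.e. about one minute). Returns 1 if it never does.
wait_for_es() {
    expected=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        body=$(curl -s "$ES_URL/" 2>/dev/null)
        if es_version_matches "$body" "$expected"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 2
    done
    return 1
}

# check_template: succeed when the live node already holds the Wazuh template.
check_template() {
    template_present "$(curl -s "$ES_URL/_template/wazuh" 2>/dev/null)"
}

# Typical use after 'systemctl start elasticsearch.service':
#   wait_for_es 6.3.2 || { echo "Elasticsearch did not come up as 6.3.2" >&2; exit 1; }
#   ... run the curl | curl -XPUT template command from the guide ...
#   check_template || { echo "Wazuh template missing" >&2; exit 1; }
```

The version check guards against loading the template into a node that is still the old release (for example, if the package upgrade failed silently), and the template check catches a PUT that returned an error body rather than an acknowledgement, which the piped curl command in the guide would otherwise not surface.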
Upgrade Logstash
Upgrade the logstash package:
For CentOS/RHEL/Fedora:
# yum install logstash-6.3.2
For Debian/Ubuntu:
# apt-get install logstash=1:6.3.2-1
Download and set the Wazuh configuration for Logstash:
Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/logstash/01-wazuh-remote.conf
Start the Logstash service:
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service
Note
The Logstash configuration file has been replaced with an updated one. If you had already configured encryption between Filebeat and Logstash, remember to review Setting up SSL for Filebeat and Logstash again if you're using a distributed architecture.
Upgrade Kibana
Upgrade the kibana package:
For CentOS/RHEL/Fedora:
# yum install kibana-6.3.2
For Debian/Ubuntu:
# apt-get install kibana=6.3.2
Uninstall the Wazuh app from Kibana:
# /usr/share/kibana/bin/kibana-plugin remove wazuh
Upgrade the Wazuh app:
Increase the default Node.js heap memory limit to prevent out-of-memory errors when installing the Wazuh app:
# export NODE_OPTIONS="--max-old-space-size=3072"
Install the Wazuh app:
# rm -rf /usr/share/kibana/optimize/bundles
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.4.0_6.3.2.zip
Warning
The Wazuh app installation process may take several minutes. Please wait patiently.
Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
Upgrade Filebeat
Upgrade the filebeat package:
For CentOS/RHEL/Fedora:
# yum install filebeat-6.3.2
For Debian/Ubuntu:
# apt-get update
# apt-get install filebeat=6.3.2
Start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
You have finished upgrading your Wazuh installation to the latest version. You can now disable the Elastic Stack repositories again to avoid undesired upgrades and compatibility issues with the Wazuh app.
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Official upgrading guides for the Elastic Stack: