Upgrade from the same major version (3.x)
The following steps show how to upgrade to the latest available version of Wazuh 3.x (which implies upgrading to the latest version of Elastic Stack 6.x).
Starting the upgrade
If you followed our manager or agent installation guides, you probably disabled the repository to avoid undesired upgrades. Enable it again to get the latest packages.
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/wazuh.repo
For Debian/Ubuntu:
This step is not necessary if you set the packages to the hold state instead of disabling the repositories.
# sed -i "s/^#deb/deb/" /etc/apt/sources.list.d/wazuh.list
Upgrade the Wazuh manager
Note
Since Wazuh v3.7.0, the File Integrity Monitoring database is no longer used. To add the file and registry entries stored by previous versions to Wazuh DB, you need to run the FIM migration tool.
Upgrade the wazuh-manager package:
For CentOS/RHEL/Fedora:
# yum upgrade wazuh-manager
For Debian/Ubuntu:
# apt-get update && apt-get install wazuh-manager
Upgrade the wazuh-api package:
For CentOS/RHEL/Fedora:
# yum upgrade wazuh-api
For Debian/Ubuntu:
# apt-get update && apt-get install wazuh-api
Note
Installing the updated packages automatically restarts the services for the Wazuh manager, API and agents. Your Wazuh config file will remain unmodified, so you'll need to manually add the settings for the new capabilities. Check the User Manual for more information.
Upgrade the Wazuh agent
Upgrade the wazuh-agent package:
For CentOS/RHEL/Fedora:
# yum upgrade wazuh-agent
For Debian/Ubuntu:
# apt-get update && apt-get install wazuh-agent
For Windows:
The agent upgrade process for Windows systems requires downloading the latest available installer from the packages list. There are two ways of using it (both require administrator rights):
Using the GUI installer:
Open the installer and follow the instructions to upgrade the agent.
Using the command line:
To upgrade the Windows agent from the command line, run the installer using Windows PowerShell or the command prompt (the /q argument is used for unattended installations):
# wazuh-agent-3.7.2-1.msi /q
Note
To learn more about the unattended installation process, you can check the Windows installation guide.
Finishing the Wazuh upgrade
You've finished upgrading your Wazuh installation to the latest version. You can now disable the Wazuh repositories again to avoid undesired upgrades and compatibility issues.
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
For Debian/Ubuntu:
This step is not necessary if you set the packages to the hold state instead of disabling the repositories.
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
Upgrade to the latest Elastic Stack version
Since the release of Wazuh 3.0.0, there have been several updates to the 6.x version of the Elastic Stack, introducing several bugfixes and important changes. To use the latest version of Wazuh, it's necessary to install the latest compatible Elastic Stack packages.
Stop the services:
# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
Enable the Elastic repository:
If you followed our Elastic Stack Installation Guide, you probably disabled the repository to avoid undesired upgrades of the Elastic Stack. Enable it again to get the latest packages.
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/^#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Upgrade Elasticsearch
Upgrade the elasticsearch package:
For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.5.4
For Debian/Ubuntu:
# apt-get install elasticsearch=6.5.4
Start the Elasticsearch service:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give a response like the one shown below:
# curl "http://localhost:9200/?pretty"
{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "M-W_RznZRA-CXykh_oJsCQ",
  "version" : {
    "number" : "6.5.4",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
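The wait-and-check step above can be scripted so that the template is loaded only once Elasticsearch reports the expected version. This is an added example, not part of the original Wazuh guide; the function names, the injectable fetch command, and the retry count and delay are assumptions.

```shell
#!/bin/sh
# Added example: wait for Elasticsearch to answer and confirm the upgraded version.
# ES_URL and EXPECTED use the values shown on this page; the function names,
# the fetch hook, the retry count and the delay are assumptions for illustration.

ES_URL="${ES_URL:-http://localhost:9200/?pretty}"
EXPECTED="${EXPECTED:-6.5.4}"

# Default fetcher: silent, fails on HTTP errors, 5 s timeout per attempt.
fetch_es() {
    curl -sf --max-time 5 "$ES_URL"
}

# Extract version.number from the root endpoint's JSON (read from stdin).
es_version() {
    sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# wait_for_es TRIES DELAY [FETCH_CMD]
# Returns 0 when the reported version equals EXPECTED, 1 when no answer
# arrives in time, 2 when Elasticsearch answers with a different version
# (for example, the old package is still running).
wait_for_es() {
    tries=$1; delay=$2; fetch=${3:-fetch_es}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if body=$("$fetch" 2>/dev/null); then
            ver=$(printf '%s\n' "$body" | es_version)
            if [ "$ver" = "$EXPECTED" ]; then
                echo "Elasticsearch $ver is up"
                return 0
            elif [ -n "$ver" ]; then
                echo "Elasticsearch reports ${ver}, expected $EXPECTED" >&2
                return 2
            fi
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "Elasticsearch did not answer after $tries attempts" >&2
    return 1
}

# Typical use before loading the Wazuh template:
#   wait_for_es 30 5 || exit 1
```
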
Load the Wazuh template for Elasticsearch:
Warning
Updating the Elasticsearch template to the latest version is mandatory in order to avoid compatibility issues with the latest versions of Wazuh and the Elastic Stack.
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
Upgrade Logstash
Upgrade the logstash package:
For CentOS/RHEL/Fedora:
# yum install logstash-6.5.4
For Debian/Ubuntu:
# apt-get install logstash=1:6.5.4-1
Download and set the Wazuh configuration for Logstash:
Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-remote.conf
Start the Logstash service:
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service
Note
The Logstash configuration file has been replaced with an updated one. If you already configured encryption between Filebeat and Logstash, don't forget to check Setting up SSL for Filebeat and Logstash again if you're using a distributed architecture.
Upgrade Kibana
Upgrade the kibana package:
For CentOS/RHEL/Fedora:
# yum install kibana-6.5.4
For Debian/Ubuntu:
# apt-get install kibana=6.5.4
Uninstall the Wazuh app from Kibana:
Update file permissions. This will avoid several errors prior to updating the app:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
Remove the Wazuh app:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
Upgrade the Wazuh app:
# rm -rf /usr/share/kibana/optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.2_6.5.4.zip
Warning
The Wazuh app installation process may take several minutes. Please wait patiently.
Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
Upgrade Filebeat
Upgrade the filebeat package:
For CentOS/RHEL/Fedora:
# yum install filebeat-6.5.4
For Debian/Ubuntu:
# apt-get update
# apt-get install filebeat=6.5.4
Start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
Finishing the Elastic Stack upgrade
You've finished upgrading your Wazuh installation to the latest version. You can now disable the Elastic Stack repositories again to avoid undesired upgrades and compatibility issues with the Wazuh app.
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
This step is not necessary if you set the packages to the hold state instead of disabling the repositories.
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Official upgrading guides for the Elastic Stack: