Upgrade from different major version
The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x (which implies upgrading from Elastic Stack 5.x to 6.x).
Upgrade Wazuh manager
- Stop the services: 
# systemctl stop wazuh-api
# systemctl stop wazuh-manager
- Add the new repository for Wazuh 3.x. 
For CentOS/RHEL/Fedora:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For Debian/Ubuntu:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- Upgrade the manager. 
Upgrade the Wazuh manager on CentOS/RHEL/Fedora:
# yum install wazuh-manager-3.8.2-1
Upgrade the Wazuh manager on Debian/Ubuntu:
# apt-get update
# apt-get install wazuh-manager=3.8.2-1
- Upgrade the API. 
Upgrade the Wazuh API on CentOS/RHEL/Fedora:
# yum install wazuh-api
Upgrade the Wazuh API on Debian/Ubuntu:
# apt-get install wazuh-api
Upgrade Wazuh agent
- Stop the service: 
# systemctl stop wazuh-agent
- Add the new repository for Wazuh 3.x. 
For CentOS/RHEL/Fedora:
# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
For Debian/Ubuntu:
# echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
- Upgrade the agent. 
Upgrade the Wazuh agent on CentOS/RHEL/Fedora:
# yum install wazuh-agent
Upgrade the Wazuh agent on Debian/Ubuntu:
# apt-get update
# apt-get install wazuh-agent
For Windows:
Upgrading the agent on Windows systems requires downloading the latest available installer from the packages list. There are two ways of using it (both of them require administrator rights):
Using the GUI installer:
Open the installer and follow the instructions to upgrade the agent.

Using the command line:
To upgrade the Windows agent from the command line, run the installer using Windows PowerShell or the command prompt (the /q argument is used for unattended installations):
# wazuh-agent-3.8.2-1.msi /q
Note
To learn more about the unattended installation process, you can check the Windows installation guide.
Disable the Wazuh repository
We recommend that the Wazuh repository be disabled in order to prevent accidental upgrades. To disable the repository, follow these steps:
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install):
# echo "wazuh-manager hold" | sudo dpkg --set-selections
# echo "wazuh-api hold" | sudo dpkg --set-selections
# echo "wazuh-agent hold" | sudo dpkg --set-selections
Prepare the Elastic Stack
- Stop the services: 
# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
- Add the new repository for Elastic Stack 6.x: 
For CentOS/RHEL/Fedora:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
For Debian/Ubuntu:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
Upgrade Elasticsearch
Note
Since you are upgrading to a different major version of Elasticsearch, it's important that you back up /etc/elasticsearch/elasticsearch.yml and /etc/elasticsearch/jvm.options before upgrading Elasticsearch. Check the Elasticsearch Reference for more information.
- Update Elasticsearch: 
For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.7.1
For Debian/Ubuntu:
# apt-get update
# apt-get install elasticsearch=6.7.1
- Start Elasticsearch: 
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the one shown below:
# curl "http://localhost:9200/?pretty"
{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "M-W_RznZRA-CXykh_oJsCQ",
  "version" : {
    "number" : "6.7.1",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
- Load the Wazuh template for Elasticsearch: 
Warning
The Wazuh app for Kibana needs the Elasticsearch template in order to work properly, so it's important to make sure that it was properly inserted.
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
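The two checks above (Elasticsearch reports 6.7.1, and the Wazuh template was really inserted) are easy to get wrong by eye, so here is an added helper script that is not part of the Wazuh documentation. It assumes Elasticsearch answers on http://localhost:9200 (override with ES_URL) and parses the JSON with sed/grep only, so it runs on a bare server; invoke it as `sh check-es-upgrade.sh run`.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): verify the Elasticsearch 6.7.1
# upgrade and the Wazuh index template before moving on to Logstash/Kibana.
ES_URL="${ES_URL:-http://localhost:9200}"   # assumption: single local node
EXPECTED_ES_VERSION="6.7.1"                  # version the guide installs

# Print the "number" field from the version block of the GET / response.
es_version_from_json() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only when the node reports exactly the expected version.
check_es_version() {
  [ "$(es_version_from_json "$1")" = "$EXPECTED_ES_VERSION" ]
}

# Succeed only when GET /_template/wazuh returns a "wazuh" template object.
check_wazuh_template() {
  printf '%s' "$1" | tr -d '\n' | grep -q '"wazuh"[[:space:]]*:[[:space:]]*{'
}

# Poll the root endpoint until the node answers (up to 60 tries, 5 s apart)
# and print the body; fail if it never comes up.
wait_for_es() {
  i=0
  while [ "$i" -lt 60 ]; do
    if body=$(curl -sf "$ES_URL/?pretty" 2>/dev/null); then
      printf '%s' "$body"
      return 0
    fi
    i=$((i + 1))
    sleep 5
  done
  return 1
}

main() {
  body=$(wait_for_es) || { echo "Elasticsearch did not start"; exit 1; }
  check_es_version "$body" ||
    { echo "unexpected version: $(es_version_from_json "$body")"; exit 1; }
  # curl -f turns the 404 returned for a missing template into a failure.
  tmpl=$(curl -sf "$ES_URL/_template/wazuh") || { echo "no wazuh template"; exit 1; }
  check_wazuh_template "$tmpl" || { echo "wazuh template malformed"; exit 1; }
  echo "Elasticsearch $EXPECTED_ES_VERSION is up and the wazuh template is loaded"
}

# Only contact the server when explicitly asked, so the file can be sourced.
case "${1:-}" in run) main ;; esac
```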
Upgrade Logstash
- Upgrade Logstash: 
For CentOS/RHEL/Fedora:
# yum install logstash-6.7.1
For Debian/Ubuntu:
# apt-get install logstash=1:6.7.1-1
- Download and set the Wazuh configuration for Logstash: 
Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/logstash/01-wazuh-remote.conf
- Start Logstash: 
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service
Upgrade Kibana
- Upgrade Kibana: 
For CentOS/RHEL/Fedora:
# yum install kibana-6.7.1
For Debian/Ubuntu:
# apt-get install kibana=6.7.1
- Uninstall the Wazuh app from Kibana:
  - Update file permissions. This will avoid several errors prior to updating the app:
  # chown -R kibana:kibana /usr/share/kibana/optimize
  # chown -R kibana:kibana /usr/share/kibana/plugins
  - Remove the Wazuh app:
  # sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
- Migrate .kibana from 5.x to 6.x: 
The .kibana index (which holds Kibana's configuration) has drastically changed. To migrate it, follow the official documentation:
- Upgrade the Wazuh Kibana App: 
# rm -rf /usr/share/kibana/optimize/bundles
With sudo:
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.8.2_6.7.1.zip
Without sudo:
# su -c 'NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.8.2_6.7.1.zip' kibana
- Start Kibana: 
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
Upgrade Filebeat
- Upgrade Filebeat: 
For CentOS/RHEL/Fedora:
# yum install filebeat-6.7.1
For Debian/Ubuntu:
# apt-get install filebeat=6.7.1
- Download the Filebeat configuration file from the Wazuh repository: 
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml
- Edit the file /etc/filebeat/filebeat.yml and replace ELASTIC_SERVER_IP with the IP address or the hostname of your Elastic Stack server:
output:
  logstash:
    hosts: ["ELASTIC_SERVER_IP:5000"]
- Enable and start the Filebeat service: 
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service
Disable the Elastic Stack repository
We recommend that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version. An untimely or unplanned upgrade may break the Wazuh app. To disable the repository, follow these steps:
For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Alternatively, you can set the package state to hold, which will stop updates (although you can still upgrade it manually using apt-get install):
# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections
# echo "logstash hold" | sudo dpkg --set-selections
Official upgrading guides for the Elastic Stack:
Reindexing your previous alerts
In the new version of Wazuh, the structure of the Wazuh alerts has changed. The new alerts present more information to the end user than the old alerts. This is why Wazuh 3.x uses different indices and templates than Wazuh 2.x.
For this reason, you will not be able to see the previous alerts using Kibana. If you need to access them, you will have to reindex the previous indices.
Reindexing can be a complex process, depending on the size of your dataset. This should only be done if you need to visualize alerts that were generated before the upgrade of your Kibana environment.
There is a reindex script developed by the Wazuh Team. The documentation for this script is available at Restore Wazuh alerts from Wazuh 2.x.
Note
Older alerts will not disappear if you choose not to reindex. These alerts will still be stored in Elasticsearch and the Wazuh manager.