Upgrading Elastic Stack from 6.x to 6.8¶

Prepare the Elastic Stack¶

Stop the services:

# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana

Upgrade Elasticsearch¶

Disable shard allocation

curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'

Stop non-essential indexing and perform a synced flush. (Optional)

curl -X POST "localhost:9200/_flush/synced"

Shut down a single node.

# systemctl stop elasticsearch

Upgrade the node you shut down.

For CentOS/RHEL/Fedora:
```
# yum install elasticsearch-6.8.2
```

For Debian/Ubuntu:

# apt-get install elasticsearch=6.8.2
# systemctl restart elasticsearch

Restart the service.

# systemctl daemon-reload
# systemctl restart elasticsearch

Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

curl -X GET "localhost:9200/_cat/nodes"

Reenable shard allocation.

curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'

Before upgrading the next node, wait for the cluster to finish shard allocation.

curl -X GET "localhost:9200/_cat/health?v"

Repeat it for every Elasticsearch node.
Load the Wazuh template for Elasticsearch:

# curl https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-

Upgrade Logstash¶

Upgrade the logstash package:

For CentOS/RHEL/Fedora:
# yum install logstash-6.8.2
For Debian/Ubuntu:
# apt-get install logstash=1:6.8.2-1

Download and set the Wazuh configuration for Logstash:

Local configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/logstash/6.x/01-wazuh-local.conf
# usermod -a -G ossec logstash

Remote configuration:

# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/logstash/6.x/01-wazuh-remote.conf

Start the Logstash service:

# systemctl daemon-reload
# systemctl start logstash.service

Upgrade Filebeat¶

Upgrade Filebeat.

For CentOS/RHEL/Fedora:
# yum install filebeat-6.8.2
For Debian/Ubuntu:
# apt-get install filebeat=6.8.2

Update the configuration file.

# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/6.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml

Restart Filebeat.

# systemctl daemon-reload
# systemctl restart filebeat

Upgrade Kibana¶

Upgrade the kibana package:

For CentOS/RHEL/Fedora:
# yum install kibana-6.8.2
For Debian/Ubuntu:
# apt-get install kibana=6.8.2

Uninstall the Wazuh app from Kibana:

Update file permissions. This will avoid several errors prior to updating the app:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
Remove the Wazuh app:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh

Upgrade the Wazuh app:

# rm -rf /usr/share/kibana/optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_6.8.2.zip

Warning

The Wazuh app installation process may take several minutes. Please wait patiently.

Start the Kibana service:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service