This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

Upgrading Elastic Stack from 6.x to 6.8

Prepare the Elastic Stack

  1. Stop the services:
# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana

Upgrade Elasticsearch

  1. Disable shard allocation
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
  1. Stop non-essential indexing and perform a synced flush. (Optional)
curl -X POST "localhost:9200/_flush/synced"
  1. Shut down a single node.
# systemctl stop elasticsearch
  1. Upgrade the node you shut down.
  • For CentOS/RHEL/Fedora:

    # yum install elasticsearch-6.8.2
    
  • For Debian/Ubuntu:

    # apt-get install elasticsearch=6.8.2
    # systemctl restart elasticsearch
    
  1. Restart the service.
# systemctl daemon-reload
# systemctl restart elasticsearch
  1. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
  1. Reenable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
  1. Before upgrading the next node, wait for the cluster to finish shard allocation.
curl -X GET "localhost:9200/_cat/health?v"
  1. Repeat it for every Elasticsearch node.
  2. Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-

Upgrade Logstash

  1. Upgrade the logstash package:
  1. For CentOS/RHEL/Fedora:
# yum install logstash-6.8.2
  1. For Debian/Ubuntu:
# apt-get install logstash=1:6.8.2-1
  1. Download and set the Wazuh configuration for Logstash:
  1. Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/logstash/6.x/01-wazuh-local.conf
# usermod -a -G ossec logstash
  1. Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/logstash/6.x/01-wazuh-remote.conf
  1. Start the Logstash service:
# systemctl daemon-reload
# systemctl start logstash.service

Upgrade Filebeat

  1. Upgrade Filebeat.
  • For CentOS/RHEL/Fedora:

    # yum install filebeat-6.8.2
    
  • For Debian/Ubuntu:

    # apt-get install filebeat=6.8.2
    
  1. Update the configuration file.
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/6.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  1. Restart Filebeat.
# systemctl daemon-reload
# systemctl restart filebeat

Upgrade Kibana

Upgrade Kibana

  1. Upgrade the kibana package:
  1. For CentOS/RHEL/Fedora:
# yum install kibana-6.8.2
  1. For Debian/Ubuntu:
# apt-get install kibana=6.8.2
  1. Uninstall the Wazuh app from Kibana:
  1. Update file permissions. This will avoid several errors prior to updating the app:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
  1. Remove the Wazuh app:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
  1. Upgrade the Wazuh app:
# rm -rf /usr/share/kibana/optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_6.8.2.zip

Warning

The Wazuh app installation process may take several minutes. Please wait patiently.

  1. Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service