Upgrading Elastic Stack from 6.x to 6.8
Prepare the Elastic Stack
- Stop the services:
# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana
Upgrade Elasticsearch
- Disable shard allocation:
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
- (Optional) Stop non-essential indexing and perform a synced flush:
curl -X POST "localhost:9200/_flush/synced"
- Shut down a single node.
# systemctl stop elasticsearch
- Upgrade the node you shut down.
For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.8.2
For Debian/Ubuntu:
# apt-get install elasticsearch=6.8.2
# systemctl restart elasticsearch
- Restart the service.
# systemctl daemon-reload
# systemctl restart elasticsearch
- Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
- Reenable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
- Before upgrading the next node, wait for the cluster to finish shard allocation.
curl -X GET "localhost:9200/_cat/health?v"
- Repeat it for every Elasticsearch node.
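The rolling procedure above has two points where you wait: the cluster must settle before the next node is stopped, and after the last node you want proof that every node really came back at 6.8.2. The following script is an added example, not part of the Wazuh documentation; it implements those two checks as functions that parse the plain-text tables returned by _cat/health?v and _cat/nodes?v, and it includes constructed sample output so the checks can be exercised offline. ES_URL, TARGET_VERSION and the function names are assumptions; like the page, it talks to the unauthenticated localhost:9200 endpoint.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): readiness checks for a rolling
# Elasticsearch upgrade. ES_URL and TARGET_VERSION are assumed variables.
ES_URL="${ES_URL:-http://localhost:9200}"
TARGET_VERSION="${TARGET_VERSION:-6.8.2}"

# health_settled: reads a "_cat/health?v" table (header plus one row) on stdin.
# Returns 0 only when the status is green and no shards are relocating,
# initializing or unassigned, i.e. it is safe to shut down the next node.
# Columns are looked up by header name so column order does not matter.
health_settled() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
         { ok = ($col["status"] == "green" &&
                 $col["relo"] == 0 &&
                 $col["init"] == 0 &&
                 $col["unassign"] == 0) }
         END { exit ok ? 0 : 1 }'
}

# nodes_upgraded: reads a "_cat/nodes?v&h=name,version" table on stdin.
# Returns 0 only if at least one node is listed and every node reports
# TARGET_VERSION, which is the confirmation the "_cat/nodes" step asks for.
nodes_upgraded() {
    awk -v want="$TARGET_VERSION" 'NR == 1 { next }
         $2 != want { bad++ }
         END { exit (NR > 1 && !bad) ? 0 : 1 }'
}

# check_cluster: run both checks against a live cluster (needs network;
# not exercised by the offline samples below). curl -f makes HTTP errors
# fail the pipeline instead of feeding an error page to awk.
check_cluster() {
    curl -sf "$ES_URL/_cat/health?v" | health_settled \
        || { echo "cluster not settled yet; do not stop the next node" >&2; return 1; }
    curl -sf "$ES_URL/_cat/nodes?v&h=name,version" | nodes_upgraded \
        || { echo "not every node reports $TARGET_VERSION" >&2; return 1; }
    echo "cluster green and all nodes at $TARGET_VERSION"
}

# Constructed sample output, laid out like the real _cat tables.
SAMPLE_HEALTH_OK='epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1566391234 12:34:56  elasticsearch green           3         3     20  10    0    0        0             0                  -                100.0%'
SAMPLE_HEALTH_BUSY='epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1566391240 12:35:02  elasticsearch yellow          3         3     18   9    2    1        2             0                  -                 90.0%'
SAMPLE_NODES_OK='name   version
node-1 6.8.2
node-2 6.8.2
node-3 6.8.2'
SAMPLE_NODES_MIXED='name   version
node-1 6.8.2
node-2 6.5.4
node-3 6.8.2'

# With --live the script queries the cluster; otherwise it only defines the
# functions and samples so they can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    check_cluster
fi
```

Run it with `--live` between node upgrades; a non-zero exit means either the cluster is still moving shards or some node is still on the old version, so the next `systemctl stop elasticsearch` should wait.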
- Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/6.x/wazuh-template.json \
  | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
Upgrade Logstash
- Upgrade the logstash package:
- For CentOS/RHEL/Fedora:
# yum install logstash-6.8.2
- For Debian/Ubuntu:
# apt-get install logstash=1:6.8.2-1
- Download and set the Wazuh configuration for Logstash:
- Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/logstash/6.x/01-wazuh-local.conf
# usermod -a -G ossec logstash
- Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/logstash/6.x/01-wazuh-remote.conf
- Start the Logstash service:
# systemctl daemon-reload
# systemctl start logstash.service
Upgrade Filebeat
- Upgrade Filebeat.
For CentOS/RHEL/Fedora:
# yum install filebeat-6.8.2
For Debian/Ubuntu:
# apt-get install filebeat=6.8.2
- Update the configuration file.
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/6.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
- Restart Filebeat.
# systemctl daemon-reload
# systemctl restart filebeat
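The Logstash and Filebeat steps above follow the same pattern: copy the current file to a backup location, then overwrite it with `curl -so`. Without `-f`, curl exits 0 on an HTTP error and writes the error body (for example a "404: Not Found" page) over the configuration, so the service then fails to start with a config that no longer matches the backup name you expect. The helper below is an added example, not part of the Wazuh documentation: it downloads to a temporary file with `curl -f`, keeps a timestamped backup of the existing file, and installs the new file only if the download produced non-empty content. The function names, the backup naming scheme and the sample files are assumptions for illustration; the page's own paths and URLs are shown only in the commented usage line.

```shell
#!/bin/sh
# Added example (not from the Wazuh docs): replace a config file safely.
# install_config SRC DEST BACKUP_DIR [MODE]
#   Back up DEST (if present) into BACKUP_DIR as <name>.<timestamp>.bak, then
#   copy SRC to DEST and apply MODE (default 0644, matching "chmod go+r").
#   Refuses an empty SRC, so a failed download never replaces a working file.
install_config() {
    src="$1"; dest="$2"; backup_dir="$3"; mode="${4:-0644}"
    if [ ! -s "$src" ]; then
        echo "refusing to install empty file $src over $dest" >&2
        return 1
    fi
    mkdir -p "$backup_dir" || return 1
    if [ -f "$dest" ]; then
        cp -p "$dest" "$backup_dir/$(basename "$dest").$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    cp "$src" "$dest" && chmod "$mode" "$dest"
}

# fetch_config URL DEST BACKUP_DIR [MODE]
#   Download URL to a temp file; -f turns HTTP errors into a non-zero exit,
#   -L follows redirects, -sS stays quiet but still reports errors. Only a
#   successful, non-empty download reaches install_config. Needs network.
fetch_config() {
    url="$1"; dest="$2"; backup_dir="$3"; mode="${4:-0644}"
    tmp=$(mktemp) || return 1
    if curl -fsSL -o "$tmp" "$url" && install_config "$tmp" "$dest" "$backup_dir" "$mode"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "download or install of $url failed; $dest left unchanged" >&2
    return 1
}

# backup_count DEST BACKUP_DIR
#   Number of backups kept for DEST's basename; handy for a post-upgrade check.
backup_count() {
    ls "$2"/"$(basename "$1")".*.bak 2>/dev/null | wc -l | tr -d ' '
}

# Usage for the Filebeat step on this page (constructed call, not run here):
# fetch_config https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/6.x/filebeat.yml \
#              /etc/filebeat/filebeat.yml /backup 0644
```

The same call with the Logstash URL and `/etc/logstash/conf.d/01-wazuh.conf` replaces the `cp` plus `curl -so` pair in the Logstash section; the `usermod -a -G ossec logstash` step for the local configuration is unchanged.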
Upgrade Kibana
- Upgrade the kibana package:
- For CentOS/RHEL/Fedora:
# yum install kibana-6.8.2
- For Debian/Ubuntu:
# apt-get install kibana=6.8.2
- Uninstall the Wazuh app from Kibana:
- Update file permissions. This will avoid several errors prior to updating the app:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
- Remove the Wazuh app:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
- Upgrade the Wazuh app:
# rm -rf /usr/share/kibana/optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_6.8.2.zip
Warning
The Wazuh app installation process may take several minutes. Please wait patiently.
- Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service