This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

Upgrading Elastic Stack from 7.x to 7.y

Prepare the Elastic Stack

  1. Stop the services:
# systemctl stop filebeat
# systemctl stop kibana
  1. Add the new repository for Elastic Stack 7.x:
  • For CentOS/RHEL/Fedora:

    # rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
    # cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
  • For Debian/Ubuntu:

    # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
    

Upgrade Elasticsearch

  1. Disable shard allocation
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
  1. Stop non-essential indexing and perform a synced flush. (Optional)
curl -X POST "localhost:9200/_flush/synced"
  1. Shut down a single node.
# systemctl stop elasticsearch
  1. Upgrade the node you shut down.
  • For CentOS/RHEL/Fedora:

    # yum install elasticsearch-7.3.0
    
  • For Debian/Ubuntu:

    # apt-get install elasticsearch=7.3.0
    # systemctl restart elasticsearch
    
  1. Restart the service.
# systemctl daemon-reload
# systemctl restart elasticsearch
  1. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
  1. Reenable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
  1. Before upgrading the next node, wait for the cluster to finish shard allocation.
curl -X GET "localhost:9200/_cat/health?v"
  1. Repeat it for every Elasticsearch node.

Upgrade Filebeat

  1. Upgrade Filebeat.
  • For CentOS/RHEL/Fedora:

    # yum install filebeat-7.3.0
    
  • For Debian/Ubuntu:

    # apt-get install filebeat=7.3.0
    
  1. Update the configuration file.
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  1. Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
  1. Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  1. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:
output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  1. Restart Filebeat.
# systemctl daemon-reload
# systemctl restart filebeat

Upgrade Kibana

  1. Remove the Wazuh app.
# /usr/share/kibana/bin/kibana-plugin remove wazuh
  1. Upgrade Kibana.
  • For CentOS/RHEL/Fedora:

    # yum install kibana-7.3.0
    
  • For Debian/Ubuntu:

    # apt-get install kibana=7.3.0
    
  1. Install the Wazuh app.
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_7.3.0.zip
  1. Restart Kibana.
# systemctl daemon-reload
# systemctl restart kibana