Upgrading Elastic Stack from 7.x to 7.y
Prepare the Elastic Stack
Stop the services:
# systemctl stop filebeat
# systemctl stop kibana
Add the new repository for Elastic Stack 7.x:
For CentOS/RHEL/Fedora:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
For Debian/Ubuntu:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Upgrade Elasticsearch
Disable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
(Optional) Stop non-essential indexing and perform a synced flush.
curl -X POST "localhost:9200/_flush/synced"
Shut down a single node.
# systemctl stop elasticsearch
Upgrade the node you shut down.
For CentOS/RHEL/Fedora:
# yum install elasticsearch-7.3.0
For Debian/Ubuntu:
# apt-get install elasticsearch=7.3.0
# systemctl restart elasticsearch
Restart the service.
# systemctl daemon-reload
# systemctl restart elasticsearch
Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
Re-enable shard allocation.
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
Before upgrading the next node, wait for the cluster to finish shard allocation.
curl -X GET "localhost:9200/_cat/health?v"
Repeat these steps for every Elasticsearch node, one node at a time.
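The two checks the rolling upgrade relies on, "did the upgraded node rejoin at the new version" and "has shard allocation finished before the next node is taken down", as an added shell helper that is not part of the Wazuh documentation. ES_URL, the node name and the sample _cat output below are assumptions or constructed data; the column order matches the 7.x _cat/health?v header shown in the comment.

```shell
#!/bin/sh
# Added example, not from the Wazuh docs. ES_URL is an assumed variable.
ES_URL="${ES_URL:-http://localhost:9200}"

# Return 0 when a _cat/health?v output shows a green cluster with no
# relocating, initializing or unassigned shards. 7.x header columns:
# epoch timestamp cluster status node.total node.data shards pri
# relo init unassign pending_tasks max_task_wait_time active_shards_percent
health_settled() {
    printf '%s\n' "$1" | awk '
        $1 == "epoch" { next }                   # skip the header row
        { ok = ($4 == "green" && $9 == 0 && $10 == 0 && $11 == 0) }
        END { if (ok) exit 0; exit 1 }'
}

# Return 0 when "_cat/nodes?h=name,version" output lists NODE running VERSION,
# i.e. the node you just upgraded rejoined the cluster on the expected release.
node_joined_at_version() {
    printf '%s\n' "$1" | awk -v node="$2" -v ver="$3" '
        $1 == node && $2 == ver { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Poll until shard allocation has finished (the "wait for the cluster" step);
# give up after MAX_TRIES polls, ten seconds apart.
wait_for_allocation() {
    tries=0; max_tries="${1:-60}"
    while :; do
        if health_settled "$(curl -s "$ES_URL/_cat/health?v")"; then
            return 0
        fi
        tries=$((tries + 1))
        [ "$tries" -ge "$max_tries" ] && return 1
        sleep 10
    done
}
```

Run `node_joined_at_version "$(curl -s "$ES_URL/_cat/nodes?h=name,version")" <node> 7.3.0 && wait_for_allocation` between nodes; a non-zero exit means do not stop the next node yet.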
Upgrade Filebeat
Upgrade Filebeat.
For CentOS/RHEL/Fedora:
# yum install filebeat-7.3.0
For Debian/Ubuntu:
# apt-get install filebeat=7.3.0
Update the configuration file.
# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:
output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
Restart Filebeat.
# systemctl daemon-reload
# systemctl restart filebeat
Upgrade Kibana
Remove the Wazuh app.
# /usr/share/kibana/bin/kibana-plugin remove wazuh
Upgrade Kibana.
For CentOS/RHEL/Fedora:
# yum install kibana-7.3.0
For Debian/Ubuntu:
# apt-get install kibana=7.3.0
Install the Wazuh app.
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_7.3.0.zip
Restart Kibana.
# systemctl daemon-reload
# systemctl restart kibana