Upgrading Elastic Stack from 7.x to 7.y

Prepare the Elastic Stack

  1. Stop the services:

# systemctl stop filebeat
# systemctl stop kibana
  1. Add the new repository for Elastic Stack 7.x:

  • For CentOS/RHEL/Fedora:

    # rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
    # cat > /etc/yum.repos.d/elastic.repo << EOF
    name=Elasticsearch repository for 7.x packages
  • For Debian/Ubuntu:

    # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

Upgrade Elasticsearch

  1. Disable shard allocation

curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  1. Stop non-essential indexing and perform a synced flush. (Optional)

curl -X POST "localhost:9200/_flush/synced"
  1. Shut down a single node.

# systemctl stop elasticsearch
  1. Upgrade the node you shut down.

  • For CentOS/RHEL/Fedora:

    # yum install elasticsearch-7.3.0
  • For Debian/Ubuntu:

    # apt-get install elasticsearch=7.3.0
    # systemctl restart elasticsearch
  1. Restart the service.

# systemctl daemon-reload
# systemctl restart elasticsearch
  1. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

curl -X GET "localhost:9200/_cat/nodes"
  1. Reenable shard allocation.

curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
  "persistent": {
    "cluster.routing.allocation.enable": null
  1. Before upgrading the next node, wait for the cluster to finish shard allocation.

curl -X GET "localhost:9200/_cat/health?v"
  1. Repeat it for every Elasticsearch node.

Upgrade Filebeat

  1. Upgrade Filebeat.

  • For CentOS/RHEL/Fedora:

    # yum install filebeat-7.3.0
  • For Debian/Ubuntu:

    # apt-get install filebeat=7.3.0
  1. Update the configuration file.

# cp /etc/filebeat/filebeat.yml /backup/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/filebeat/7.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
  1. Download the alerts template for Elasticsearch:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
  1. Download the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  1. Edit the file /etc/filebeat/filebeat.yml and replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:

output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  1. Restart Filebeat.

# systemctl daemon-reload
# systemctl restart filebeat

Upgrade Kibana

  1. Remove the Wazuh app.

# /usr/share/kibana/bin/kibana-plugin remove wazuh
  1. Upgrade Kibana.

  • For CentOS/RHEL/Fedora:

    # yum install kibana-7.3.0
  • For Debian/Ubuntu:

    # apt-get install kibana=7.3.0
  1. Install the Wazuh app.

# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_7.3.0.zip
  1. Restart Kibana.

# systemctl daemon-reload
# systemctl restart kibana