Upgrading Elastic Stack basic license

This section guides through the upgrade process of Elasticsearch, Filebeat and Kibana for Elastic distribution.


This guide is meant for upgrades from 7.x to 7.y. The upgrade instructions for Elastic Stack versions prior to 7.0 can be found in the Upgrading Elastic Stack from a legacy version section.


Root user privileges are required to execute all the commands described below.

Preparing Elastic Stack

  1. Stop the services:

    # systemctl stop filebeat
    # systemctl stop kibana
  2. Add the Elastic Stack repository:

    1. Import the GPG key:

      # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    2. Add the repository:

      # cat > /etc/yum.repos.d/elastic.repo << EOF
      name=Elasticsearch repository for 7.x packages
  3. Before the upgrade process it is important to ensure that the Wazuh repository is disabled, as it contains Filebeat packages used by Open Distro for Elasticsearch distribution, which might be accidentally installed instead of the Elastic package. In case of having enabled the Wazuh repository it can be disabled using:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Upgrading Elasticsearch

This guide explains how to perform a rolling upgrade, which allows you to shut down one node at a time for minimal disruption of service. The cluster remains available throughout the process.

In the commands below IP address is used. If Elasticsearch is bound to a specific IP address, replace with your Elasticsearch IP. If using http, the option -k must be omitted and if not using user/password authentication, -u must be omitted.

  1. Disable shard allocation:

    curl -X PUT ""  -u <username>:<password> -k -H 'Content-Type: application/json' -d'
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
  2. Stop non-essential indexing and perform a synced flush:

    curl -X POST "" -u <username>:<password> -k
  3. Shut down a single node:

    # systemctl stop elasticsearch
  4. Upgrade the node you shut down:

    # yum install elasticsearch-7.9.3
  5. Restart the service:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "" -u <username>:<password> -k
  7. Reenable shard allocation:

    curl -X PUT "" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
      "persistent": {
        "cluster.routing.allocation.enable": "all"
  8. Before upgrading the next node, wait for the cluster to finish shard allocation:

    curl -X GET "" -u <username>:<password> -k
  9. Repeat the steps for every Elasticsearch node.

Upgrading Filebeat

The following steps needs to be run in the Wazuh server or servers in case of Wazuh multi-node cluster.

  1. Upgrade Filebeat:

    # yum install filebeat-7.9.3
  2. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
  3. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
  4. Edit the /etc/filebeat/filebeat.yml configuration file. Replace YOUR_ELASTIC_SERVER_IP with the IP address or the hostname of the Elasticsearch server. For example:

    output.elasticsearch.hosts: ['http://YOUR_ELASTIC_SERVER_IP:9200']
  5. Restart Filebeat:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
  6. Upload the new Wazuh template to Elasticsearch. This step can be omitted in Wazuh single-node installations:

# filebeat setup --index-management -E output.logstash.enabled=false

Upgrading Kibana


Since Wazuh 3.12.0 release, regardless of the Elastic Stack version, the location of the Wazuh Kibana plugin configuration file has been moved from /usr/share/kibana/plugins/wazuh/wazuh.yml, for the version 3.11.x, and from /usr/share/kibana/plugins/wazuh/config.yml, for the version 3.10.x or older, to /usr/share/kibana/optimize/wazuh/config/wazuh.yml.

Copy the Wazuh Kibana plugin configuration file to its new location. This step is not needed for upgrades from 3.12.x to latest:

Create the new directory and copy the Wazuh Kibana plugin configuration file:

# mkdir -p /usr/share/kibana/optimize/wazuh/config
# cp /usr/share/kibana/plugins/wazuh/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml
  1. Replace the value user by username and set the username and password as wazuh in the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml:

      - default:
          url: https://localhost
          port: 55000
          username: wazuh
          password: wazuh
          run_as: false
  2. Remove the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin remove wazuh
  3. Upgrade Kibana:

    # yum install kibana-7.9.3
  4. Remove generated bundles and the wazuh-registry.json file:

    # rm -rf /usr/share/kibana/optimize/bundles
    # rm -f /usr/share/kibana/optimize/wazuh/config/wazuh-registry.json
  5. Update file permissions. This will prevent errors when generating new bundles or updating the Wazuh Kibana plugin:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
  6. Install the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.3-1.zip
  7. Update configuration file permissions:

    # sudo chown kibana:kibana /usr/share/kibana/optimize/wazuh/config/wazuh.yml
    # sudo chmod 600 /usr/share/kibana/optimize/wazuh/config/wazuh.yml
  8. For installations on Kibana 7.6.x version and higher, it is recommended to increase the heap size of Kibana to ensure the Kibana's plugins installation:

    # cat >> /etc/default/kibana << EOF
  9. Link Kibana’s socket to privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
  10. Restart Kibana:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
  11. Once Kibana is accesible, remove the wazuh-alerts-3.x-* index pattern. Since Wazuh 4.0 it has been replaced by wazuh-alerts-* , it is necessary to remove the old pattern in order for the new one to take its place.

    # curl 'https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*' -X DELETE  -H 'Content-Type: application/json' -H 'kbn-version: 7.9.3' -k -uelastic:<elastic_password>

    If you have a custom index pattern, be sure to replace it accordingly.

  12. Clean the browser's cache and cookies.

Disabling the repository

It is recommended to disable the Elastic repository to prevent an upgrade to a newest Elastic Stack version due to the possibility of undoing changes with the Wazuh Kibana plugin:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

Next step

The next step consists on upgrading the Wazuh agents.