Upgrading Open Distro for Elasticsearch

This section guides you through the upgrade process of Elasticsearch, Filebeat and Kibana for the Open Distro for Elasticsearch distribution.

Note

Root user privileges are required to execute all the commands described below.

Preparing Open Distro for Elasticsearch

  1. Stop the services. On systemd based systems:

    # systemctl stop filebeat
    # systemctl stop kibana
    
    On SysV init based systems:

    # service filebeat stop
    # service kibana stop
    
  2. Prepare the repositories. Wazuh now hosts the Open Distro packages. To prevent accidental upgrades, it is recommended to disable the Open Distro repository. In addition, if the Elastic repository was added, it is also recommended to disable it:

2.1. Disable the Open Distro for Elasticsearch repository.

Yum:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo

APT:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/opendistroforelasticsearch.list
# apt-get update

Zypper:

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/opendistroforelasticsearch-artifacts.repo

2.2. (Optional) Disable the Elastic Stack basic license repository.

Yum:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

APT:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update

Alternatively, the user can set the package state to hold, which stops updates. It will still be possible to upgrade the packages manually using apt-get install:

# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "filebeat hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections

Zypper:

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo

2.3. Add the Wazuh 4.x repository.

Yum:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository (the heredoc delimiter is escaped so that $releasever is written literally to the repository file and expanded by yum, not by the shell):

    # cat > /etc/yum.repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  3. Clean the YUM cache:

    # yum clean all
    
APT:

  1. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
    
  2. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
    
  3. Update the package information:

    # apt-get update
    
Zypper:

  1. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=EL-$releasever - Wazuh
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    

Upgrading Elasticsearch

This guide explains how to perform a rolling upgrade, which allows you to shut down one node at a time for minimal disruption of service. The cluster remains available throughout the process.

The commands below use the IP address 127.0.0.1. If Elasticsearch is bound to a specific IP address, replace 127.0.0.1 with your Elasticsearch IP. If Elasticsearch is served over plain HTTP, omit the -k option; if user/password authentication is not used, omit the -u option.

  1. Disable shard allocation:

    curl -X PUT "https://127.0.0.1:9200/_cluster/settings"  -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
    
  2. Stop non-essential indexing and perform a synced flush:

    curl -X POST "https://127.0.0.1:9200/_flush/synced" -u <username>:<password> -k
    
  3. Shut down a single node:

    # systemctl stop elasticsearch
    
    # service elasticsearch stop
    
  4. Upgrade the node you shut down.

    Yum:

    # yum install opendistroforelasticsearch-1.11.0
    

    APT, upgrade Elasticsearch OSS:

    # apt install elasticsearch-oss=7.9.1
    

    APT, upgrade Open Distro for Elasticsearch:

    # apt install opendistro-alerting=1.11.0.1-1 opendistro-anomaly-detection=1.11.0.0-1 opendistro-index-management=1.11.0.0-1 opendistro-job-scheduler=1.11.0.0-1 opendistro-knn=1.11.0.0-1 opendistro-knnlib=1.11.0.0 opendistro-performance-analyzer=1.11.0.0-1 opendistro-security=1.11.0.0-0 opendistro-sql=1.11.0.0-1 opendistroforelasticsearch=1.11.0-1
    
    Zypper:

    # zypper update opendistroforelasticsearch-1.11.0
    
  5. Restart the service. On systemd based systems:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    

    On SysV init based systems, choose one option according to the OS used:

    Debian based OS:

    # update-rc.d elasticsearch defaults 95 10
    # service elasticsearch start
    
    RPM based OS:

    # chkconfig --add elasticsearch
    # service elasticsearch start
    
    
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "https://127.0.0.1:9200/_cat/nodes" -u <username>:<password> -k
    
  7. Reenable shard allocation:

    curl -X PUT "https://127.0.0.1:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "all"
      }
    }
    '
    
  8. Before upgrading the next node, wait for the cluster to finish shard allocation:

    curl -X GET "https://127.0.0.1:9200/_cat/health?v" -u <username>:<password> -k
    
  9. Repeat the steps for every Elasticsearch node.
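The rolling-upgrade steps above are a sequence of cluster API calls interleaved with checks that the operator has to eyeball (`_cat/nodes` for the rejoined node, `_cat/health?v` for settled shards). The following Python helper, added here as an example and not part of the Wazuh documentation, performs the same calls with urllib and turns each check into a function that can be verified against captured `_cat` output without a live cluster. The base URL, credentials, the `EsClient` class and the sample `_cat` tables are assumptions constructed for this example; `verify_tls=False` reproduces curl's `-k`, and a CA bundle passed through `cafile` is the preferred setting.

```python
"""Rolling-upgrade helpers for an Open Distro for Elasticsearch cluster.
Added example (not Wazuh code): wraps the API calls of the procedure and keeps
every go/no-go decision in a pure function checked against `_cat` output."""
import base64
import json
import ssl
import time
import urllib.request


class EsClient:
    """Minimal client for the Elasticsearch REST API (assumed helper).
    verify_tls=False mirrors `curl -k`; prefer cafile=<cluster CA bundle>."""

    def __init__(self, base_url, username=None, password=None, verify_tls=True, cafile=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Content-Type": "application/json"}
        if username is not None:  # HTTP basic auth, the equivalent of `curl -u`
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            self.headers["Authorization"] = f"Basic {token}"
        self.ctx = ssl.create_default_context(cafile=cafile)
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return resp.read().decode()


def allocation_settings(enable):
    """Body for PUT /_cluster/settings: 'primaries' before stopping a node, 'all' after it rejoins."""
    return {"persistent": {"cluster.routing.allocation.enable": enable}}


def parse_cat_table(text):
    """Turn `_cat/...?v` output (header row, then one row per item) into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def node_has_joined(nodes, node_name):
    """True when `node_name` is listed in the parsed `_cat/nodes?v` rows (step 6)."""
    return any(row.get("name") == node_name for row in nodes)


def shards_settled(health):
    """Step 8 check: cluster green with no relocating, initializing or unassigned shards."""
    if not health:
        return False
    row = health[0]
    return row.get("status") == "green" and all(row.get(col) == "0" for col in ("relo", "init", "unassign"))


def wait_until(predicate, attempts=60, interval=5.0):
    # Poll until the predicate holds; False when it never does within the attempts.
    for _ in range(attempts):
        if predicate():
            return True
        time.sleep(interval)
    return False


def prepare_node_shutdown(client):
    # Steps 1 and 2: keep only primaries allocated, then run a synced flush.
    client.request("PUT", "/_cluster/settings", allocation_settings("primaries"))
    client.request("POST", "/_flush/synced")


def finish_node_upgrade(client, node_name):
    # Steps 6 to 8: wait for the node to rejoin, re-enable allocation, wait for shards to settle.
    if not wait_until(lambda: node_has_joined(parse_cat_table(client.request("GET", "/_cat/nodes?v")), node_name)):
        raise RuntimeError(f"{node_name} did not rejoin the cluster")
    client.request("PUT", "/_cluster/settings", allocation_settings("all"))
    if not wait_until(lambda: shards_settled(parse_cat_table(client.request("GET", "/_cat/health?v")))):
        raise RuntimeError("shard allocation has not settled; do not upgrade the next node yet")


# Constructed `_cat` output in the 7.x column layout, used only for offline checks.
SAMPLE_CAT_NODES = """\
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
127.0.0.1           45          98   3    0.20    0.31     0.25 dimr      *      node-1
127.0.0.2           37          97   2    0.10    0.22     0.20 dimr      -      node-2
"""
SAMPLE_CAT_HEALTH_GREEN = """\
epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1607000000 12:00:00  wazuh-cluster green           3         3     20  10    0    0        0             0                  -                100.0%
"""
```

A typical run is `client = EsClient("https://127.0.0.1:9200", "admin", "<password>", verify_tls=False)`, then `prepare_node_shutdown(client)` before stopping the node, the package upgrade and restart by hand, and `finish_node_upgrade(client, "node-1")` afterwards; the function refuses to return until the cluster is green, which is the condition the procedure asks the operator to verify before touching the next node.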

Note

The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command, and restarting the Elasticsearch service afterwards:

# /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer

Upgrading Filebeat

  1. Upgrade Filebeat.

    Yum:

    # yum install filebeat-7.9.1
    
    APT:

    # apt-get install filebeat=7.9.1
    
    Zypper:

    # zypper update filebeat-7.9.1
    
    
  2. Download the alerts template for Elasticsearch:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  3. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
    
  4. Edit the /etc/filebeat/filebeat.yml configuration file. This step is only needed when upgrading a distributed installation; in an all-in-one installation the file is already configured.

    Single-node Elasticsearch:

    output.elasticsearch:
      hosts: ["<elasticsearch_ip>:9200"]
    

    Replace elasticsearch_ip with the IP address or the hostname of the Elasticsearch server.

    Multi-node Elasticsearch cluster:

    output.elasticsearch:
      hosts: ["<elasticsearch_ip_node_1>:9200", "<elasticsearch_ip_node_2>:9200", "<elasticsearch_ip_node_3>:9200"]
    

    Replace each elasticsearch_ip_node_x with the IP address or the hostname of the corresponding Elasticsearch node.

    During the installation, the default username and password were used. If those credentials were changed, replace those values in the filebeat.yml configuration file.

  5. Restart Filebeat. On systemd based systems:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

    On SysV init based systems, choose one option according to the OS used:

    Debian based OS:

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    
    RPM based OS:

    # chkconfig --add filebeat
    # service filebeat start
    
  6. Upload the new Wazuh template to Elasticsearch. This step can be omitted in Wazuh single-node installations:

    # filebeat setup --index-management -E output.logstash.enabled=false
    

Upgrading Kibana

Warning

Since the Wazuh 3.12.0 release, regardless of the Elastic Stack version, the Wazuh Kibana plugin configuration file has been moved from /usr/share/kibana/plugins/wazuh/wazuh.yml (version 3.11.x) or /usr/share/kibana/plugins/wazuh/config.yml (version 3.10.x or older) to /usr/share/kibana/optimize/wazuh/config/wazuh.yml.

Copy the Wazuh Kibana plugin configuration file to its new location. This step is not needed for upgrades from 3.12.x to 3.13.x.

Upgrading from 3.11.x, create the new directory and copy the Wazuh Kibana plugin configuration file:

# mkdir -p /usr/share/kibana/optimize/wazuh/config
# cp /usr/share/kibana/plugins/wazuh/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml

Upgrading from 3.10.x or older, create the new directory and copy the Wazuh Kibana plugin configuration file:

# mkdir -p /usr/share/kibana/optimize/wazuh/config
# cp /usr/share/kibana/plugins/wazuh/config.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml

Edit the /usr/share/kibana/optimize/wazuh/config/wazuh.yml configuration file and append the following default structure to the end of the file to define a Wazuh API entry:

hosts:
  - <id>:
     url: http(s)://<api_url>
     port: <api_port>
     user: <api_user>
     password: <api_password>

The following values need to be replaced:

  • <id>: an arbitrary ID for the entry.

  • <api_url>: URL of the Wazuh API.

  • <api_port>: port of the Wazuh API.

  • <api_user>: user name used to authenticate against the Wazuh API.

  • <api_password>: password used to authenticate against the Wazuh API.

If there are more Wazuh API entries, each of them must be added manually.
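The `hosts` structure above is the 3.x layout; the next step renames the `user` key to `username` and uses a `run_as` key, and every `<...>` value has to be filled in by hand for each API entry. The Python helper below, added here as an example and not part of the Wazuh project, applies that migration to an existing wazuh.yml and reports placeholders that were never replaced. It works on the file text line by line, so it needs no YAML library and keeps indentation and comments intact; the function names, the regular expressions and the sample entries are assumptions constructed for this example.

```python
"""Bring the `hosts` block of a Wazuh Kibana plugin wazuh.yml to the 4.x layout.
Added example (not Wazuh code): renames `user:` to `username:` in each API
entry, adds `run_as: false` where it is missing and lists unfilled <placeholders>."""
import re

ENTRY_START = re.compile(r"^\s*-\s+\S+:\s*$")   # a `  - <id>:` line opening one API entry
PLACEHOLDER = re.compile(r"<[^<>\s]+>")          # e.g. <api_url>, <api_password>


def migrate_hosts_block(text):
    """Return the migrated file text; entries already in 4.x form are left unchanged."""
    out = []
    entry_indent = None   # indentation of the current `- <id>:` line, None outside an entry
    key_indent = None     # indentation of that entry's keys (url, port, ...)
    seen_run_as = False

    def close_entry():
        # Append `run_as: false` to the entry just finished, before any trailing blank lines.
        if entry_indent is None or key_indent is None or seen_run_as:
            return
        trailing = []
        while out and not out[-1].strip():
            trailing.append(out.pop())
        out.append(" " * key_indent + "run_as: false")
        out.extend(trailing)

    for line in text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped and entry_indent is not None and indent <= entry_indent:
            close_entry()  # dedent: the previous entry is complete
            entry_indent, key_indent, seen_run_as = None, None, False
        if ENTRY_START.match(line):
            entry_indent, key_indent, seen_run_as = indent, None, False
        elif entry_indent is not None and stripped and not stripped.startswith("#"):
            if key_indent is None:
                key_indent = indent
            key, _, rest = stripped.partition(":")
            if key == "user":  # 3.x key name becomes the 4.x key name
                line = " " * indent + "username:" + rest
            elif key == "run_as":
                seen_run_as = True
        out.append(line)
    close_entry()
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def unfilled_placeholders(text):
    """(line number, placeholder) pairs for every `<...>` value still to be replaced."""
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for m in PLACEHOLDER.finditer(line)]


# Constructed inputs for offline checks: the template from the documentation and a
# filled-in 3.x style entry.
SAMPLE_TEMPLATE = """\
hosts:
  - <id>:
     url: http(s)://<api_url>
     port: <api_port>
     user: <api_user>
     password: <api_password>
"""
SAMPLE_OLD = """\
hosts:
  - default:
     url: https://localhost
     port: 55000
     user: wazuh
     password: wazuh
"""
```

Running `migrate_hosts_block` over `SAMPLE_OLD` yields exactly the 4.x entry shown in the next step (`username: wazuh` and `run_as: false`), and `unfilled_placeholders(SAMPLE_TEMPLATE)` lists all five `<...>` values, which is a useful pre-flight check before the file is handed to the plugin with mode 600.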

  1. Replace the key user with username, and set both username and password to wazuh in the file /usr/share/kibana/optimize/wazuh/config/wazuh.yml:

    hosts:
      - default:
          url: https://localhost
          port: 55000
          username: wazuh
          password: wazuh
          run_as: false
    
  2. Remove the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin remove wazuh
    
  3. Upgrade Kibana.

    Yum:

    # yum install opendistroforelasticsearch-kibana-1.11.0
    
    APT:

    # apt-get install opendistroforelasticsearch-kibana=1.11.0
    
    Zypper:

    # zypper update opendistroforelasticsearch-kibana-1.11.0
    
    
  4. Remove generated bundles and the wazuh-registry.json file:

    # rm -rf /usr/share/kibana/optimize/bundles
    # rm -f /usr/share/kibana/optimize/wazuh/config/wazuh-registry.json
    
  5. Update file permissions. This will prevent errors when generating new bundles or updating the Wazuh Kibana plugin:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    
  6. Install the Wazuh Kibana plugin.

    From the Wazuh package repository:

    # cd /usr/share/kibana/
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip
    
    From a local copy of the package:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin install file:///path/wazuh_kibana-4.0.4_7.9.1.zip
    
    
  7. Update configuration file permissions:

    # sudo chown kibana:kibana /usr/share/kibana/optimize/wazuh/config/wazuh.yml
    # sudo chmod 600 /usr/share/kibana/optimize/wazuh/config/wazuh.yml
    
  8. For installations on Kibana 7.6.x and higher, it is recommended to increase the Kibana heap size so that the installation of Kibana plugins does not run out of memory:

    # cat >> /etc/default/kibana << EOF
    NODE_OPTIONS="--max_old_space_size=2048"
    EOF
    
  9. Allow the Kibana node binary to bind to the privileged port 443:

    # setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
    
  10. Restart Kibana. On systemd based systems:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana
    

    On SysV init based systems, choose one option according to the OS used:

    Debian based OS:

    # update-rc.d kibana defaults 95 10
    # service kibana start
    
    RPM based OS:

    # chkconfig --add kibana
    # service kibana start
    
    
  11. Once Kibana is accessible, remove the wazuh-alerts-3.x-* index pattern. Since Wazuh 4.0 it has been replaced by wazuh-alerts-*, and the old pattern must be removed for the new one to take its place.

    # curl 'https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*' -X DELETE  -H 'Content-Type: application/json' -H 'kbn-version: 7.9.1' -k -uadmin:admin
    

    If you have a custom index pattern, be sure to replace it accordingly.

  12. Clean the browser's cache and cookies.

Disabling the repository

It is recommended to disable the Wazuh repository to prevent an accidental upgrade to a newer Elastic Stack version, which could undo the changes made for the Wazuh Kibana plugin.

Yum:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

APT:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

Zypper:

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo

Next step

The next step consists of upgrading the Wazuh agents.