Upgrading Elastic Stack from 6.x to 6.8

This section guides through the upgrade process of the Elastic Stack components including Elasticsearch, Logstash, Filebeat and Kibana for the Elastic distribution.

Preparing the Elastic Stack

  1. Stop the services:

    # systemctl stop logstash
    # systemctl stop filebeat
    # systemctl stop kibana
  2. In case of having disabled the repository for Elastic Stack 6.x it can be enabled using:

    # sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo

Upgrading Elasticsearch

  1. Disable shard allocation:

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
  2. Stop non-essential indexing and perform a synced flush (optional):

    curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node:

    # systemctl stop elasticsearch
  4. Upgrade the shut down node:

    # yum install elasticsearch-6.8.8
  5. Restart the service:

    # systemctl daemon-reload
    # systemctl restart elasticsearch
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "localhost:9200/_cat/nodes"
  7. Reenable shard allocation:

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
      "persistent": {
        "cluster.routing.allocation.enable": null
  8. Before upgrading the next node, wait for the cluster to finish shard allocation:

    curl -X GET "localhost:9200/_cat/health?v"
  9. Repeat the steps for every Elasticsearch node.

  10. Load the Wazuh template for Elasticsearch:

    # curl https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-

Upgrading Logstash

  1. Upgrade Logstash:

    # yum install logstash-6.8.8
  2. Download and set the Wazuh configuration for Logstash:

    # cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
    # curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/logstash/6.x/01-wazuh-local.conf
    # usermod -a -G ossec logstash
  3. Start the Logstash service:

    # systemctl daemon-reload
    # systemctl start logstash

Upgrading Filebeat

  1. Upgrade Filebeat:

    # yum install filebeat-6.8.8
  2. Update the configuration file:

    # cp /etc/filebeat/filebeat.yml <back-up-directory>/filebeat.yml.backup
    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/filebeat/6.x/filebeat.yml
    # chmod go+r /etc/filebeat/filebeat.yml
  3. Restart Filebeat:

    # systemctl daemon-reload
    # systemctl restart filebeat

Upgrading Kibana

  1. Upgrade Kibana:

    # yum install kibana-6.8.8
  2. Uninstall the Wazuh Kibana plugin:

    1. Update file permissions. This will prevent errors when generating new bundles or updating the Wazuh Kibana plugin:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    1. Remove the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin remove wazuh
  3. Upgrade the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # rm -rf optimize/bundles
    # sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-4.0.4_6.8.8.zip


    The Wazuh Kibana plugin installation process may take several minutes.

  4. Start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana

Disabling the repositories

It is recommended to disable the Elastic repository to prevent an upgrade to a newer Elastic Stack version due to the possibility of undoing changes with the Wazuh Kibana plugin:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo