Upgrading Elastic Stack from 6.x to 6.8
This section guides you through upgrading the Elastic Stack components (Elasticsearch, Logstash, Filebeat and Kibana) for the Elastic distribution.
Preparing the Elastic Stack
Stop the services:
# systemctl stop logstash
# systemctl stop filebeat
# systemctl stop kibana
If the Elastic Stack 6.x repository was disabled, re-enable it with:
Yum:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
APT:
# sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Zypper:
# sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo
Upgrading Elasticsearch
Disable shard allocation so that shards are not rebalanced while a node is down:
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
Stop non-essential indexing and perform a synced flush (optional):
curl -X POST "localhost:9200/_flush/synced"
Shut down a single node:
# systemctl stop elasticsearch
Upgrade the stopped node:
Yum:
# yum install elasticsearch-6.8.8
APT:
# apt-get install elasticsearch=6.8.8
# systemctl restart elasticsearch
Zypper:
# zypper update elasticsearch-6.8.8
Restart the service:
# systemctl daemon-reload
# systemctl restart elasticsearch
Start the newly upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:
curl -X GET "localhost:9200/_cat/nodes"
Re-enable shard allocation:
curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
Before upgrading the next node, wait for the cluster to finish shard allocation:
curl -X GET "localhost:9200/_cat/health?v"
Repeat the steps for every Elasticsearch node.
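As an added example that is not part of the Wazuh documentation, the following POSIX shell helper turns the "confirm that it joins the cluster" and "wait for the cluster to finish shard allocation" checks above into scripted gates before the next node is stopped. It assumes the unauthenticated localhost:9200 endpoint used on this page and the `_cat` `h=` column selector; the sample rows at the bottom are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added helper (not from the Wazuh documentation): script the two "wait" checks of
# the rolling upgrade above so that the next node is only stopped once it is safe.
# Assumptions: unauthenticated HTTP on localhost:9200 as used on this page, and the
# _cat "h=" column selector available in Elasticsearch 6.x.
ES="${ES:-localhost:9200}"
EXPECTED_VERSION="${EXPECTED_VERSION:-6.8.8}"

# health_ok ROW  -- ROW is the line from: curl -s "$ES/_cat/health?h=status,relo,init,unassign"
# Succeeds only when the cluster is green with no relocating, initializing or
# unassigned shards, i.e. shard allocation has finished.
health_ok() {
    set -- $1                      # split the row into its four columns
    if [ "${1:-}" = "green" ] && [ "${2:-1}" -eq 0 ] && [ "${3:-1}" -eq 0 ] && [ "${4:-1}" -eq 0 ]; then
        return 0
    fi
    return 1
}

# all_nodes_at VERSION ROWS  -- ROWS is the output of: curl -s "$ES/_cat/nodes?h=name,version"
# Fails if any node reports another version: a node that rejoined but still runs the
# old package is missed when one only checks that it appears in _cat/nodes.
all_nodes_at() {
    [ -n "$2" ] || return 1
    if printf '%s\n' "$2" | awk -v v="$1" 'BEGIN { bad = 0 } NF == 0 { next } $2 != v { bad = 1 } END { exit bad }'; then
        return 0
    fi
    return 1
}

# wait_for_cluster: poll the live cluster, then verify versions. Gives up after
# MAX_TRIES polls so an unhealthy cluster fails the step instead of hanging forever.
wait_for_cluster() {
    tries=0
    until health_ok "$(curl -s "$ES/_cat/health?h=status,relo,init,unassign")"; do
        tries=$((tries + 1))
        [ "$tries" -lt "${MAX_TRIES:-120}" ] || { echo "cluster did not settle" >&2; return 1; }
        sleep 5
    done
    all_nodes_at "$EXPECTED_VERSION" "$(curl -s "$ES/_cat/nodes?h=name,version")"
}

# Constructed sample output (not captured from a real cluster) for an offline dry run.
SAMPLE_HEALTH="green 0 0 0"
SAMPLE_NODES="wazuh-es-1 6.8.8
wazuh-es-2 6.5.4"
health_ok "$SAMPLE_HEALTH" && echo "health: safe to stop the next node"
all_nodes_at "$EXPECTED_VERSION" "$SAMPLE_NODES" || echo "version check: a node still runs an older release"
if [ "${1:-}" = "--live" ]; then wait_for_cluster; fi
```

Run it with `--live` on a node after the restart step to block until the cluster is green and every node reports 6.8.8; without arguments it only evaluates the constructed sample rows.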
Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
Upgrading Logstash
Upgrade Logstash:
Yum:
# yum install logstash-6.8.8
APT:
# apt-get install logstash=1:6.8.8-1
Zypper:
# zypper update logstash-6.8.8
Back up the current Logstash configuration and download the Wazuh configuration for Logstash:
Local (Logstash on the Wazuh manager):
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/logstash/6.x/01-wazuh-local.conf
# usermod -a -G ossec logstash
Remote (Logstash on a separate host):
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/logstash/6.x/01-wazuh-remote.conf
Start the Logstash service:
# systemctl daemon-reload
# systemctl start logstash
Upgrading Filebeat
Upgrade Filebeat:
Yum:
# yum install filebeat-6.8.8
APT:
# apt-get install filebeat=6.8.8
Zypper:
# zypper update filebeat-6.8.8
Back up and update the configuration file:
# cp /etc/filebeat/filebeat.yml <back-up-directory>/filebeat.yml.backup
# curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/filebeat/6.x/filebeat.yml
# chmod go+r /etc/filebeat/filebeat.yml
Restart Filebeat:
# systemctl daemon-reload
# systemctl restart filebeat
Upgrading Kibana
Upgrade Kibana:
Yum:
# yum install kibana-6.8.8
APT:
# apt-get install kibana=6.8.8
Zypper:
# zypper update kibana-6.8.8
Uninstall the Wazuh Kibana plugin:
Update file permissions. This prevents errors when generating new bundles or updating the Wazuh Kibana plugin:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
Remove the Wazuh Kibana plugin:
# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin remove wazuh
Upgrade the Wazuh Kibana plugin:
Online:
# cd /usr/share/kibana/
# rm -rf optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-4.0.4_6.8.8.zip
Offline (from a previously downloaded package):
# cd /usr/share/kibana/
# rm -rf optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install file:///path/wazuhapp-4.0.4_7.6.0.zip
Note: The Wazuh Kibana plugin installation process may take several minutes.
Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana
# systemctl start kibana
Disabling the repositories
It is recommended to disable the Elastic repository to prevent an unintended upgrade to a newer Elastic Stack version, which may be incompatible with the Wazuh Kibana plugin:
Yum:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
APT:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update
Alternatively, the package state can be set to hold, which stops automatic updates while still allowing a manual upgrade with apt-get install:
# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "filebeat hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections
Zypper:
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo