Upgrading Elastic Stack from 6.x to 6.8

This section guides through the upgrade process of the Elastic Stack components including Elasticsearch, Logstash, Filebeat and Kibana for the Elastic distribution.

Preparing the Elastic Stack

  1. Stop the services:

    # systemctl stop logstash
    # systemctl stop filebeat
    # systemctl stop kibana
  2. In case of having disabled the repository for Elastic Stack 6.x it can be enabled using:

    # sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
    # sed -i "s/#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
    # apt-get update
    # sed -i "s/^enabled=0/enabled=1/" /etc/zypp/repos.d/elastic.repo

Upgrading Elasticsearch

  1. Disable shard allocation:

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
  2. Stop non-essential indexing and perform a synced flush (optional):

    curl -X POST "localhost:9200/_flush/synced"
  3. Shut down a single node:

    # systemctl stop elasticsearch
  4. Upgrade the shut down node:

    # yum install elasticsearch-6.8.8
    # apt-get install elasticsearch=6.8.8
    # systemctl restart elasticsearch
    # zypper update elasticsearch-6.8.8
  5. Restart the service:

    # systemctl daemon-reload
    # systemctl restart elasticsearch
  6. Start the newly-upgraded node and confirm that it joins the cluster by checking the log file or by submitting a _cat/nodes request:

    curl -X GET "localhost:9200/_cat/nodes"
  7. Reenable shard allocation:

    curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
      "persistent": {
        "cluster.routing.allocation.enable": null
  8. Before upgrading the next node, wait for the cluster to finish shard allocation:

    curl -X GET "localhost:9200/_cat/health?v"
  9. Repeat the steps for every Elasticsearch node.

  10. Load the Wazuh template for Elasticsearch:

    # curl https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/elasticsearch/6.x/wazuh-template.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-

Upgrading Logstash

  1. Upgrade Logstash:

    # yum install logstash-6.8.8
    # apt-get install logstash=1:6.8.8-1
    # zypper update logstash-6.8.8
  2. Download and set the Wazuh configuration for Logstash:

    # cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
    # curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/logstash/6.x/01-wazuh-local.conf
    # usermod -a -G ossec logstash
    # cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
    # curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/logstash/6.x/01-wazuh-remote.conf
  3. Start the Logstash service:

    # systemctl daemon-reload
    # systemctl start logstash

Upgrading Filebeat

  1. Upgrade Filebeat:

    # yum install filebeat-6.8.8
    # apt-get install filebeat=6.8.8
    # zypper update filebeat-6.8.8
  2. Update the configuration file:

    # cp /etc/filebeat/filebeat.yml <back-up-directory>/filebeat.yml.backup
    # curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/v4.0.4/extensions/filebeat/6.x/filebeat.yml
    # chmod go+r /etc/filebeat/filebeat.yml
  3. Restart Filebeat:

    # systemctl daemon-reload
    # systemctl restart filebeat

Upgrading Kibana

  1. Upgrade Kibana:

    # yum install kibana-6.8.8
    # apt-get install kibana=6.8.8
    # zypper update kibana-6.8.8
  2. Uninstall the Wazuh Kibana plugin:

    1. Update file permissions. This will prevent errors when generating new bundles or updating the Wazuh Kibana plugin:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    1. Remove the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin remove wazuh
  3. Upgrade the Wazuh Kibana plugin:

    # cd /usr/share/kibana/
    # rm -rf optimize/bundles
    # sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-4.0.4_6.8.8.zip
    # cd /usr/share/kibana/
    # rm -rf optimize/bundles
    # sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" bin/kibana-plugin install file:///path/wazuhapp-4.0.4_7.6.0.zip


    The Wazuh Kibana plugin installation process may take several minutes.

  4. Start the Kibana service:

    # systemctl daemon-reload
    # systemctl enable kibana
    # systemctl start kibana

Disabling the repositories

It is recommended to disable the Elastic repository to prevent an upgrade to a newer Elastic Stack version due to the possibility of undoing changes with the Wazuh Kibana plugin:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Alternatively, the user can set the package state to hold, which will stop updates. It will be still possible to upgrade it manually using apt-get install:

# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "filebeat hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo