Upgrading the Wazuh server from 2.x to 3.x

The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x, which implies upgrading from Elastic Stack 5.x to 7.x.

To upgrade the Wazuh server, use the commands for your package manager (Yum, APT or ZYpp):

  1. Add the new repository for Wazuh 3.x:

     Yum:

    # cat > /etc/yum.repos.d/wazuh.repo <<\EOF
    [wazuh_repo]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=Wazuh repository
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF

     APT:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

     ZYpp:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    [wazuh_repo]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    autorefresh=1
    name=Wazuh repository
    baseurl=https://packages.wazuh.com/4.x/yum/
    protect=1
    EOF
    
  2. Upgrade the Wazuh manager and the Wazuh API:

     Yum:

    # yum install wazuh-manager wazuh-api

     APT:

    # apt-get update
    # apt-get install wazuh-manager wazuh-api

     ZYpp:

    # zypper update wazuh-manager wazuh-api
    

Note

The installation of the updated packages will automatically restart the services for the Wazuh manager and the Wazuh API. The Wazuh manager's configuration file will be unmodified, so the user will need to manually add the settings for the new capabilities. More information can be found in the User manual.

After the upgrade, the old alerts will not be visualized in Kibana due to a change in the Wazuh alerts’ template. In order to access the old alerts and visualize them along with the new ones, the indices need to be reindexed to apply the new mapping. The process is described in the Restore the Wazuh alerts from Wazuh 2.x section.

Disable the Wazuh repository

It is recommended to disable the Wazuh repository in order to avoid undesired upgrades and compatibility issues:

Yum:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

APT:

    # sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
    # apt-get update

Alternatively, the user can set the package state to hold, which will stop updates. It will still be possible to upgrade it manually using apt-get install:

    # echo "wazuh-manager hold" | sudo dpkg --set-selections
    # echo "wazuh-api hold" | sudo dpkg --set-selections

ZYpp:

    # sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
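
The script below is an added example, not part of the Wazuh documentation. It audits the repository definitions created above: signature checking is on, the key and packages are fetched over HTTPS, and the repository has actually been disabled. The function names are hypothetical; the file paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation): audit the repository
# definitions this page creates. Function names are hypothetical.

# repo_value FILE KEY: print KEY's value from the [wazuh_repo] section.
repo_value() {
    awk -F= -v key="$2" '
        /^\[/ { in_sec = ($0 == "[wazuh_repo]"); next }
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# audit_rpm_repo FILE: check a yum/zypper definition. Prints one line per
# finding and returns 1 if there is any finding, 0 otherwise.
audit_rpm_repo() {
    f=$1; rc=0
    [ "$(repo_value "$f" gpgcheck)" = "1" ] ||
        { echo "$f: gpgcheck is not 1, packages are not signature-checked"; rc=1; }
    for key in gpgkey baseurl; do
        case "$(repo_value "$f" "$key")" in
            https://*) ;;
            *) echo "$f: $key is not an https:// URL"; rc=1 ;;
        esac
    done
    [ "$(repo_value "$f" enabled)" = "0" ] ||
        { echo "$f: repository is still enabled"; rc=1; }
    return "$rc"
}

# audit_apt_list FILE: return 1 if an active (uncommented) deb line remains.
audit_apt_list() {
    if grep -Eq '^[[:space:]]*deb[[:space:]]' "$1"; then
        echo "$1: active deb line, repository is still enabled"
        return 1
    fi
    return 0
}

# Audit whichever definitions exist on this host (paths as used on this page).
for repo in /etc/yum.repos.d/wazuh.repo /etc/zypp/repos.d/wazuh.repo; do
    if [ -f "$repo" ]; then audit_rpm_repo "$repo" || true; fi
done
if [ -f /etc/apt/sources.list.d/wazuh.list ]; then
    audit_apt_list /etc/apt/sources.list.d/wazuh.list || true
fi
```

No output means every check passed for the definitions found on the host.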