Upgrading the Wazuh server from 2.x to 3.x

The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x, which implies upgrading from Elastic Stack 5.x to 7.x.

To upgrade the Wazuh server, follow the steps for your package manager. The steps below use Yum:

  1. Add the new repository for Wazuh 3.x:

    # cat > /etc/yum.repos.d/wazuh.repo <<\EOF
    [wazuh_repo]
    gpgcheck=1
    gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
    enabled=1
    name=Wazuh repository
    baseurl=https://packages.wazuh.com/3.x/yum/
    protect=1
    EOF
    
  2. Upgrade the Wazuh manager and the Wazuh API:

    # yum install wazuh-manager wazuh-api
    

Note

Installing the updated packages automatically restarts the Wazuh manager and Wazuh API services. The Wazuh manager configuration file is left unmodified, so the settings for the new capabilities must be added manually. More information can be found in the User manual.

After the upgrade, the old alerts are not displayed in Kibana because the Wazuh alerts template has changed. To access the old alerts and visualize them along with the new ones, the indices must be reindexed so that the new mapping is applied. The process is described in the Restore the Wazuh alerts from Wazuh 2.x section.

Disable the Wazuh repository

It is recommended to disable the Wazuh repository in order to avoid undesired upgrades and compatibility issues:

    # sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
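
The following is an added example, not part of the Wazuh documentation: a small audit that confirms the repository definition keeps signature checking on and uses HTTPS, and that the sed command above really switched enabled to 0. The function names repo_get, repo_audit and write_sample are hypothetical, and the sample file is constructed and written to a temporary path.

```shell
# repo_get FILE SECTION KEY: print KEY's value inside [SECTION], tolerating
# spaces around "=" (a form the sed pattern ^enabled=1 does not match).
repo_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
        in_sec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# repo_audit FILE SECTION WANT_ENABLED: return 0 only if packages are
# signature-checked, fetched over HTTPS, and "enabled" has the wanted value.
repo_audit() {
    rc=0
    [ "$(repo_get "$1" "$2" gpgcheck)" = "1" ] || { echo "FAIL: gpgcheck != 1"; rc=1; }
    for k in gpgkey baseurl; do
        case "$(repo_get "$1" "$2" "$k")" in
            https://*) ;;
            *) echo "FAIL: $k is not an https:// URL"; rc=1 ;;
        esac
    done
    [ "$(repo_get "$1" "$2" enabled)" = "$3" ] || { echo "FAIL: enabled != $3"; rc=1; }
    return "$rc"
}

# write_sample FILE: constructed sample mirroring the repository definition.
write_sample() {
    cat > "$1" <<'EOF'
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
}

# Demo on temporary copies only; nothing under /etc is touched.
tmp=$(mktemp) && off=$(mktemp)
write_sample "$tmp"
repo_audit "$tmp" wazuh_repo 1 && echo "during upgrade: OK"
sed "s/^enabled=1/enabled=0/" "$tmp" > "$off"   # same expression as above
repo_audit "$off" wazuh_repo 0 && echo "after disabling: OK"
rm -f "$tmp" "$off"
```

On a real server, run repo_audit /etc/yum.repos.d/wazuh.repo wazuh_repo 0 after the disable step. A FAIL on enabled means the sed pattern did not match the file as written.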