Upgrading the Wazuh server from 2.x to 3.x
The following steps show how to upgrade from Wazuh 2.x to Wazuh 3.x, which implies upgrading from Elastic Stack 5.x to 7.x.
To upgrade the Wazuh server, choose the appropriate tab for the desired package manager:
Add the new repository for Wazuh 3.x:
Yum:

# cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

APT:

# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

ZYpp:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
autorefresh=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
Upgrade the Wazuh manager and the Wazuh API:
Yum:

# yum install wazuh-manager wazuh-api

APT:

# apt-get update
# apt-get install wazuh-manager wazuh-api

ZYpp:

# zypper update wazuh-manager wazuh-api
Note
The installation of the updated packages will automatically restart the services for the Wazuh manager and the Wazuh API. The Wazuh manager configuration file will be left unmodified, so the user will need to manually add the settings for the new capabilities. More information can be found in the User manual.
After the upgrade, the old alerts will not be visualized in Kibana due to a change in the Wazuh alerts template. In order to access the old alerts and visualize them along with the new ones, the indices need to be reindexed to apply the new mapping. The process is described in the Restore the Wazuh alerts from Wazuh 2.x section.
Disable the Wazuh repository
It is recommended to disable the Wazuh repository in order to avoid undesired upgrades and compatibility issues:
Yum:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

APT:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

Alternatively, the user can set the package state to hold, which will stop updates. It will still be possible to upgrade it manually using apt-get install:

# echo "wazuh-manager hold" | sudo dpkg --set-selections
# echo "wazuh-api hold" | sudo dpkg --set-selections

ZYpp:

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
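
A check to run after disabling the repository, as an added example that is not part of the Wazuh documentation: the sed expressions above only match lines that begin exactly with enabled=1 or deb, so this confirms the result instead of assuming the substitution happened. The function names are hypothetical; the file paths and package names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not Wazuh's own tooling): verify the repository is disabled.

# yum/zypp: succeed only if [wazuh_repo] has an "enabled" key and it is 0.
# A missing key is treated as enabled (conservative assumption).
repo_file_disabled() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[wazuh_repo\]/); next }
        in_sec && /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            seen = 1; if (v != "0") bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# APT: succeed only if no uncommented deb line still points at the Wazuh repo.
apt_list_disabled() {
    if grep -Eq '^[[:space:]]*deb[[:space:]].*packages\.wazuh\.com' "$1"; then
        return 1
    fi
    return 0
}

# APT hold: reads `dpkg --get-selections` output on stdin, for example
#   dpkg --get-selections | pkg_on_hold wazuh-manager
pkg_on_hold() {
    awk -v p="$1" '{ n = $1; sub(/:.*/, "", n) }
        n == p && $2 == "hold" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Report on whichever of the repository files from this page exist on the host.
report() {
    for f in /etc/yum.repos.d/wazuh.repo /etc/zypp/repos.d/wazuh.repo; do
        [ -f "$f" ] || continue
        if repo_file_disabled "$f"; then echo "$f: disabled"
        else echo "$f: STILL ENABLED"; fi
    done
    f=/etc/apt/sources.list.d/wazuh.list
    if [ -f "$f" ]; then
        if apt_list_disabled "$f"; then echo "$f: disabled"
        else echo "$f: STILL ENABLED"; fi
    fi
}
report
```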