Upgrade to the latest version of Wazuh 3.x

The following steps show how to upgrade to the latest available version of Wazuh 3.x (which implies upgrading to the latest version of Elastic Stack 6.x).

Starting the upgrade

If you followed our manager or agent installation guides, you probably disabled the repository to avoid unintended upgrades. It is necessary to enable it again to get the latest packages.

  1. For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/wazuh.repo
  2. For Debian/Ubuntu:
# sed -i "s/^#deb/deb/" /etc/apt/sources.list.d/wazuh.list

This step is not necessary if you set the packages to the hold state instead of disabling the repositories.

Upgrade the Wazuh manager

Note

Since Wazuh v3.7.0 the separate File Integrity Monitoring (syscheck) database is no longer used; FIM data is stored in Wazuh DB. The file and registry entries recorded by previous versions are not carried over by the package upgrade, so to keep them in Wazuh DB it is necessary to run the FIM migration tool after upgrading the manager.

  1. Upgrade the wazuh-manager package:
     1. For CentOS/RHEL/Fedora:
# yum upgrade wazuh-manager
     2. For Debian/Ubuntu:
# apt-get update && apt-get install --only-upgrade wazuh-manager
  2. Upgrade the wazuh-api package:
     1. For CentOS/RHEL/Fedora:
# yum upgrade wazuh-api
     2. For Debian/Ubuntu:
# apt-get update && apt-get install --only-upgrade wazuh-api

Note

The installation of the updated packages automatically restarts the Wazuh manager, API and agent services. Your Wazuh configuration file (ossec.conf) is left unmodified, so the settings for the new capabilities have to be added manually. Check the User Manual for more information.
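The note above says the services restart on their own and the configuration is kept, but it does not say how to confirm that the upgraded manager actually came back healthy. The script below is an added example, not part of the Wazuh documentation: it reads the installed version from /var/ossec/etc/ossec-init.conf, parses the output of ossec-control status, and reports only daemons that are not expected to be stopped. The OPTIONAL_DAEMONS list is an assumption about components (mail, cluster, authd and similar) that stay disabled in a typical 3.x setup; adjust it to your deployment. The final ossec-analysisd -t step (configuration test mode) is also an assumption about your build and can be dropped if it is not available.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: post-upgrade checks
# for a Wazuh 3.x manager. Assumptions: the OSSEC-style ossec-init.conf
# and ossec-control paths below, and the OPTIONAL_DAEMONS list.
INIT_CONF="${INIT_CONF:-/var/ossec/etc/ossec-init.conf}"
OPTIONAL_DAEMONS="${OPTIONAL_DAEMONS:-ossec-maild wazuh-clusterd ossec-authd ossec-agentlessd ossec-integratord ossec-dbd ossec-csyslogd}"

# installed_version <ossec-init.conf>: print the VERSION value, e.g. v3.7.0.
installed_version() {
    sed -n 's/^VERSION="\(.*\)"$/\1/p' "$1"
}

# version_matches <ossec-init.conf> <x.y.z>: 0 if the file reports vx.y.z.
version_matches() {
    [ "$(installed_version "$1")" = "v$2" ]
}

# stopped_daemons <status-output>: print each daemon that "ossec-control
# status" reports as "not running" and that is not in OPTIONAL_DAEMONS.
# Empty output means every required daemon is up.
stopped_daemons() {
    printf '%s\n' "$1" | awk -v opt="$OPTIONAL_DAEMONS" '
        BEGIN { n = split(opt, a, " "); for (i = 1; i <= n; i++) optional[a[i]] = 1 }
        / not running/ && !($1 in optional) { print $1 }'
}

# main <expected-version>: run the checks against the live installation.
main() {
    if ! version_matches "$INIT_CONF" "$1"; then
        echo "expected v$1, found $(installed_version "$INIT_CONF")" >&2; return 1
    fi
    stopped=$(stopped_daemons "$(/var/ossec/bin/ossec-control status)")
    if [ -n "$stopped" ]; then
        echo "daemons not running after the upgrade: $stopped" >&2; return 1
    fi
    # Assumed available: -t makes analysisd parse ossec.conf and the rule
    # set and exit, so a setting the new version rejects shows up here.
    /var/ossec/bin/ossec-analysisd -t
}

# Only act when an expected version is given, so sourcing the file just
# defines the functions. Usage: sh check-manager.sh 3.7.0
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root right after the package upgrade; a non-zero exit means either the version is not the one you installed, a required daemon stayed down, or the kept ossec.conf no longer parses.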

Upgrade the Wazuh agent

  1. Upgrade the wazuh-agent package:
     1. For CentOS/RHEL/Fedora:
# yum upgrade wazuh-agent
     2. For Debian/Ubuntu:
# apt-get update && apt-get install --only-upgrade wazuh-agent
     3. For Windows:

Upgrading the agent on Windows requires downloading the latest available installer from the packages list. It can be used in two ways (both require administrator rights):

  • Using the GUI installer:

Open the installer and follow the instructions to upgrade the agent.

../../_images/windows.png
  • Using the command line:

To upgrade the Windows agent from the command line, run the installer from Windows PowerShell or the command prompt (the /q argument performs an unattended installation):

# wazuh-agent-3.7.0-1.msi /q

Note

To learn more about the unattended installation process, you can check the Windows installation guide.

Finishing the Wazuh upgrade

You have finished upgrading Wazuh to the latest version. Now disable the Wazuh repositories again to avoid unintended upgrades and compatibility issues.

  1. For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
  2. For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

This step is not necessary if you set the packages to the hold state instead of disabling the repositories.
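The enable step at the start of this upgrade and the disable step just above both edit the same two files with sed and never confirm the result, and the guide mentions the hold state as an alternative without showing it. The following script is an added example, not part of the Wazuh documentation: it wraps those edits in functions that report the resulting state, fails if the file is missing, and shows the apt-mark hold/unhold alternative. File paths and package names are the ones used in this guide; the same functions apply unchanged to elastic.repo and elastic-6.x.list in the Elastic Stack section below. Running it against a copy of the files under /tmp is the safe way to try it.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: enable or disable
# the Wazuh repository and confirm the resulting state before running the
# package manager. Paths default to the files used in this guide; any
# other path can be passed, e.g. a copy under /tmp.

# set_yum_repo <repo-file> <0|1>: rewrite every "enabled=" line and
# succeed only if no line with the opposite value remains.
set_yum_repo() {
    file="$1"; want="$2"; other=$((1 - want))
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    sed -i "s/^enabled=${other}/enabled=${want}/" "$file"
    ! grep -q "^enabled=${other}" "$file"
}

# set_apt_repo <list-file> <0|1>: uncomment or comment out the deb line(s)
# and succeed only if no line in the opposite state remains.
set_apt_repo() {
    file="$1"; want="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if [ "$want" = 1 ]; then
        sed -i "s/^#deb/deb/" "$file" && ! grep -q "^#deb" "$file"
    else
        sed -i "s/^deb/#deb/" "$file" && ! grep -q "^deb" "$file"
    fi
}

# repo_enabled <file>: print 1 if the file has an active entry, else 0.
repo_enabled() {
    if grep -qE '^(enabled=1|deb )' "$1"; then echo 1; else echo 0; fi
}

# The alternative the guide mentions for Debian/Ubuntu: leave the
# repository enabled and pin the packages instead, so a general
# "apt-get upgrade" cannot touch them. Usage: hold_wazuh_packages hold|unhold
hold_wazuh_packages() {
    apt-mark "$1" wazuh-manager wazuh-api wazuh-agent
}

# main enable|disable: apply to whichever repository file this host has.
main() {
    case "$1" in
        enable)  want=1 ;;
        disable) want=0 ;;
        *) echo "usage: $0 enable|disable" >&2; return 1 ;;
    esac
    if [ -f /etc/yum.repos.d/wazuh.repo ]; then
        set_yum_repo /etc/yum.repos.d/wazuh.repo "$want" || return 1
        echo "wazuh.repo enabled=$(repo_enabled /etc/yum.repos.d/wazuh.repo)"
    elif [ -f /etc/apt/sources.list.d/wazuh.list ]; then
        set_apt_repo /etc/apt/sources.list.d/wazuh.list "$want" || return 1
        apt-get update -qq
        echo "wazuh.list enabled=$(repo_enabled /etc/apt/sources.list.d/wazuh.list)"
    else
        echo "no Wazuh repository file found" >&2; return 1
    fi
}

# Only act when invoked with an argument, so sourcing the file just
# defines the functions. Usage: sh wazuh-repo.sh enable|disable
if [ $# -gt 0 ]; then main "$@"; fi
```

On apt systems the script runs apt-get update after the edit, so a disabled repository is also gone from the package cache; on yum systems the next yum command rereads the .repo file on its own.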

Upgrade to the latest Elastic Stack version

Since the release of Wazuh 3.0.0 there have been several updates to the 6.x versions of the Elastic Stack, introducing bugfixes and important changes. In order to use the latest version of Wazuh, it is necessary to install the latest compatible Elastic Stack packages (6.5.0 for Wazuh 3.7.0, the version used in the commands below).

  1. Stop the services:
# systemctl stop filebeat
# systemctl stop logstash
# systemctl stop kibana
# systemctl stop elasticsearch
  2. Enable the Elastic repository:

If you followed our Elastic Stack Installation Guide, you probably disabled the repository to avoid unintended upgrades of the Elastic Stack. It is necessary to enable it again to get the latest packages.

     1. For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=0/enabled=1/" /etc/yum.repos.d/elastic.repo
     2. For Debian/Ubuntu:
# sed -i "s/^#deb/deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Upgrade Elasticsearch

  1. Upgrade the elasticsearch package:
     1. For CentOS/RHEL/Fedora:
# yum install elasticsearch-6.5.0
     2. For Debian/Ubuntu:
# apt-get install elasticsearch=6.5.0
  2. Start the Elasticsearch service:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service

It is important to wait until the Elasticsearch server finishes starting. Check the current status with the following command; the response should look like the one below. The name, cluster_uuid and build fields will differ on your system; what matters is that version.number reports 6.5.0:

# curl "http://localhost:9200/?pretty"

{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "M-W_RznZRA-CXykh_oJsCQ",
  "version" : {
    "number" : "6.5.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
  3. Load the Wazuh template for Elasticsearch:

Warning

Updating the Elasticsearch template to the latest version is mandatory in order to avoid compatibility issues with the latest versions of Wazuh and the Elastic Stack. Elasticsearch answers a successful request with {"acknowledged":true}; any other response (an error object, or an empty body because the node was not up yet) means the template was not stored and the command must be repeated.

# curl https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-

Upgrade Logstash

  1. Upgrade the logstash package:
     1. For CentOS/RHEL/Fedora:
# yum install logstash-6.5.0
     2. For Debian/Ubuntu:
# apt-get install logstash=1:6.5.0-1
  2. Download and set the Wazuh configuration for Logstash:
     1. Local configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-local.conf
# usermod -a -G ossec logstash
     2. Remote configuration:
# cp /etc/logstash/conf.d/01-wazuh.conf /backup_directory/01-wazuh.conf.bak
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-remote.conf
  3. Start the Logstash service:
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service

Note

The Logstash configuration file has been replaced with an updated one, so any local changes you had made to it exist only in the backup now. If you had already configured encryption between Filebeat and Logstash in a distributed architecture, go through Setting up SSL for Filebeat and Logstash again before relying on the pipeline: with the downloaded file the listener is back to its default, unencrypted settings.
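The practical problem behind this note is that the curl -so step overwrites the beats input, and a TLS setting that is lost there fails quietly: Logstash starts, Filebeat cannot connect, and alerts stop flowing. The script below is an added example, not part of the Wazuh documentation. It compares the backup made above with the freshly downloaded file and lists the ssl settings that were active in the backup but are not active in the new file (commented-out lines in the new file do not count, since "# ssl => true" enables nothing), then syntax-checks the pipeline with Logstash's own test mode before the service is started. BACKUP and NEW default to the paths used in this guide, including its /backup_directory placeholder; the sample configuration fragments in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: find TLS settings
# that the replacement of 01-wazuh.conf dropped, and test the new pipeline
# before starting Logstash. BACKUP and NEW are assumptions matching the
# paths used in this guide.
BACKUP="${BACKUP:-/backup_directory/01-wazuh.conf.bak}"
NEW="${NEW:-/etc/logstash/conf.d/01-wazuh.conf}"

# active_settings <file> <prefix>: uncommented lines starting with <prefix>
# (e.g. ssl, port), trimmed of surrounding whitespace, one per line.
active_settings() {
    grep -E "^[[:space:]]*$2" "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort -u
}

# lost_settings <backup> <new> [prefix]: settings active in the backup but
# not active in the new file. Default prefix "ssl" covers ssl, ssl_key,
# ssl_certificate and ssl_verify_mode of the beats input.
lost_settings() {
    prefix="${3:-ssl}"
    new=$(active_settings "$2" "$prefix")
    active_settings "$1" "$prefix" | while IFS= read -r line; do
        printf '%s\n' "$new" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# main: refuse to continue while settings are missing, otherwise run the
# Logstash configuration test (-t is --config.test_and_exit; --path.settings
# points at the directory holding logstash.yml).
main() {
    lost=$(lost_settings "$BACKUP" "$NEW")
    if [ -n "$lost" ]; then
        echo "SSL settings active in $BACKUP but not in $NEW:" >&2
        printf '%s\n' "$lost" >&2
        echo "re-apply them (see Setting up SSL for Filebeat and Logstash) and rerun" >&2
        return 1
    fi
    /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t -f "$NEW"
}

# Only act when invoked with an argument, so sourcing the file just
# defines the functions. Usage: sh check-logstash-conf.sh run
if [ $# -gt 0 ]; then main "$@"; fi
```

On a manager with the local configuration (no beats input) the ssl check simply finds nothing and only the syntax test runs; pass a different prefix such as port to lost_settings if you had changed the listener port as well.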

Upgrade Kibana

  1. Upgrade the kibana package:
     1. For CentOS/RHEL/Fedora:
# yum install kibana-6.5.0
     2. For Debian/Ubuntu:
# apt-get install kibana=6.5.0
  2. Uninstall the Wazuh app from Kibana:
     1. Update file permissions. This will avoid several errors prior to updating the app:
# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins
     2. Remove the Wazuh app:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
  3. Upgrade the Wazuh app:
# rm -rf /usr/share/kibana/optimize/bundles
# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.0_6.5.0.zip

Warning

The Wazuh app installation process may take several minutes. Please wait patiently.

  4. Start the Kibana service:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Upgrade Filebeat

  1. Upgrade the filebeat package:
     1. For CentOS/RHEL/Fedora:
# yum install filebeat-6.5.0
     2. For Debian/Ubuntu:
# apt-get update
# apt-get install filebeat=6.5.0
  2. Start the Filebeat service:
# systemctl daemon-reload
# systemctl enable filebeat.service
# systemctl start filebeat.service

Finishing the Elastic Stack upgrade

You have finished upgrading the Elastic Stack to the latest compatible version. Now disable the Elastic Stack repositories again to avoid unintended upgrades and compatibility issues with the Wazuh app.

  1. For CentOS/RHEL/Fedora:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
  2. For Debian/Ubuntu:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

This step is not necessary if you set the packages to the hold state instead of disabling the repositories.

Official upgrading guides for the Elastic Stack: