Wazuh central components

This section guides through the upgrade process of the Wazuh indexer, the Wazuh server, and the Wazuh dashboard. To migrate from Open Distro for Elasticsearch 1.13 to the Wazuh indexer and dashboard components, read the corresponding Migrating to the Wazuh indexer and Migrating to the Wazuh dashboard sections.

Note

Root user privileges are required to execute all the commands described below.

Preparing the upgrade

In the case Wazuh is installed in a multi-node cluster configuration, repeat the following steps for every node.

  1. Add the Wazuh repository. You can skip this step if the repository is already present and enabled on the node.

    1. Import the GPG key.

      # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
      
    2. Add the repository.

      # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
      
    1. Install the following packages if missing.

      # apt install gnupg apt-transport-https
      
    2. Install the GPG key.

      # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
      
    3. Add the repository.

      # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
      
    4. Update the packages information.

      # apt-get update
      
  2. Stop the Filebeat service and the Wazuh dashboard service if installed in the node.

    # systemctl stop filebeat
    # systemctl stop wazuh-dashboard
    
    # service filebeat stop
    # service wazuh-dashboard stop
    

Upgrading the Wazuh indexer

In the case of having a Wazuh indexer cluster with multiple nodes, the cluster will remain available throughout the upgrading process. This rolling upgrade allows shutting down one Wazuh indexer node at a time for minimal disruption of service. Repeat these steps for every Wazuh indexer node.

Note

  • Replace <WAZUH_INDEXER_IP>, <username>, and <password> before running the commands below.

  1. Disable shard allocation.

    curl -X PUT "https://<WAZUH_INDEXER_IP>:9200/_cluster/settings"  -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
    
  2. Stop non-essential indexing and perform a synced flush.

    # curl -X POST "https://<WAZUH_INDEXER_IP>:9200/_flush/synced" -u <username>:<password> -k
    
  3. Shut down the Wazuh indexer in the node.

    # systemctl stop wazuh-indexer
    
    # service wazuh-indexer stop
    
  4. Upgrade the Wazuh indexer to the latest version.

    # yum upgrade wazuh-indexer
    
    # apt-get install wazuh-indexer
    
  5. Restart the service.

    # systemctl daemon-reload
    # systemctl enable wazuh-indexer
    # systemctl start wazuh-indexer
    

    Choose one option according to the operating system used.

    1. RPM-based operating system:

    # chkconfig --add wazuh-indexer
    # service wazuh-indexer start
    
    1. Debian-based operating system:

    # update-rc.d wazuh-indexer defaults 95 10
    # service wazuh-indexer start
    
  6. Check that the newly-upgraded node joins the cluster.

    # curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
    
  7. Re-enable shard allocation.

    curl -X PUT "https://<WAZUH_INDEXER_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "all"
      }
    }
    '
    
  8. Check again the status of the cluster to see if shard allocation has finished.

    # curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
    

Upgrading the Wazuh server

When upgrading a multi-node Wazuh manager cluster, run the upgrade in every node to make all the Wazuh manager nodes join the cluster. Start with the master node to reduce server downtime.

Note

Upgrading from Wazuh 4.2.x or lower creates the wazuh operating system user and group to replace ossec. To avoid upgrade conflicts, make sure that the wazuh user and group are not present in your operating system.

  1. Upgrade the Wazuh manager to the latest version.

    # yum upgrade wazuh-manager
    
    # apt-get install wazuh-manager
    

    Note

    If the /var/ossec/etc/ossec.conf configuration file was modified, it will not be replaced by the upgrade. You will therefore have to add the settings of the new capabilities manually. More information can be found in User manual.

  2. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
    
  3. Download the alerts template:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.3.5/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json
    
  4. Restart Filebeat:

    # systemctl daemon-reload
    # systemctl enable filebeat
    # systemctl start filebeat
    

    Choose one option according to the OS used:

    1. Debian based OS

    # update-rc.d filebeat defaults 95 10
    # service filebeat start
    
    1. RPM based OS

    # chkconfig --add filebeat
    # service filebeat start
    
  5. Upload the new Wazuh template. This step can be omitted for Wazuh indexer single-node installations.

    # filebeat setup --index-management -E output.logstash.enabled=false
    

Upgrading the Wazuh dashboard

  1. Upgrade the Wazuh dashboard.

    # yum upgrade wazuh-dashboard
    
    # apt-get install wazuh-dashboard
    
  2. Restart the Wazuh dashboard:

    # systemctl daemon-reload
    # systemctl enable wazuh-dashboard
    # systemctl start wazuh-dashboard
    

    Choose one option according to your operating system:

    1. RPM-based operating system:

    # chkconfig --add wazuh-dashboard
    # service wazuh-dashboard start
    
    1. Debian-based operating system:

    # update-rc.d wazuh-dashboard defaults 95 10
    # service wazuh-dashboard start
    
  3. Clear browsers caches and cookies.

Next steps

The Wazuh server, indexer, and dashboard are now successfully upgraded. The next step consists in upgrading the Wazuh agents. Follow the instructions in: