Wazuh central components
This section guides you through upgrading the Wazuh indexer, the Wazuh server, and the Wazuh dashboard, in that order.
Note
You need root user privileges to run all the commands described below.
Preparing the upgrade
If Wazuh is installed in a multi-node cluster configuration, repeat the following steps on every node.
Add the Wazuh repository. You can skip this step if the repository is already present and enabled on the node. Keep the GPG key and signature checking in place (gpgcheck=1 for yum, signed-by for apt): they are what makes the package manager reject a tampered or substituted package.
RPM-based operating system (yum):
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
Debian-based operating system (apt):
Install the following packages if they are missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information.
# apt-get update
Stop the Filebeat service and the Wazuh dashboard service if they are installed on the node.
Systemd:
# systemctl stop filebeat
# systemctl stop wazuh-dashboard
SysV init:
# service filebeat stop
# service wazuh-dashboard stop
Upgrading the Wazuh indexer
Note
This upgrade process does not update manually installed plugins, and outdated plugins might cause the upgrade to fail.
To keep them compatible with the new Wazuh indexer and Wazuh dashboard versions, update manually installed plugins before upgrading. For additional information, check the distribution matrix.
In a Wazuh indexer cluster with multiple nodes, the cluster remains available throughout the upgrade: this rolling upgrade shuts down one Wazuh indexer node at a time, so service disruption is minimal.
Repeat the following steps for every Wazuh indexer node, replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD> with the node address and the credentials of an indexer user allowed to change cluster settings.
Disable shard allocation, so that the cluster does not start moving shards around while the node is down. The -k flag skips TLS certificate verification, as in the rest of this guide; where the cluster root CA is at hand, pass it with --cacert instead.
# curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <USERNAME>:<PASSWORD> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
Stop non-essential indexing and perform a synced flush.
# curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush/synced" -u <USERNAME>:<PASSWORD> -k
Shut down the Wazuh indexer on the node.
Systemd:
# systemctl stop wazuh-indexer
SysV init:
# service wazuh-indexer stop
Upgrade the Wazuh indexer to the latest version.
RPM-based operating system:
# yum upgrade wazuh-indexer
Debian-based operating system:
# apt-get install wazuh-indexer
Restart the Wazuh indexer service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer
SysV init. Choose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add wazuh-indexer
# service wazuh-indexer start
Debian-based operating system:
# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start
Check that the newly upgraded Wazuh indexer node has joined the cluster. Its name must appear in the output before you continue.
# curl -k -u <USERNAME>:<PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
Re-enable shard allocation.
# curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <USERNAME>:<PASSWORD> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'
Check the status of the Wazuh indexer cluster again to confirm that shard allocation has finished. The node listing only shows membership; the cluster health endpoint reports the status (green once all shards are allocated) and the number of relocating, initializing, and unassigned shards. Wait for green before moving on to the next node.
# curl -k -u <USERNAME>:<PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
# curl -k -u <USERNAME>:<PASSWORD> "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/health?pretty"
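The rolling-upgrade steps above, collected into one script as an added example (this is not Wazuh's own tooling). It disables allocation, flushes, stops and upgrades the package, then polls _cat/nodes until the node is listed again and _cluster/health until the cluster is green before it returns, so the next node is only touched when the cluster has recovered. The WAZUH_USER and WAZUH_PASS variable names, the five-second poll interval and the timeouts are the example's assumptions; -k mirrors the page's curl commands and should give way to --cacert with the cluster root CA where that CA is available.

```shell
#!/bin/sh
# Rolling upgrade of ONE Wazuh indexer node, following the page's steps in order.
# Added example, not the Wazuh project's own tooling. Assumptions (not from the page):
#   - the indexer REST API is reached at https://$INDEXER:9200 and, as on the page,
#     -k skips certificate verification (prefer --cacert <root-ca.pem> when you have it);
#   - WAZUH_USER / WAZUH_PASS carry the credentials (hypothetical variable names);
#   - systemd host; yum is used when present, apt-get otherwise.
set -eu

INDEXER="${WAZUH_INDEXER_IP_ADDRESS:-127.0.0.1}"
AUTH="${WAZUH_USER:-admin}:${WAZUH_PASS:-}"

api_get()  { curl -sS -k -u "$AUTH" "https://$INDEXER:9200$1"; }
api_post() { curl -sS -k -u "$AUTH" -X POST "https://$INDEXER:9200$1"; }
api_put()  { curl -sS -k -u "$AUTH" -X PUT -H 'Content-Type: application/json' \
                  -d "$2" "https://$INDEXER:9200$1"; }

# JSON body for the cluster.routing.allocation.enable setting; $1 is "primaries" or "all".
allocation_body() {
    printf '{"persistent":{"cluster.routing.allocation.enable":"%s"}}' "$1"
}

# Read a _cluster/health JSON document on stdin and print its "status" (green/yellow/red).
health_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Succeed if node name $1 appears in a _cat/nodes?v listing read on stdin.
# The header line is skipped; the node name is the last column of every data line.
node_listed() {
    awk -v n="$1" 'NR > 1 && $NF == n { found = 1 } END { exit found ? 0 : 1 }'
}

# Run the check given as "$@" every 5 seconds until it succeeds or $1 seconds pass.
wait_until() {
    _limit=$1; shift
    _t=0
    until "$@"; do
        _t=$((_t + 5))
        if [ "$_t" -ge "$_limit" ]; then
            echo "timed out waiting for: $*" >&2
            return 1
        fi
        sleep 5
    done
}

cluster_green() { [ "$(api_get /_cluster/health | health_status)" = green ]; }
node_joined()   { api_get '/_cat/nodes?v' | node_listed "$1"; }

rolling_upgrade_node() {                            # $1 = node name as shown by _cat/nodes
    api_put /_cluster/settings "$(allocation_body primaries)" >/dev/null
    api_post /_flush/synced >/dev/null || true      # returns 409 if a shard cannot flush; not fatal
    systemctl stop wazuh-indexer
    if command -v yum >/dev/null 2>&1; then
        yum -y upgrade wazuh-indexer
    else
        apt-get -y install wazuh-indexer
    fi
    systemctl daemon-reload
    systemctl enable wazuh-indexer
    systemctl start wazuh-indexer
    wait_until 300 node_joined "$1"                 # the page's "joins the cluster" check
    api_put /_cluster/settings "$(allocation_body all)" >/dev/null
    wait_until 600 cluster_green                    # allocation is finished once status is green
}

# Usage, as root on the node being upgraded:  sh rolling_upgrade.sh upgrade <node-name>
if [ "${1:-}" = "upgrade" ] && [ -n "${2:-}" ]; then
    rolling_upgrade_node "$2"
fi
```

The parsing helpers (health_status, node_listed) deliberately avoid jq so the script runs on a bare indexer host; the node name passed as the argument is the one shown in the last column of _cat/nodes, not the IP address.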
Upgrading the Wazuh server
When upgrading a multi-node Wazuh manager cluster, run the upgrade on every node so that all Wazuh manager nodes rejoin the cluster at the same version. Start with the master node to reduce server downtime.
Note
Upgrading from Wazuh 4.2.x or lower creates the wazuh operating system user and group to replace ossec. To avoid upgrade conflicts, make sure that a wazuh user and group are not already present in your operating system.
Upgrading the Wazuh manager
Upgrade the Wazuh manager to the latest version.
RPM-based operating system:
# yum upgrade wazuh-manager
Debian-based operating system:
# apt-get install wazuh-manager
Note
If the /var/ossec/etc/ossec.conf configuration file was modified, the upgrade does not replace it. You will therefore have to add the settings of the new capabilities manually. More information can be found in the User manual.
Configuring vulnerability detection
If upgrading from version 4.7 or earlier, edit /var/ossec/etc/ossec.conf to configure the new vulnerability detection module as follows.
Add the new <vulnerability-detection> block and remove the old <vulnerability-detector> block if it exists. This configuration enables the vulnerability detection module, indexes vulnerabilities and alerts, and updates the vulnerability feed every 60 minutes.
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
Configure the indexer block with the details of your Wazuh indexer host.
During the upgrade from 4.7, if an indexer configuration does not exist in the /var/ossec/etc/ossec.conf file, a default indexer configuration is automatically appended to /var/ossec/etc/ossec.conf as part of a new <ossec_conf> block. By default, the indexer settings have one host configured, set to the placeholder 0.0.0.0, as shown below.
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
Replace 0.0.0.0 with your Wazuh indexer node IP address or hostname. You can find this value in the Filebeat configuration file /etc/filebeat/filebeat.yml. Ensure the Filebeat certificate and key names match the certificate files in /etc/filebeat/certs. If you have a Wazuh indexer cluster, add a <host> entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
Vulnerability detection prioritizes reporting to the first node in the list and switches to the next node if that one is not available.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool. Typed this way, the password ends up in the root shell history; clear that entry afterwards, or redirect the tool's standard input from a root-only file instead of using echo.
# echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
Note
If you have forgotten your Wazuh indexer password, follow the password management guide to reset it.
Configuring Filebeat
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Download the alerts template:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Restart Filebeat:
Systemd:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
SysV init. Choose one option according to the operating system used:
Debian-based operating system:
# update-rc.d filebeat defaults 95 10
# service filebeat start
RPM-based operating system:
# chkconfig --add filebeat
# service filebeat start
Upload the new Wazuh template and pipelines for Filebeat.
# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false
Upgrading the Wazuh dashboard
Note
This upgrade process does not update manually installed plugins, and outdated plugins might cause the upgrade to fail.
To keep them compatible with the new Wazuh indexer and Wazuh dashboard versions, update manually installed plugins before upgrading. For additional information, check the distribution matrix.
Configuration options might differ across versions. Follow these steps to ensure a smooth upgrade.
Back up the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings.
Upgrade the Wazuh dashboard.
RPM-based operating system:
# yum upgrade wazuh-dashboard
Debian-based operating system:
# apt-get install wazuh-dashboard
Note
When prompted, choose to replace the /etc/wazuh-dashboard/opensearch_dashboards.yml file with the updated version.
Manually reapply any setting changes from your backup to the /etc/wazuh-dashboard/opensearch_dashboards.yml file.
Restart the Wazuh dashboard:
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard
SysV init. Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start
Debian-based operating system:
# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start
Next steps
The Wazuh server, indexer, and dashboard are now upgraded. The next step is to upgrade the Wazuh agents. Follow the instructions in: