Wazuh central components

This section guides you through the upgrade process of the Wazuh indexer, the Wazuh server, and the Wazuh dashboard. To migrate from Open Distro for Elasticsearch 1.13 to the Wazuh indexer and dashboard components, read the corresponding Migrating to the Wazuh indexer and Migrating to the Wazuh dashboard sections.

Note

You need root user privileges to run all the commands described below.

Preparing the upgrade

In the case Wazuh is installed in a multi-node cluster configuration, repeat the following steps for every node.

Add the Wazuh repository. You can skip this step if the repository is already present and enabled on the node.

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

Install the following packages if missing.

# apt-get install gnupg apt-transport-https

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information.
# apt-get update

Stop the Filebeat service and the Wazuh dashboard service if installed in the node.

# systemctl stop filebeat
# systemctl stop wazuh-dashboard

# service filebeat stop
# service wazuh-dashboard stop

Upgrading the Wazuh indexer

Note

Note that this upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

To ensure compatibility with the latest Wazuh indexer and Wazuh dashboard, please update manually installed plugins accordingly. For additional information, check the distribution matrix.

The cluster remains available throughout the upgrading process in a Wazuh indexer cluster with multiple nodes. This rolling upgrade allows for the shutting down of one Wazuh indexer node at a time for minimal disruption of service.

As a first step, remove the ss4o index templates. Replace <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD> before running any command below.

curl -X DELETE "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_index_template/ss4o_*_template" -u <USERNAME>:<PASSWORD> -k

Then, repeat the following steps for every Wazuh indexer node.

Disable shard allocation.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings"  -u <USERNAME>:<PASSWORD> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'

Stop non-essential indexing and perform a synced flush.

# curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush/synced" -u <USERNAME>:<PASSWORD> -k

Shut down the Wazuh indexer in the node.

# systemctl stop wazuh-indexer

# service wazuh-indexer stop

Upgrade the Wazuh indexer to the latest version.

# yum upgrade wazuh-indexer

# apt-get install wazuh-indexer

Restart the Wazuh indexer service.

# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer

Choose one option according to the operating system used.

RPM-based operating system:

# chkconfig --add wazuh-indexer
# service wazuh-indexer start

Debian-based operating system:

# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start

Check that the newly upgraded Wazuh indexer node joins the cluster.

# curl -k -u <USERNAME>:<PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

Re-enable shard allocation.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <USERNAME>:<PASSWORD> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'

Check the status of the Wazuh indexer cluster again to see if the shard allocation has finished.
```
# curl -k -u <USERNAME>:<PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
```

Upgrading the Wazuh server

When upgrading a multi-node Wazuh manager cluster, run the upgrade in every node to make all the Wazuh manager nodes join the cluster. Start with the master node to reduce server downtime.

Note

Upgrading from Wazuh 4.2.x or lower creates the wazuh operating system user and group to replace ossec. To avoid upgrade conflicts, make sure that the wazuh user and group are not present in your operating system.

Upgrading the Wazuh manager

Upgrade the Wazuh manager to the latest version.

# yum upgrade wazuh-manager

# apt-get install wazuh-manager

Note

If the /var/ossec/etc/ossec.conf configuration file was modified, it will not be replaced by the upgrade. You will therefore have to add the settings of the new capabilities manually. More information can be found in User manual.

Configuring vulnerability detection

If upgrading from version 4.7 and earlier, edit /var/ossec/etc/ossec.conf to configure the new vulnerability detection module as follows.

Add the new <vulnerability-detection> block and remove the old <vulnerability-detector> if it exists.

This configuration enables the vulnerability detection module to index vulnerabilities and alerts. It updates the vulnerability feed every 60 minutes.
```
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
```
Configure the indexer block with the details of your Wazuh indexer host.

During the upgrade from 4.7, if an Indexer configuration does not exist in the /var/ossec/etc/ossec.conf file, a default Indexer configuration is automatically appended to /var/ossec/etc/ossec.conf as part of a new <ossec_conf> block.

By default, the indexer settings have one host configured. It's set to 0.0.0.0 as highlighted below.
```
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```
Replace 0.0.0.0 with your Wazuh indexer node IP address or hostname. You can find this value in the Filebeat config file /etc/filebeat/filebeat.yml.

Ensure the Filebeat certificate and key name match the certificate files in /etc/filebeat/certs.

If you have a Wazuh indexer cluster, add a <host> entry for each one of your nodes. For example, in a two-nodes configuration:
```
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
Vulnerability detection prioritizes reporting to the first node in the list. It switches to the next node in case it's not available.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool.
```
# /var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
# /var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
```
Note

In case you've forgotten your Wazuh indexer password, follow the password management guide to reset the password.

Configuring Filebeat

Download the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Download the alerts template:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.8.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Restart Filebeat:

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

Choose one option according to the OS used:

Debian based OS

# update-rc.d filebeat defaults 95 10
# service filebeat start

RPM based OS

# chkconfig --add filebeat
# service filebeat start

Upload the new Wazuh template and pipelines for Filebeat.

# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false

Upgrading the Wazuh dashboard

Note

Note that this upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

To ensure compatibility with the latest Wazuh indexer and Wazuh dashboard, please update manually installed plugins accordingly. For additional information, check the distribution matrix.

Configuration options might differ across versions. Follow these steps to ensure a smooth upgrade.

Backup the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings.
Upgrade the Wazuh dashboard.
# rm /etc/wazuh-dashboard/opensearch_dashboards.yml # yum upgrade wazuh-dashboard
# apt-get install wazuh-dashboard
Note

When prompted, choose to replace the /etc/wazuh-dashboard/opensearch_dashboards.yml file with the updated version.
Manually reapply any settings changes to the /etc/wazuh-dashboard/opensearch_dashboards.yml file.

Restart the Wazuh dashboard:

# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start

Debian-based operating system:

# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start

Next steps

The Wazuh server, indexer, and dashboard are now successfully upgraded. The next step consists in upgrading the Wazuh agents. Follow the instructions in:

Upgrading the Wazuh agent.