Upgrading the Wazuh agent
A Wazuh agent can be upgraded remotely using the command line and through the Wazuh server API.
Warning
It is recommended to use the Wazuh server API to upgrade agents if running a Wazuh cluster.
Using the command line
To upgrade agents using the command line, use the /var/ossec/bin/agent_upgrade tool as follows:
List all outdated agents using the
-l
parameter:# /var/ossec/bin/agent_upgrade -l
ID Name Version 002 VM_Debian9 Wazuh v4.7.2 003 VM_Debian8 Wazuh v4.7.2 009 VM_WinServ2016 Wazuh v4.7.2 Total outdated agents: 3
Upgrade the Wazuh agent using the
-a
parameter followed by the agent ID (here, the agent ID is 003):# /var/ossec/bin/agent_upgrade -a 003
Upgrading... Upgraded agents: Agent 003 upgraded: Wazuh v4.7.2 -> Wazuh v4.8.0
Following the upgrade, the Wazuh agent is automatically restarted. Check the agent version to ensure it has been properly upgraded as follows:
# /var/ossec/bin/agent_control -i 003
Agent ID: 003 Agent Name: wazuh-agent2 IP address: any/any Status: Active Operating system: Linux |wazuh-agent2 |5.8.0-7625-generic |#26~1604441477~20.10~d41e407-Ubuntu SMP Wed Jul 4 01:25:00 UTC 2 |x86_64 Client version: Wazuh v4.8.0 Configuration hash: e2f47d482da37c099fa1d6e4c43b523c Shared file hash: aabb92f4a8cba49c7c6045c1aa80fbd3 Last keep alive: 1604927114 Syscheck last started at: Mon Jul 9 13:00:55 2024 Syscheck last ended at: Mon Jul 9 13:00:56 2024 Rootcheck last started at: Mon Jul 9 13:00:57 2024
Using the RESTful API
List all outdated agents using endpoint GET /agents/outdated. Replace
<WAZUH_MANAGER_IP>
with the IP address or FQDN of the Wazuh server:# curl -k -X GET "https://<WAZUH_MANAGER_IP>:55000/agents/outdated?pretty=true" -H "Authorization: Bearer $TOKEN"
{ "data": { "affected_items": [ {"version": "Wazuh v4.7.2", "id": "002", "name": "VM_Debian9"}, {"version": "Wazuh v4.7.2", "id": "003", "name": "VM_Debian8"}, {"version": "Wazuh v4.7.2", "id": "009", "name": "VM_WinServ2016"}, ], "total_affected_items": 3, "total_failed_items": 0, "failed_items": [], }, "message": "All selected agents information was returned", "error": 0, }
Upgrade the Wazuh agent using endpoint PUT /agents/upgrade (here, we upgrade agents with ID 002 and 003). Replace
<WAZUH_MANAGER_IP>
with the IP address or FQDN of the Wazuh server:# curl -k -X PUT "https://<WAZUH_MANAGER_IP>:55000/agents/upgrade?agents_list=002,003&pretty=true" -H "Authorization: Bearer $TOKEN"
{ "data": { "affected_items": [ { "agent": "002", "task_id": 1 }, { "agent": "003", "task_id": 2 } ], "total_affected_items": 2, "total_failed_items": 0, "failed_items": [] }, "message": "All upgrade tasks were created", "error": 0 }
The
agents_list
parameter in the PUT /agents/upgrade and PUT /agents/upgrade_custom endpoints allows the valueall
. When this value is set, an upgrade request will be sent to all Wazuh agents.When upgrading more than 3000 Wazuh agents at the same time, it is highly recommended that the parameter
wait_for_complete
be set to true to avoid a possible API timeout.This recommendation is based on testing with a Wazuh manager on a server with a 2.5 GHz AMD EPYC 7000 series processor and 4 GiB memory. Using an agent list with 3000 agents or fewer on a system with similar or better specifications guarantees a response before the API timeout occurs.
Check the upgrade results using endpoint GET /agents/upgrade_result. Replace
<WAZUH_MANAGER_IP>
with the IP address or FQDN of the Wazuh server:# curl -k -X GET "https://<WAZUH_MANAGER_IP>:55000/agents/upgrade_result?agents_list=002,003&pretty=true" -H "Authorization: Bearer $TOKEN"
{ "data": { "affected_items": [ { "message": "Success", "agent": "002", "task_id": 1, "node": "worker2", "module": "upgrade_module", "command": "upgrade", "status": "Updated", "create_time": "2024-07-09T17:13:45Z", "update_time": "2024-07-09T17:14:07Z" }, { "message": "Success", "agent": "003", "task_id": 2, "node": "worker1", "module": "upgrade_module", "command": "upgrade", "status": "Updated", "create_time": "2024-07-09T17:13:45Z", "update_time": "2024-07-09T17:14:11Z" } ], "total_affected_items": 2, "total_failed_items": 0, "failed_items": [] }, "message": "All upgrade tasks were returned", "error": 0 }
Following the upgrade, the Wazuh agents are automatically restarted. Check the version of the Wazuh agents to ensure they have been properly upgraded using endpoint GET /agents:
# curl -k -X GET "https://<WAZUH_MANAGER_IP>:55000/agents?agents_list=002,003&pretty=true&select=version" -H "Authorization: Bearer $TOKEN"
{ "data": { "affected_items": [ { "id": "002", "version": "Wazuh 4.8.0" }, { "id": "003", "version": "Wazuh 4.8.0" } ], "total_affected_items": 2, "total_failed_items": 0, "failed_items": [] }, "message": "All selected agents information was returned", "error": 0 }