Wazuh central components

This section guides you through the upgrade process of the Wazuh indexer, the Wazuh server, and the Wazuh dashboard.

Note

You need root user privileges to run all the commands described below.

Preparing the upgrade

If Wazuh is installed in a multi-node cluster configuration, repeat the following steps on every node.

  1. Add the Wazuh repository. You can skip this step if the repository is already present and enabled on the node.

    .. tabs::
    
    
      .. group-tab:: Yum
    
    
        .. include:: /_templates/installations/common/yum/add-repository.rst
    
    
    
      .. group-tab:: APT
    
    
        .. include:: /_templates/installations/common/deb/add-repository.rst
    
    
    
    
    
  2. Stop the Filebeat service and the Wazuh dashboard service if they are installed on the node.

    .. tabs::
    
       .. tab:: Systemd
    
          .. code-block:: console
    
             # systemctl stop filebeat
             # systemctl stop wazuh-dashboard
    
       .. tab:: SysV init
    
          .. code-block:: console
    
             # service filebeat stop
             # service wazuh-dashboard stop
    
    

Upgrading the Wazuh indexer

Note

Note that this upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

To ensure compatibility with the latest Wazuh indexer and Wazuh dashboard, please update manually installed plugins accordingly. For additional information, check the distribution matrix.

In a Wazuh indexer cluster with multiple nodes, the cluster remains available throughout the upgrade process. This rolling upgrade shuts down one Wazuh indexer node at a time to minimize service disruption.

Repeat the following steps for every Wazuh indexer node replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

  1. Disable shard allocation.

    # curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <USERNAME>:<PASSWORD> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '

  2. Stop non-essential indexing and perform a synced flush.

    # curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush/synced" -u <USERNAME>:<PASSWORD> -k

  3. Shut down the Wazuh indexer on the node.

    .. tabs::
    
       .. tab:: Systemd
    
          .. code-block:: console
    
             # systemctl stop wazuh-indexer
    
       .. tab:: SysV init
    
          .. code-block:: console
    
             # service wazuh-indexer stop
    
    
  4. Upgrade the Wazuh indexer to the latest version.

    .. tabs::
    
       .. group-tab:: Yum
    
          .. code-block:: console
    
             # yum upgrade wazuh-indexer|WAZUH_INDEXER_RPM_PKG_INSTALL|
    
       .. group-tab:: APT
    
          .. code-block:: console
    
             # apt-get install wazuh-indexer|WAZUH_INDEXER_DEB_PKG_INSTALL|
    
    
  5. Restart the Wazuh indexer service.

  6. Check that the newly upgraded Wazuh indexer node joins the cluster.

    # curl -k -u <USERNAME>:<PASSWORD> "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v"

  7. Re-enable shard allocation.

    # curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <USERNAME>:<PASSWORD> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "all"
      }
    }
    '

  8. Check the status of the Wazuh indexer cluster again to see if the shard allocation has finished.

    # curl -k -u <USERNAME>:<PASSWORD> "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v"
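
The checks in steps 6 to 8 can be scripted so that the next node is not shut down until this one has rejoined and the shards have settled. The following is an added example, not part of the Wazuh documentation: it verifies the indexer certificate with ``--cacert`` instead of ``-k`` and reads credentials from a curl config file instead of ``-u``. ``CA_FILE``, ``CURL_CFG``, the function names, the ``_cat/health`` and ``flat_settings`` queries, and the sample responses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Wazuh's own tooling. CA_FILE, CURL_CFG and INDEXER_IP
# are placeholders (assumptions) that must be set before live use.

# Query the indexer with certificate verification (--cacert) instead of -k.
# Credentials come from a root-only curl config file containing
#   user = "<USERNAME>:<PASSWORD>"
# so they do not show up in the process list or shell history.
indexer_get() {
    curl -sS --fail --cacert "$CA_FILE" -K "$CURL_CFG" \
        "https://$INDEXER_IP:9200$1"
}

# Step 6. stdin: response of /_cat/nodes?h=ip,version
# Succeeds only if node $1 is listed and reports version $2 (string compare).
node_joined() {
    awk -v ip="$1" -v ver="$2" \
        '($1 "") == ip && ($2 "") == ver { ok = 1 } END { exit !ok }'
}

# Step 7. stdin: response of /_cluster/settings?flat_settings=true
# Succeeds only if allocation is back to "all", not left at "primaries".
allocation_restored() {
    tr -d ' \n' | grep -qF '"cluster.routing.allocation.enable":"all"'
}

# Step 8. stdin: response of /_cat/health?h=status,relo,init,unassign
# Succeeds only if the cluster is green and no shard is still moving.
shards_settled() {
    awk 'NF == 4 { ok = ($1 == "green" && $2 == 0 && $3 == 0 && $4 == 0) }
         END { exit !ok }'
}

# Constructed sample responses (not real cluster output): the second node
# is still on the old version and shards are still initializing.
SAMPLE_NODES='192.0.2.11 2.0.0
192.0.2.12 1.0.0'
SAMPLE_SETTINGS='{"persistent":{"cluster.routing.allocation.enable":"primaries"},"transient":{}}'
SAMPLE_HEALTH='yellow 0 2 5'

# Live use: indexer_get '/_cat/nodes?h=ip,version' | node_joined "$INDEXER_IP" 2.0.0
printf '%s\n' "$SAMPLE_NODES" | node_joined 192.0.2.11 2.0.0 && echo "node joined"
printf '%s\n' "$SAMPLE_SETTINGS" | allocation_restored || echo "allocation not restored"
printf '%s\n' "$SAMPLE_HEALTH" | shards_settled || echo "shards not settled"
```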

Upgrading the Wazuh server

When upgrading a multi-node Wazuh manager cluster, run the upgrade on every node so that all the Wazuh manager nodes join the cluster. Start with the master node to reduce server downtime.

Note

Upgrading from Wazuh 4.2.x or lower creates the wazuh operating system user and group to replace ossec. To avoid upgrade conflicts, make sure that the wazuh user and group are not present in your operating system.

Upgrading the Wazuh manager

Upgrade the Wazuh manager to the latest version.

.. tabs::

   .. group-tab:: Yum

      .. code-block:: console

         # yum upgrade wazuh-manager|WAZUH_MANAGER_RPM_PKG_INSTALL|

   .. group-tab:: APT

      .. code-block:: console

         # apt-get install wazuh-manager|WAZUH_MANAGER_DEB_PKG_INSTALL|

Note

If the /var/ossec/etc/ossec.conf configuration file was modified, it will not be replaced by the upgrade. You will therefore have to add the settings of the new capabilities manually. More information can be found in :doc:`/user-manual/index`.

Configuring vulnerability detection

If upgrading from version 4.7 or earlier, edit /var/ossec/etc/ossec.conf to configure the new vulnerability detection module as follows.

  1. Add the new <vulnerability-detection> block and remove the old <vulnerability-detector> if it exists.

  2. Configure the :doc:`indexer </user-manual/reference/ossec-conf/indexer>` block with the details of your Wazuh indexer host.

    During the upgrade from 4.7, if an indexer configuration does not exist in the /var/ossec/etc/ossec.conf file, a default indexer configuration is automatically appended to /var/ossec/etc/ossec.conf as part of a new <ossec_config> block.

  3. Save the Wazuh indexer username and password into the Wazuh manager keystore using the :doc:`Wazuh-keystore </user-manual/reference/tools/wazuh-keystore>` tool.

    # echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
    # echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

    Note

    In case you've forgotten your Wazuh indexer password, follow the :doc:`password management </user-manual/user-administration/password-management>` guide to reset the password.
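
A quick check of steps 1 and 2 before restarting the manager, as an added example that is not part of the Wazuh documentation: it ignores commented-out XML, so a ``<vulnerability-detection>`` block that exists only inside a comment is reported as missing. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Wazuh's own tooling: check ossec.conf after steps 1-2.

# Print file $1 with XML comments removed, so commented-out blocks are ignored.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                i = index(line, "-->")
                if (i == 0) { line = "" } else { line = substr(line, i + 3); in_c = 0 }
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = "" } else {
                    out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_c = 1
                }
            }
        }
        print out
    }' "$1"
}

# List every problem found in file $1; returns 0 only if there is none.
check_vd_config() {
    conf=$(strip_xml_comments "$1") || return 2
    rc=0
    has() { printf '%s\n' "$conf" | grep -qF "$1"; }
    has '<vulnerability-detection>' || { echo "missing <vulnerability-detection>"; rc=1; }
    has '<vulnerability-detector>'  && { echo "old <vulnerability-detector> still present"; rc=1; }
    has '<indexer>'                 || { echo "missing <indexer>"; rc=1; }
    return "$rc"
}

# Constructed sample: old block still active, new block only commented out.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
  </vulnerability-detector>
  <!-- <vulnerability-detection>
    <enabled>yes</enabled>
  </vulnerability-detection> -->
</ossec_config>
EOF

check_vd_config "$SAMPLE_CONF" || echo "fix ossec.conf before restarting the manager"
```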

Configuring Filebeat

  1. Download the Wazuh module for Filebeat:

    # curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

  2. Download the alerts template:

    # curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v|WAZUH_CURRENT|/extensions/elasticsearch/7.x/wazuh-template.json
    # chmod go+r /etc/filebeat/wazuh-template.json

  3. Restart Filebeat:

  4. Upload the new Wazuh template and pipelines for Filebeat.

    # filebeat setup --pipelines
    # filebeat setup --index-management -E output.logstash.enabled=false

Upgrading the Wazuh dashboard

Note

Note that this upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

To ensure compatibility with the latest Wazuh indexer and Wazuh dashboard, please update manually installed plugins accordingly. For additional information, check the distribution matrix.

Configuration options might differ across versions. Follow these steps to ensure a smooth upgrade.

  1. Back up the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings.

  2. Upgrade the Wazuh dashboard.

    .. tabs::
    
       .. group-tab:: Yum
    
          .. code-block:: console
    
             # yum upgrade wazuh-dashboard|WAZUH_DASHBOARD_RPM_PKG_INSTALL|
    
       .. group-tab:: APT
    
          .. code-block:: console
    
             # apt-get install wazuh-dashboard|WAZUH_DASHBOARD_DEB_PKG_INSTALL|
    
          .. note::
    
             When prompted, choose to replace the ``/etc/wazuh-dashboard/opensearch_dashboards.yml`` file with the updated version.
    
    
  3. Manually reapply any settings changes to the /etc/wazuh-dashboard/opensearch_dashboards.yml file.

  4. Restart the Wazuh dashboard:

Next steps

The Wazuh server, indexer, and dashboard are now successfully upgraded. The next step is to upgrade the Wazuh agents. Follow the instructions in: