Upgrading Wazuh Central Components

Ensure you have added the Wazuh repository to every Wazuh indexer, server, and dashboard node before proceeding to perform the upgrade actions.

Adding the necessary dependencies :

apt-get install gnupg apt-transport-https

Adding the updated GPG keys for the next stable version & adding repositories :

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

we have installed all the dependencies and repos now we will start updating the central components one at a time.

Stopping Filebeat & the Dashboard service to ensure smooth updates :

systemctl stop filebeat
systemctl stop wazuh-dashboard

---

Upgrading Wazuh Indexer

The Wazuh indexer cluster remains operational throughout the upgrade. The rolling upgrade process allows nodes to be updated one at a time, ensuring continuous service availability and minimizing disruptions. The steps detailed in the following sections apply to both single-node and multi-node Wazuh indexer clusters.

Preparing the Wazuh indexer cluster for Upgrade

Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

1. Disable shard replication to prevent shard replicas from being created while Wazuh indexer nodes are being taken offline for the upgrade.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" \
-u <USERNAME>:<PASSWORD> -k -H "Content-Type: application/json" -d '
{
   "persistent": {
      "cluster.routing.allocation.enable": "primaries"
   }
}'

The output should look like :

{
  "acknowledged" : true,
  "persistent" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "primaries"
        }
      }
    }
  },
  "transient" : {}
}

1. Perform a flush operation on the cluster to commit transaction log entries to the index.

curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush" -u <USERNAME>:<PASSWORD> -k

The output should look like :

{
   "_shards" : {
      "total" : 19,
      "successful" : 19,
      "failed" : 0
   }
}

Run the following command on the Wazuh manager node(s) if running a single-node Wazuh indexer cluster.

systemctl stop wazuh-manager

Upgrading the Wazuh indexer nodes

systemctl stop wazuh-indexer
apt-get install wazuh-indexer
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexer

Post-upgrade actions

Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

Check that the newly upgraded Wazuh indexer nodes are in the cluster.

# curl -k -u <USERNAME>:<PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

Re-enable shard allocation.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" \
-u <USERNAME>:<PASSWORD> -k -H "Content-Type: application/json" -d '
{
   "persistent": {
      "cluster.routing.allocation.enable": "all"
   }
}
'

Output

{
  "acknowledged" : true,
  "persistent" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "all"
        }
      }
    }
  },
  "transient" : {}
}

Starting the wazuh manager again

systemctl start wazuh-manager

---

Upgrading Wazuh Server

apt-get install wazuh-manager

Configuring Filebeat :

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Download the alerts template:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.11.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Restarting Services :

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

Upload the new Wazuh template and pipelines for Filebeat:

filebeat setup --pipelines
filebeat setup --index-management -E output.logstash.enabled=false

---

Upgrading Wazuh Dashboard

Backup the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings. For example, create a copy of the file using the following command:

cp /etc/wazuh-dashboard/opensearch_dashboards.yml /etc/wazuh-dashboard/opensearch_dashboards.yml.old

Upgrade the Wazuh dashboard.

apt-get install wazuh-dashboard
# Note When prompted, choose to replace the /etc/wazuh-dashboard/opensearch_dashboards.yml file with the updated version.

Manually reapply any configuration changes to the /etc/wazuh-dashboard/opensearch_dashboards.yml file. Ensure that the values of server.ssl.key and server.ssl.certificate match the files located in /etc/wazuh-dashboard/certs/.

Ensure the value of uiSettings.overrides.defaultRoute in the /etc/wazuh-dashboard/opensearch_dashboards.yml file is set to /app/wz-home

Restart the Wazuh dashboard:

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

You can now access the Wazuh dashboard via: https://<DASHBOARD_IP_ADDRESS>/app/wz-home.

---

Updating Plugins :

Note that the upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

1. Run the following command on the Wazuh dashboard server to list installed plugins and identify those that require an update:

   # sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list

   In the output, plugins that require an update will be labeled as "outdated".

2. Remove the outdated plugins and reinstall the latest version replacing <PLUGIN_NAME> with the name of the plugin:

   # sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin remove <PLUGIN_NAME>
   # sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install <PLUGIN_NAME>

---

Checking Updated versions

apt list --installed wazuh-indexer
apt list --installed wazuh-manager
apt list --installed wazuh-dashboard