search
Website Toolbase

Upgrading Wazuh Central Components

Ensure you have added the Wazuh repository to every Wazuh indexer, server, and dashboard node before proceeding to perform the upgrade actions.

Adding the necessary dependencies : 

apt-get install gnupg apt-transport-https

Adding the updated GPG keys for the next stable version & adding repositories : 

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update

we have installed all the dependencies and repos now we will start updating the central components one at a time.

Stopping Filebeat & the Dashboard service to ensure smooth updates : 

systemctl stop filebeat
systemctl stop wazuh-dashboard

hashtag
Upgrading Wazuh Indexer

The Wazuh indexer cluster remains operational throughout the upgrade. The rolling upgrade process allows nodes to be updated one at a time, ensuring continuous service availability and minimizing disruptions. The steps detailed in the following sections apply to both single-node and multi-node Wazuh indexer clusters.

hashtag
Preparing the Wazuh indexer cluster for Upgrade

Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

  1. Disable shard replication to prevent shard replicas from being created while Wazuh indexer nodes are being taken offline for the upgrade.

The output should look like :

  1. Perform a flush operation on the cluster to commit transaction log entries to the index.

The output should look like :

Run the following command on the Wazuh manager node(s) if running a single-node Wazuh indexer cluster.

hashtag
Upgrading the Wazuh indexer nodes

hashtag
Post-upgrade actions

Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

Check that the newly upgraded Wazuh indexer nodes are in the cluster.

Re-enable shard allocation.

Output

Starting the wazuh manager again

hashtag
Upgrading Wazuh Server

hashtag
Configuring Filebeat :

Download the alerts template:

Restarting Services :

Upload the new Wazuh template and pipelines for Filebeat:

hashtag
Upgrading Wazuh Dashboard

Backup the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings. For example, create a copy of the file using the following command:

Upgrade the Wazuh dashboard.

Manually reapply any configuration changes to the /etc/wazuh-dashboard/opensearch_dashboards.yml file. Ensure that the values of server.ssl.key and server.ssl.certificate match the files located in /etc/wazuh-dashboard/certs/.

Ensure the value of uiSettings.overrides.defaultRoute in the /etc/wazuh-dashboard/opensearch_dashboards.yml file is set to /app/wz-home

Restart the Wazuh dashboard:

You can now access the Wazuh dashboard via: https://<DASHBOARD_IP_ADDRESS>/app/wz-home.

hashtag
Updating Plugins :

Note that the upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

  1. Run the following command on the Wazuh dashboard server to list installed plugins and identify those that require an update:

    In the output, plugins that require an update will be labeled as "outdated".

  2. Remove the outdated plugins and reinstall the latest version replacing <PLUGIN_NAME> with the name of the plugin:

hashtag
Checking Updated versions

PreviousSet up Cross-Cluster SearchNextUninstalling Wazuh

Last updated