Upgrading Wazuh Central Components
Ensure you have added the Wazuh repository to every Wazuh indexer, server, and dashboard node before proceeding to perform the upgrade actions.
Adding the necessary dependencies :
apt-get install gnupg apt-transport-httpsAdding the updated GPG keys for the next stable version & adding repositories :
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
apt-get updatewe have installed all the dependencies and repos now we will start updating the central components one at a time.
Stopping Filebeat & the Dashboard service to ensure smooth updates :
systemctl stop filebeat
systemctl stop wazuh-dashboardUpgrading Wazuh Indexer
The Wazuh indexer cluster remains operational throughout the upgrade. The rolling upgrade process allows nodes to be updated one at a time, ensuring continuous service availability and minimizing disruptions. The steps detailed in the following sections apply to both single-node and multi-node Wazuh indexer clusters.
Preparing the Wazuh indexer cluster for Upgrade
Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.
Disable shard replication to prevent shard replicas from being created while Wazuh indexer nodes are being taken offline for the upgrade.
curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" \
-u <USERNAME>:<PASSWORD> -k -H "Content-Type: application/json" -d '
{
"persistent": {
"cluster.routing.allocation.enable": "primaries"
}
}'The output should look like :
{
"acknowledged" : true,
"persistent" : {
"cluster" : {
"routing" : {
"allocation" : {
"enable" : "primaries"
}
}
}
},
"transient" : {}
}Perform a flush operation on the cluster to commit transaction log entries to the index.
curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush" -u <USERNAME>:<PASSWORD> -kThe output should look like :
{
"_shards" : {
"total" : 19,
"successful" : 19,
"failed" : 0
}
}Run the following command on the Wazuh manager node(s) if running a single-node Wazuh indexer cluster.
systemctl stop wazuh-managerUpgrading the Wazuh indexer nodes
systemctl stop wazuh-indexer
apt-get install wazuh-indexer
systemctl daemon-reload
systemctl enable wazuh-indexer
systemctl start wazuh-indexerPost-upgrade actions
Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.
Check that the newly upgraded Wazuh indexer nodes are in the cluster.
# curl -k -u <USERNAME>:<PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?vRe-enable shard allocation.
curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" \
-u <USERNAME>:<PASSWORD> -k -H "Content-Type: application/json" -d '
{
"persistent": {
"cluster.routing.allocation.enable": "all"
}
}
'Output
{
"acknowledged" : true,
"persistent" : {
"cluster" : {
"routing" : {
"allocation" : {
"enable" : "all"
}
}
}
},
"transient" : {}
}Starting the wazuh manager again
systemctl start wazuh-managerUpgrading Wazuh Server
apt-get install wazuh-managerConfiguring Filebeat :
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/moduleDownload the alerts template:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.11.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.jsonRestarting Services :
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeatUpload the new Wazuh template and pipelines for Filebeat:
filebeat setup --pipelines
filebeat setup --index-management -E output.logstash.enabled=falseUpgrading Wazuh Dashboard
Backup the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings. For example, create a copy of the file using the following command:
cp /etc/wazuh-dashboard/opensearch_dashboards.yml /etc/wazuh-dashboard/opensearch_dashboards.yml.oldUpgrade the Wazuh dashboard.
apt-get install wazuh-dashboard
# Note When prompted, choose to replace the /etc/wazuh-dashboard/opensearch_dashboards.yml file with the updated version.Manually reapply any configuration changes to the /etc/wazuh-dashboard/opensearch_dashboards.yml file. Ensure that the values of server.ssl.key and server.ssl.certificate match the files located in /etc/wazuh-dashboard/certs/.
Ensure the value of uiSettings.overrides.defaultRoute in the /etc/wazuh-dashboard/opensearch_dashboards.yml file is set to /app/wz-home
Restart the Wazuh dashboard:
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboardYou can now access the Wazuh dashboard via: https://<DASHBOARD_IP_ADDRESS>/app/wz-home.
Updating Plugins :
Note that the upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.
Run the following command on the Wazuh dashboard server to list installed plugins and identify those that require an update:
# sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin listIn the output, plugins that require an update will be labeled as "outdated".
Remove the outdated plugins and reinstall the latest version replacing
<PLUGIN_NAME>with the name of the plugin:# sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin remove <PLUGIN_NAME> # sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install <PLUGIN_NAME>
Checking Updated versions
apt list --installed wazuh-indexer
apt list --installed wazuh-manager
apt list --installed wazuh-dashboardLast updated