Upgrading Wazuh Components

In this post, I'll be covering the process of upgrading Wazuh, tailored to some customizations in my environment.
In: Wazuh, SIEM, Defend, Home Lab

Why I'm Writing this Post

In some previous posts, I've gone over a few topics that necessitate this post, including:

For anyone who may have followed my previous write-ups, I want to provide a brief overview that will help your upgrades go as smoothly as possible.





Official Upgrade Documentation

⚠️
The Wazuh agent version must be less than or equal to the Wazuh manager version. Once you have upgraded the Wazuh central components, you can upgrade your agents to match.

My previous write-ups covering installation and integration are written using the Wazuh central components; that is — Wazuh Indexer, Wazuh Manager, and Wazuh Dashboard.

Wazuh central components - Upgrade guide · Wazuh documentation





Upgrading with Customizations

I am going to refer you to the official documentation for all of the commands and procedures for upgrading the Wazuh server infrastructure. I will merely be adding context for certain parts in the sections below.

ℹ️
My installation write-ups use Debian servers, so follow the apt or yum commands that match the operating system running on your Wazuh infrastructure.

In general, the process is detailed in four core steps:

  1. Preparing to upgrade
  2. Upgrading Wazuh Indexer
  3. Upgrading Wazuh Manager Server
  4. Upgrading Wazuh Dashboard
💡
When running apt install <package-name>, dpkg will prompt you if a configuration file shipped by the package has been modified locally, asking whether to install the package maintainer's version. In most cases the default, N (keep your currently installed version), is the best choice; dpkg saves the packaged copy next to yours with a .dpkg-dist suffix so you can merge any new settings by hand. yum does not prompt: rpm leaves the packaged copy alongside yours as a .rpmnew file, which you reconcile the same way.



Preparing to Upgrade

Log into the Wazuh Manager server and run the following commands:

systemctl stop wazuh-manager
systemctl stop filebeat

Then, log into the Wazuh Dashboard server and run this command:

systemctl stop wazuh-dashboard





Wazuh Indexer

Some tips if you followed my Wazuh SIEM setup guide for Proxmox:

  • If you're running a cluster of Wazuh Indexers, perform the Wazuh Indexer steps on each node one at a time.
    • Do not try to complete them simultaneously
    • We do this to maintain uptime of the cluster
  • For the curl commands, <USERNAME>:<PASSWORD> is the indexer credential, the same one you use to log into the Wazuh Dashboard.
    • I recommend passing only the username to curl's -u option, so that curl prompts for the password interactively
    • Do NOT put the password on the command line, where it ends up in your shell history and is visible to anyone who can list processes
🚨
Once you've upgraded your Wazuh Indexer(s), be sure to place the package back on hold to ensure that you prevent unplanned upgrades to your infrastructure.
sudo apt-mark hold wazuh-indexer

Once finished, hold the package to prevent unplanned upgrades





Wazuh Manager

ℹ️

If you followed my SIEM setup guide, log into your Wazuh Manager server and run the commands shown in the documentation.

⚠️
Pay attention to each command, as some only need to be run in specific circumstances (e.g., if you're running a cluster of Wazuh Indexers).

Wazuh Manager Configuration

As noted in the upgrade guide, if /var/ossec/etc/ossec.conf has been modified, the original will not be overwritten. You will have to reconcile any differences between /var/ossec/etc/ossec.conf and /var/ossec/etc/ossec.conf.new.

💡
You can use the diff command to compare the two files and merge the new settings as necessary. I'd recommend a manual review of the differences, then copying the additions from ossec.conf.new into ossec.conf rather than replacing the file wholesale.

In my environment, as documented in this guide, I am using the logall_json and rotate_interval options in ossec.conf, which is why this reconciliation step is necessary.
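The diff step above compares the two files line by line. As an added example (my code, not the post's or Wazuh's), the script below does the same comparison structure-aware: it parses both files, inventories every section/option path, and reports options that are new in ossec.conf.new, options only the current file has, and options whose values differ (for instance logall_json set to yes locally against the packaged default). The two configurations embedded in it are constructed samples, and the vulnerability-detection section in the "new" one is illustrative rather than copied from a real upgrade.

```python
"""Compare the live /var/ossec/etc/ossec.conf with the ossec.conf.new left by a
Wazuh Manager package upgrade and list what needs reconciling by hand.

Added example for this post, not Wazuh code. The two configurations below are
constructed samples; pass real file paths on the command line instead.
"""
from __future__ import annotations

import sys
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed: a customized ossec.conf (logall_json on, an extra <localfile>).
CURRENT_CONF = """\
<ossec_config>
  <global>
    <logall>no</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
"""

# Constructed: the packaged ossec.conf.new, stock defaults plus a new section.
NEW_CONF = """\
<ossec_config>
  <global>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
  <vulnerability-detection>
    <enabled>no</enabled>
  </vulnerability-detection>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""


def leaf_settings(conf_text: str) -> dict[str, set[str]]:
    """Map each 'section/.../option' path to the set of values it takes.

    ossec.conf holds several top-level <ossec_config> blocks, so it is not one
    well-formed XML document; wrap it in a synthetic root before parsing.
    Repeated elements (several <localfile>) share one path. Attributes are ignored.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    settings: dict[str, set[str]] = defaultdict(set)

    def walk(elem: ET.Element, path: str) -> None:
        children = list(elem)
        if not children:
            settings[path].add((elem.text or "").strip())
            return
        for child in children:
            walk(child, f"{path}/{child.tag}")

    for block in root:          # each <ossec_config>
        for section in block:   # <global>, <localfile>, ...
            walk(section, section.tag)
    return dict(settings)


def reconcile(current_text: str, new_text: str) -> dict[str, dict]:
    cur, new = leaf_settings(current_text), leaf_settings(new_text)
    return {
        # only in ossec.conf.new: new options to paste into ossec.conf
        "added": {p: new[p] for p in new.keys() - cur.keys()},
        # only in your file: local additions to keep, or options dropped upstream
        "only_in_current": {p: cur[p] for p in cur.keys() - new.keys()},
        # in both with different values: your customizations to carry forward
        "differs": {p: (cur[p], new[p]) for p in cur.keys() & new.keys() if cur[p] != new[p]},
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            report = reconcile(f1.read(), f2.read())
    else:
        report = reconcile(CURRENT_CONF, NEW_CONF)
    for bucket, entries in report.items():
        print(f"== {bucket} ==")
        for path, value in sorted(entries.items()):
            print(f"  {path}: {value}")
```

Run it on the manager with the two file paths as arguments. Anything under differs is a customization to carry forward; anything under added is what you paste from ossec.conf.new into ossec.conf. Because repeated blocks such as localfile collapse onto one path, an extra log source shows up as a difference in localfile/location rather than as a separate entry, which is enough to flag it for review.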

⚠️
Also, ensure the ownership of /var/ossec/etc/ossec.conf is still root:wazuh (mode 660) after you merge; if you edited it as another user or copied a file into place, the wazuh-manager service will fail to start with a permissions error on this file.
sudo apt-mark hold wazuh-manager

Once finished, hold the package to prevent unplanned upgrades



Filebeat Configuration

Installing a new version of Wazuh Manager requires the matching version of the wazuh module for Filebeat. Extracting it as the guide shows does not touch /etc/filebeat/filebeat.yml (so the archives settings you enabled there survive), but it does overwrite everything under /usr/share/filebeat/module/wazuh, so any edits you made to the module's fileset or pipeline definitions have to be reapplied.





Wazuh Dashboard

sudo apt-mark hold wazuh-dashboard

Once finished, hold the package to prevent unplanned upgrades

When logging back into the Wazuh Dashboard (https://wazuh-dashboard-ip), wazuh-alerts-* will once again be the default index pattern, so the customization below has to be redone after every upgrade.

In my environment:

  • I am using the logall_json option
  • Filebeat is reading from archive.json in Wazuh
  • Filebeat is writing to wazuh-archives-*

I'd like to set wazuh-archives-* as the default index pattern after upgrade.

  1. Go to 'Stack Management'
  2. Click 'Index Patterns'
  3. Click on 'wazuh-archives-*'
  4. Click on the 'star' icon to set this as the default index pattern





Wazuh Agents

🚨
Always ensure that the Wazuh agent version is equal to or lower than that of the Wazuh Manager. After installing the latest version of the Wazuh agent package, take precautions to prevent unplanned upgrades, as described below.
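Both warnings on this page (the one under the official upgrade documentation and the one above) come down to a single check, so here is an added pre-flight script, my example and not the post's or Wazuh's code, that classifies the fleet before you touch any agent: which agents are already ahead of the manager (a rule violation, typically from an unheld package upgrade), which are behind and due for the upgrade step, and which have never reported a version. The API document and wazuh-control output embedded in it are constructed samples and their exact shapes are assumptions; in practice pull the agent list from the Wazuh API and the manager version from /var/ossec/bin/wazuh-control info.

```python
"""Pre-flight check before upgrading agents: every Wazuh agent must run a version
less than or equal to the manager's, so find any agent that is already newer and
the ones that are behind and due for upgrade.

Added example for this post, not Wazuh's own code. SAMPLE_AGENTS is a constructed
document shaped like a Wazuh API GET /agents?select=id,name,version response and
CONTROL_INFO mimics `/var/ossec/bin/wazuh-control info`; both shapes are assumed.
"""
from __future__ import annotations

import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed: output of `wazuh-control info` on the manager (assumed format).
CONTROL_INFO = 'WAZUH_VERSION="v4.8.0"\nWAZUH_REVISION="40810"\nWAZUH_TYPE="server"\n'

# Constructed: API response. Agent 000 is the manager itself; agent 004 has never
# connected and therefore carries no version field.
SAMPLE_AGENTS = json.loads("""
{"data": {"affected_items": [
  {"id": "000", "name": "wazuh-manager", "version": "Wazuh v4.8.0"},
  {"id": "001", "name": "web-01", "version": "Wazuh v4.7.2"},
  {"id": "002", "name": "db-01", "version": "Wazuh v4.8.0"},
  {"id": "003", "name": "build-runner", "version": "Wazuh v4.9.0"},
  {"id": "004", "name": "new-laptop"}
], "total_affected_items": 5}, "error": 0}
""")


def parse_version(text: Optional[str]) -> Optional[Version]:
    """'Wazuh v4.7.2' -> (4, 7, 2); None when no x.y.z is present."""
    m = VERSION_RE.search(text or "")
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def manager_version(control_info: str) -> Optional[Version]:
    """Pull the version out of wazuh-control's WAZUH_VERSION="v4.8.0" line."""
    m = re.search(r'^WAZUH_VERSION="([^"]+)"', control_info, re.MULTILINE)
    return parse_version(m[1]) if m else None


def classify_agents(agents_response: dict, manager: Version) -> dict[str, list[str]]:
    """Bucket agents relative to the manager version.

    too_new: violates the agent <= manager rule (an unheld apt upgrade, usually)
    behind:  candidates for the agent upgrade step
    current: nothing to do
    unknown: no version reported; investigate before assuming anything
    """
    buckets: dict[str, list[str]] = {"too_new": [], "behind": [], "current": [], "unknown": []}
    for agent in agents_response["data"]["affected_items"]:
        if agent["id"] == "000":          # the manager's own entry
            continue
        label = f"{agent['id']} {agent['name']}"
        ver = parse_version(agent.get("version"))
        if ver is None:
            buckets["unknown"].append(label)
        elif ver > manager:
            buckets["too_new"].append(label)
        elif ver < manager:
            buckets["behind"].append(label)
        else:
            buckets["current"].append(label)
    return buckets


def fleet_is_consistent(buckets: dict[str, list[str]]) -> bool:
    """True only when no agent is ahead of the manager."""
    return not buckets["too_new"]


if __name__ == "__main__":
    mgr = manager_version(CONTROL_INFO)
    result = classify_agents(SAMPLE_AGENTS, mgr)
    for bucket, names in result.items():
        print(f"{bucket:8}: {', '.join(names) or '-'}")
    print("fleet consistent:", fleet_is_consistent(result))
```

Anything in too_new means that host was upgraded outside your control and the package hold on it needs checking; the behind list is your work queue for the agent upgrade step, and the unknown list is worth resolving before you read the fleet as consistent.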

Windows

Windows agents are installed via an MSI package and will not be automatically upgraded. Install the target MSI package and restart the service. If you need to upgrade a batch of hosts, consider using something like Ansible or a PowerShell script over WinRM.

Linux

Linux agents, when installed using your distribution's package manager (e.g., apt or yum), need to be held back from unintended upgrades. For example, running apt update && apt upgrade -y would upgrade the Wazuh agent on a Debian-based system if the package was not held, leaving that agent newer than the manager and breaking the version rule above.

For Debian-based distributions, you can use the apt-mark command to hold packages so they are skipped by upgrades until you explicitly unhold them. On RPM-based distributions the Wazuh documentation disables the Wazuh repository instead (enabled=0 in /etc/yum.repos.d/wazuh.repo).

sudo apt-mark hold wazuh-agent

Hold the 'wazuh-agent' package

When ready to upgrade the package:

  • Run the command below
  • If prompted to overwrite any configuration files, typically answer, N
# Install the latest version of the wazuh-agent package
sudo apt install wazuh-agent
# Put the package back on hold
sudo apt-mark hold wazuh-agent

Install the latest version of Wazuh Agent
