Upgrading Wazuh Components

In this post, I'll be covering process of upgrading Wazuh tailored to some customizations in my environment.
Upgrading Wazuh Components
In: Wazuh, SIEM, Defend, Home Lab

Why I'm Writing this Post

In some previous posts, I've gone over a few topics that necessitate this post, including:

For anyone who may have followed any of my previous write-ups, I want to have a brief overview that will ensure your upgrades go as smoothly as possible.





Official Upgrade Documentation

⚠️
Wazuh Agents should be less than or equal to the Wazuh Manager version. Once you have upgraded the Wazuh infrastructure, you can upgrade your agents to match.

My previous write-ups covering installation and integration are written using the Wazuh central components; that is — Wazuh Indexer, Wazuh Manager, and Wazuh Dashboard.

Wazuh central components - Upgrade guide · Wazuh documentation
User manual, installation and configuration guides. Learn how to get the most out of the Wazuh platform.





Upgrading with Customizations

I am going to refer you to the official documentation for all of the commands and procedures for upgrading the Wazuh server infrastructure. I will merely be adding context for certain parts in the sections below.

ℹ️
In my installation documentation, I am using Debian servers, so follow the respective apt or yum commands according to the operating systems you're using on your Wazuh infrastructure.

In general, the processes is detailed in four core steps:

  1. Preparing to upgrade
  2. Upgrading Wazuh Indexer
  3. Upgrading Wazuh Manager Server
  4. Upgrading Wazuh Dashboard
💡
When running apt install <package-name> or yum install <package-name>, you will be prompted for Y/N input asking if you want to overwrite the existing configuration file. In most cases, choosing the default selection — N — is the best choice.



Preparing to Upgrade

If you've followed my installation procedure, this step is run on the Wazuh Manager server, as this is where filebeat is installed.

systemctl stop filebeat

If you've followed my installation procedure, this step is run on the Wazuh Dashboard server.

systemctl stop wazuh-dashboard





Wazuh Indexer

Follow the steps in the Wazuh official documentation for upgrading your Wazuh Indexer(s). If you followed my SIEM setup guide, log into your Wazuh Indexer node(s) and run the commands.

If you're running a cluster of Wazuh Indexers, perform the Wazuh Indexer steps on each node one at a time. Do not try to complete them simultaneously. We do this to maintain uptime of the cluster.

References to the username:password options in the curl commands are the credential you use to log into Wazuh Dashboard. I recommend only providing the username in the command and NOT putting the password on the command line.

Once you've upgraded your Wazuh Indexer(s), be sure to place the package back on hold to ensure that you prevent unplanned upgrades to your infrastructure.

sudo apt-mark hold wazuh-indexer





Wazuh Manager

Follow the steps in the Wazuh official documentation for upgrading your Wazuh Manager. If you followed my SIEM setup guide, log into your Wazuh Manager server and run the commands.

ℹ️
Pay attention to specific commands, as some of the commands need only to be run in specific circumstances (eg. you're running a cluster of Wazuh Indexers).

Wazuh Manager Configuration

As noted in the upgrade guide, if /var/ossec/etc/ossec.conf has been modified, the original will not be overwritten. You will have to reconcile any differences between /var/ossec/etc/ossec.conf and /var/ossec/etc/ossec.conf.new.

In my environment — as documented in this guide — I am using the logall_json option and rotate_interval options in ossec.conf, therefore necessitating this step.

💡
You can use the diff command to compare the two files and merge the new settings as necessary. I'd recommend a manual review of the differences and then proceed to copy and paste the additions from ossec.conf.new into ossec.conf.
⚠️
Also, ensure the ownership of the ossec.conf file is set to root:wazuh, as permissions issues on this file will cause the wazuh-manager service to fail to load.

Once you've upgraded your Wazuh Manager, be sure to place the package back on hold to ensure that you prevent unplanned upgrades to your infrastructure.

sudo apt-mark hold wazuh-manager



Filebeat Configuration

Installing a new version of Wazuh Manager requires the latest wazuh module for Filebeat. This will not overwrite /etc/filebeat/filebeat.conf, but it will overwrite the files in /usr/share/filebeat/modules/wazuh.

ℹ️
Because in my environment, I am using the logall_json option and using the OwlH integration I want to ensure that I am not duplicating archived logs and alerts.

I want to continue to receive custom Zeek alerts in the wazuh-archive-* indices based on custom Wazuh rules I've written. I also want raw Zeek logs to be written to their respective indices, owlh-{proto}-1.x-*see here for more information.

Add this filebeat processor to the file /usr/share/filebeat/module/wazuh/archives/config/archives.yml:

processors:
  - drop_event:
      when:
        and:
          - has_fields: ['bro_engine']
          - not:
              regexp:
                data.description: "^Zeek.*Log:.*"

Effectively, we are telling the wazuh module in filebeat to drop any log with the line bro_engine that is not a custom rule alert. This is the job of the owlh module in filebeat to ship those raw logs to their respective indices.

Additionally, if you've followed along with my blog and added RITA to your Zeek stack, you should consider adding another event processor to your Filebeat configuration.

ℹ️
You can add this processor directly under the OwlH processor referenced above.

Again, this is just tell Filebeat that we don't want to duplicate RITA data as raw logs, since we've already written custom rules to alert on.
  - drop_event:
      when:
        and:
          - regexp:
              data.full_log: "^ossec:.*output:.*/usr/local/bin/rita.*"
          - not:
              regexp:
                data.description: "^RITA.*"

Add this RITA processor directly under the OwlH processor referenced above

⚠️
If you've already started the filebeat service and you've made these changes, be sure to run systemctl restart filebeat to ensure your configurations are processed





Wazuh Dashboards

Follow the steps in the Wazuh official documentation for upgrading your Wazuh Dashboard server. If you followed my SIEM setup guide, log into your Wazuh Dashboard node(s) and run the commands.

Once you've upgraded your Wazuh Dashboards server, be sure to place the package back on hold to ensure that you prevent unplanned upgrades to your infrastructure.

sudo apt-mark hold wazuh-dashboard

When logging back into the Wazuh Dashboard server — https://wazuh-dashboard-ip — the wazuh-alerts-* index pattern will be set as the default index pattern.

In my environment:

  • I am using the logall_json option
  • Filebeat is reading from archive.json in Wazuh
  • Filebeat is writing to wazuh-archives-*

I'd like to set wazuh-archives-* as the default index pattern after upgrade.

Go to 'Stack Management'
Click 'Index Patterns'
Click on 'wazuh-archives-*'
Click on the 'star' icon to set this as the default index pattern





Wazuh Agents

⚠️
Always ensure that Wazuh agent(s) version is equal to or lower than that of the Wazuh Manager.

After installing the latest version of the Wazuh Agent package, ensure to take precautions to prevent unplanned upgrades.

Windows

Windows agents are installed via a MSI package and will not be automatically upgraded. Install the target MSI package and restart the service.

Linux

Linux agents — when installed using your distributions package manager (eg. apt, yum) — need to be held back from unintended upgrades. For example, running apt update && apt upgrade -y would upgrade the Wazuh Agent on a Debian-based system if the package was not held.

For Debian-based distributions, you can use the apt-mark command to hold pacakges from being upgraded without specific overrides.

sudo apt-mark hold wazuh-agent

Hold the 'wazuh-agent' package

When ready to upgrade the package:

  • Run the command below
  • If prompted to overwrite any configuration files, typically answer, N
# Install the latest version of the wazuh-agent package
sudo apt install wazuh-agent
# Put the package back on hold
sudo apt-mark hold wazuh-agent

Install the latest version of Wazuh Agent

More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.