upgrade wazuh environment from ubuntu 20.04 to 22.04


Gary Woodard

Sep 7, 2023, 10:49:54 AM
to Wazuh | Mailing List
I upgraded the OS where wazuh manager resides and it appears communication between the manager and the indexer/dashboard fails. I can see logs populating on the manager side but they are not populated on the dashboard. I had to revert to latest snapshot to restore service; however, I would like to know how we are able to upgrade to the latest ubuntu version without impacting SIEM availability. 

Victor Carlos Erenu

Sep 8, 2023, 1:13:18 PM
to Wazuh | Mailing List
Hello Gary

If the records were generated in Wazuh manager but did not reach Wazuh indexer, it is most likely a problem with Filebeat. We should check if the Filebeat configuration was correct or if it needed something else.
In case you want to upgrade Wazuh, we do have documentation about it (https://documentation.wazuh.com/current/upgrade-guide/index.html), but in the case of an operating system upgrade we should verify the logs of each one of the components.

As I told you before, it is possible that your problem was due to a lack of Filebeat configuration, so I recommend that you make a backup of the /etc/filebeat directory, which contains the configuration files for the connection with Wazuh indexer.

Gary Woodard

Sep 11, 2023, 3:47:02 PM
to Wazuh | Mailing List
The results of "filebeat test output" showed a successful connection to Wazuh-Indexer.

Victor Carlos Erenu

Sep 14, 2023, 4:15:14 PM
to Wazuh | Mailing List
You should first check the connectivity of the agents, checking within the application in the agent section.
The generation of alerts within the file /var/ossec/logs/alerts/alerts.json can also be reviewed to see if they are being generated correctly.
You can also verify the Wazuh manager logs within /var/ossec/logs/ossec.log, to know if the services start correctly. If you find an error, you can expand the debug level of the log with the tag within the file /var/ossec/etc/ossec.conf

If you continue to have problems, let us know and we can check.
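The checks suggested in this thread (alerts.json still being written, errors in ossec.log, then `filebeat test output`) can be run as one triage script after an OS upgrade. This is an added example, not part of the original posts and not Wazuh project code; the function names, the 300-second freshness threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
ALERTS=/var/ossec/logs/alerts/alerts.json   # path from the thread
OSSEC_LOG=/var/ossec/logs/ossec.log         # path from the thread

# Seconds since the file was last written (GNU stat, as on Ubuntu).
file_age() {
    local mtime
    mtime=$(stat -c %Y "$1" 2>/dev/null) || return 1
    echo $(( $(date +%s) - mtime ))
}

# Timestamp of the newest alert; assumes each line starts with "timestamp".
last_alert_ts() {
    tail -n 1 "$1" | sed -n 's/^{"timestamp":"\([^"]*\)".*/\1/p'
}

# Number of ERROR/CRITICAL lines in ossec.log (0 if unreadable).
ossec_problem_count() {
    local n
    n=$(grep -cE ': (ERROR|CRITICAL):' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Name the hop to inspect next. max_age (default 300 s) is an assumption.
triage() {
    local alerts=$1 log=$2 max_age=${3:-300} age
    age=$(file_age "$alerts") || { echo "manager: alerts.json missing"; return 0; }
    if [ "$age" -gt "$max_age" ]; then
        echo "manager: no alerts for ${age}s, check agents and ossec.log"
    elif [ "$(ossec_problem_count "$log")" -gt 0 ]; then
        echo "manager: alerts flowing but ossec.log has errors"
    else
        echo "shipping: alerts flowing, inspect Filebeat and the indexer"
    fi
}

# Constructed sample data (not real logs) so the script runs on any host.
make_sample() {
    local d; d=$(mktemp -d)
    printf '%s\n' '{"timestamp":"2023-09-07T10:49:54.000+0000","rule":{"level":3}}' > "$d/alerts.json"
    printf '%s\n' '2023/09/07 10:49:50 wazuh-analysisd: INFO: sample start' \
        '2023/09/07 10:49:52 wazuh-remoted: ERROR: sample failure' > "$d/ossec.log"
    echo "$d"
}
if [ -r "$ALERTS" ]; then   # real manager: run the checks, then the thread's command
    triage "$ALERTS" "$OSSEC_LOG"; echo "newest alert: $(last_alert_ts "$ALERTS")"
    filebeat test output
else                        # anywhere else: demonstrate on the constructed sample
    d=$(make_sample); triage "$d/alerts.json" "$d/ossec.log"; rm -rf "$d"
fi
```

On the manager, run it as a user that can read /var/ossec; a "shipping" verdict means alerts are being generated and the gap is downstream of the manager.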