Offline Update on Wazuh Central Component (Indexer, Server, Dashboard, Filebeat)

[Haziq Mt Roslan]

Hi team,

I'm currently figuring out on how to update wazuh central component for our production network. Our network does not allow any internet connection. Currently we are using wazuh-4.5.4. We want to upgrade it to 4.7.2 version as we also want to add new node. Is there anyway to upgrade our wazuh without losing our data/logs and connection between agent and server?

For wazuh-agent, is there a way to offline update all the agents. Currently we have about 200+ agent connect to our Wazuh. If there is a way to update all and not individually would certainly help. Thank you.

[Rolly Davany Mougoue Kakanou]

Hello Haziq,

In order to do an offline upgrade of your central components, you will need to download the packages for each component then copy it to their corresponding nodes. Assuming you your central components run on a debian system, you could find below links for the specific version 4.7.2 you want to upgrade to. Please note that the latest version is 4.7.3

wazuh-indexer | wazuh-manager | wazuh-dashboard |

Then you can follow the steps described in the upgrade guide documentation except:

• Skipping the steps for configuring the repository as it isn't necessary for offline installation
• For upgrading the wazuh server you will be asked to download some filebeat modules. You can download on a separate system and copy them to you wazuh server node
• Replace the commands apt-get install to install the components with   dpkg -i ./<PACKAGE_NAME>

With this your central components are upgraded.

For upgrading your agents offline, assuming they are all running Windows you need to download the wazuh-agent package (for debian systems the link is here) and copy it to each of your endpoints. If you have a shared file system it might help here.

Then the upgrade could be done by leveraging the centralized configuration capability of Wazuh. to achieve this you will need to create from your Wazuh dashboard an agent group to which you will add all you nodes. The steps to do this are explained in the following blogpost.

The next step will be to configure the endpoints to accept remote commands from the Wazuh server if not yet enabled. Unfortunately this is done only from the agents and you will need to connect to each of them to enable remote command. Once on the agent edit the   C:\Program Files (x86)\ossec-agent\local_internal_options.conf  file to add the line wazuh_command.remote_commands=1 then restart the agent.  

Finally from the wazuh server edit the shared configuration file to add the following:

<wodle name="command">
    <disabled>no</disabled>
    <command>Powershell -c "msiexec.exe /i <PATH/TO/wazuh-agent-4.7.2-1.msi> /q"</command>
    <ignore_output>no</ignore_output>
</woodle>

Make sure to change the command to specify the path to your package. With this after saving the configuration file on the dashboard it will apply to all the agents in that group and normally the agents will be upgraded to 4.7.2.

Hope you find this informative and that it answers your question.

Kind regards,
Rolly Mougoue