Upgraded Elasticsearch to elasticsearch-7.17.3-1.x86_64


prachi katakwar

Apr 29, 2022, 7:16:35 AM
to Wazuh mailing list
Hi again Wazuh Team,

Just to remove a vulnerability flagged by my Nessus server, I ran this command to upgrade the JDK version in Elasticsearch, and this in turn upgraded Elasticsearch:

yum upgrade /usr/share/elasticsearch/jdk/

Now my Elasticsearch version is: Upgraded elasticsearch-7.17.3-1.x86_64

Although my Wazuh GUI is working, I want to take guidance from you on what to do now. All the components below are deployed together on a single CentOS 8 VM.
Can I roll back to the previous Elasticsearch version? What are the steps to do so?
Or should I keep it as it is?

Component       Version
Wazuh           4.2
Elasticsearch   7.14.2 -> 7.17.3
Filebeat        7.14.2
Kibana          7.14.2


BR
//Prachi

Bin Do Tuan Anh

Apr 29, 2022, 9:25:13 AM
to Wazuh mailing list
Hi, 

You cannot downgrade the Elasticsearch version, and the version you have now (7.17.3) is not supported by Wazuh Manager.

Please let me know what your retention policy is. I need to know for how long you keep your logs in cold and hot storage. By cold storage I mean the data you have in the folder /var/ossec/logs/alerts/, and by hot storage the indices you have in Elasticsearch (basically the data that is online and searchable in Kibana). If the data in cold storage goes back at least as far as (or to exactly the same date as) the data in Elasticsearch, then you can reinstall Elasticsearch, reconnect it to the Wazuh Manager, and finally use the restore script to restore all the data you have in the Wazuh Manager. For more details about restoring the data please check here: https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/

Best regards,
Bin.

prachi katakwar

May 3, 2022, 8:52:55 AM
to Bin Do Tuan Anh, Wazuh mailing list
Hi Bin,

Good evening,

Sorry for the late reply. I just checked my retention policy: the hot phase has an index priority of 100,
the cold phase is 90 days and the delete phase is 180 days, as shown below.
How should we proceed now?
BR
//Prachi

Bin Do Tuan Anh

May 3, 2022, 9:12:35 AM
to Wazuh mailing list
Hi, 

As I mentioned, by cold storage I meant the data you have in the Wazuh Manager (/var/ossec/logs/alerts/<year>/<month>). As I can see, your delete phase starts after 180 days, meaning that your Elasticsearch right now has data for the last 180 days. If you have data for the same period of time (or even longer) in the Wazuh Manager, you will be able to recover all the data in your Elasticsearch using the recovery script I mentioned above: https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/

Best regards,
Bin. 

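The condition Bin describes above (the alert archive on the manager must reach back at least as far as the data Elasticsearch still holds online, 180 days with this delete phase) can be checked mechanically before tearing Elasticsearch down. The script below is an added example, not code from the thread or from the Wazuh restore script; it assumes the archive layout /var/ossec/logs/alerts/<year>/<Mon>/ossec-alerts-<dd>.json.gz and runs over a constructed file listing instead of the live directory.

```python
from datetime import date, timedelta

# Assumed archive layout: /var/ossec/logs/alerts/<year>/<Mon>/ossec-alerts-<dd>.json.gz,
# with month directories named by English three-letter abbreviation.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def parse_archive_paths(paths):
    """Map archive file paths to the calendar days they cover; skip anything else."""
    days = set()
    for path in paths:
        parts = path.strip("/").split("/")
        if len(parts) < 3 or not parts[-1].startswith("ossec-alerts-"):
            continue
        year, mon, fname = parts[-3], parts[-2], parts[-1]
        day = fname[len("ossec-alerts-"):].split(".")[0]
        try:
            days.add(date(int(year), MONTHS.index(mon) + 1, int(day)))
        except ValueError:  # unknown month name, bad day number or invalid date
            continue
    return days

def archive_covers_indices(paths, retention_days, today):
    """Report whether every day Elasticsearch still keeps online (today minus
    retention_days, the ILM delete phase, through today) has an archive file."""
    have = parse_archive_paths(paths)
    window_start = today - timedelta(days=retention_days)
    needed = {window_start + timedelta(days=i) for i in range(retention_days + 1)}
    missing = sorted(needed - have)
    return {
        "oldest_archive": min(have) if have else None,
        "window_start": window_start,
        "missing_days": missing,
        "restorable": not missing,
    }

def sample_paths(first, last):
    """Constructed listing of a gap-free archive between two dates (inclusive)."""
    n = (last - first).days + 1
    return [f"/var/ossec/logs/alerts/{d.year}/{MONTHS[d.month - 1]}/ossec-alerts-{d.day:02d}.json.gz"
            for d in (first + timedelta(days=i) for i in range(n))]

if __name__ == "__main__":
    today = date(2022, 5, 3)
    listing = sample_paths(date(2021, 10, 1), today)  # constructed, not a real listing
    print(archive_covers_indices(listing, 180, today))
```

On a real manager, feed it the output of `find /var/ossec/logs/alerts -name 'ossec-alerts-*.json.gz'` and the delete-phase age from the ILM policy; any day in `missing_days` is one the restore script cannot bring back.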
Caio Oliveira

May 4, 2022, 2:57:49 PM
to prachi katakwar, Bin Do Tuan Anh, Wazuh mailing list
Installing the release candidate is not an option?


I have the same problem here and I'm thinking of trying this option.

prachi katakwar

May 16, 2022, 4:08:01 AM
to Bin Do Tuan Anh, Wazuh mailing list
Hi Bin and Wazuh Team,
Any suggestions?
BR
//Prachi

On Thu, May 12, 2022 at 12:58 PM prachi katakwar <prachi.ka...@gmail.com> wrote:
Hi Bin,

Hope you are well. Sorry, I was occupied with some research work so could not reply fast.

At the moment I am going through the latest Wazuh 4.3 release and other Wazuh-related documentation.
Since we have a basic-license setup of Elasticsearch, I want to know the difference between the Wazuh indexer and Elasticsearch. Why has Wazuh as a company launched wazuh-indexer, and as a customer why should we go with wazuh-indexer?

Also, if I decide to go with the Wazuh indexer, how do I upgrade from a basic Elasticsearch setup to wazuh-indexer?

Also, as of now we are using Nginx for SSL authentication for Kibana. So how do I remove Nginx, and what component is used for authentication for the Wazuh dashboard?

My current architecture is:
All the components below are deployed together on a single CentOS 8 VM.

Component       Version
Wazuh           4.2
Elasticsearch   7.14.2 -> 7.17.3
Filebeat        7.14.2
Kibana          7.14.2


BR
//Prachi


Bin Do Tuan Anh

May 16, 2022, 1:55:08 PM
to Wazuh mailing list
Hi, 

The Wazuh indexer is an OpenSearch distribution with additional tools that our team has developed to assist with the installation and configuration of the search engine.

The Wazuh dashboard, which is the web user interface for the Wazuh platform, is a customized OpenSearch Dashboards distribution that includes the Wazuh plugin.

Both of them are the forks that the Wazuh team works with right now to add more features.

But at the same time we do support Elastic Stack, Open Distro and Splunk. Here is the list of supported versions:
  • Elastic Stack: The Wazuh Kibana plugin supports Kibana versions 7.16 and 7.17, including all of their patch versions.
  • Open Distro: The Wazuh Kibana plugin provides support for the latest version of Open Distro, which at this moment is version 1.13.2.
  • Splunk: The Splunk app supports Splunk version 8.1 and 8.2, including all their patch versions.

Here you will be able to find a migration guide: https://documentation.wazuh.com/current/migration-guide/index.html

Regarding authentication with the Wazuh dashboard and Open Distro, you can create users with different roles and permissions. At the same time you will have an admin user out of the box. For more details you can check here: https://documentation.wazuh.com/current/cloud-service/your-environment/manage-auth.html#creating-and-setting-a-wazuh-admin-user

For Elastic Stack you can also use X-Pack security, which has a free tier. For more details please check this page: https://documentation.wazuh.com/current/learning-wazuh/build-lab/xpack-security-setup.html

Best regards,
Bin.   
