I wanna upgrade wazuh-manager to 4.7

[Le Sok]

Hello team, 
I wanna upgrade Wazuh-manager to 4.7 without losing wazuh agent, I already https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html it's successfully from 4.5.1 to 4.7 but all my wazuh agent is losing can someone guide me detail how to upgrade wazuh without losing agent please.

Best regards. 

[Stuti Gupta]

Hi team!
Thank you for using wazuh.

Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Regards

[Le Sok]

Can we upgrade wazuh-manager without internet ? because Wazuh not allow access internet 
Best regards.

[stetnt4]

Hello!Sorry to bother you!Could you send me your /etc/wazuh-dashboard/opensearch_dashboards.yml, I deleted the file, now I can’t connect to my dashboard. I need to find the error myself

понедельник, 18 декабря 2023 г. в 06:29:05 UTC+3, Le Sok:

[Stuti Gupta]

Hi Le sok!

Hope you are doing well and thank you for using wazuh.

Its strange that after upgrading the wazuh-manager the agent are lost. To know the root cause please provide the following informtions.
Can you please share the os details and wazuh environment like how you install wazuh?
Can you please share the ossec.log of wazuh manager and one of the agent that is located at /var/ossec/logs/ossec.log?

I have tested both online and offline methods. To upgarde the wazuh offline to can follow these steps:
Upgrading Indexer offline
Step 1: install any deb package online using command:-
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-indexer/wazuh-indexer_4.7.0-1_amd64.deb
(Find the version and package https://documentation.wazuh.com/current/installation-guide/packages-list.html#wazuh-indexerl)

Step 2: go offline run command:
sudo systemctl stop wazuh-indexer
sudo -i service wazuh-indexer stop
(run this commands to stop the already running wazuh-indexer in linux)

Step 3: upgrade the Elasticsearch offline
sudo dpkg -i <package that was install in Step_1>
sudo dpkg -i wazuh-indexer_4.7.0-1_amd64.deb.1

Step 4: restart the elasticsearch and check the status
systemctl daemon-reload
systemctl start elasticsearch
journalctl -u elasticsearch

Step 5: check if Elasticsearch upgraded  
curl -XGET https://localhost:9200 -u admin:admin -k

Output will b
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "H1cIclf8SUqDevj5_PM6Xw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
 

Upgrading wazuhmanger and filebeat offline

Step 1: install deb package offline  
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
chmod 744 wazuh-install.sh
./wazuh-install.sh -dw deb

(from https://documentation.wazuh.com/current/deployment-options/offline-installation.html#prerequisites)

Step 2: go offline run command and upgrade wazuh-manger
sudo systemctl stop wazuh-manager
 # to extract the zip file downloaded in previous step, command is:
tar xf wazuh-offline.tar.gz

# Install or upgrade the wazuh manger using command:
dpkg -i ./wazuh-offline/wazuh-packages/wazuh-manager*.deb

Step 4: start the wazuh- manager
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager

Step 5: upgrade filebeat
sudo systemctl stop filebeat
dpkg -i ./wazuh-offline/wazuh-packages/filebeat*.deb

Step 6: restart the filebeat and check the status
systemctl daemon-reload
systemctl start filebeat
filebeat test output
elasticsearch: https://192.168.54.67:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.54.67
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2


# check cluster health using following command  
curl -XGET https://localhost:9200/_cluster/health?pretty=true -k -u admin:admin

Output
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 8,
  "active_shards" : 8,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}


Upgrading wazuh-dashboard

Step 1: Upgraded version zip file online using command:-
wget <package>  
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-dashboard/wazuh-dashboard_4.7.0-1_amd64.deb
(Find the version and package https://documentation.wazuh.com/current/installation-guide/packages-list.html#wazuh-dashboard)

Step 2: go offline run command:
sudo systemctl stop wazuh-dashboard
sudo -i service wazuh-dashboard stop
 
Step 3: upgrade the kibana  
dpkg -i <the wazuh-dashboard deb file downloaded in first step>
dpkg -iwazuh-dashboard_4.7.0-1_amd64.deb
# run the above command to upgrade kibana


Step 4: start the wazuh- dashboard
systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
systemctl status  wazuh-dashboard.

Run this comman to check the wazuh-maanger version: /var/ossec/bin/wazuh-control -j info 


And your sagent will not be lost by following these steps as you can see

Hope this helps. Looking forward to your response.
Regards,

[Stuti Gupta]

Hi Stetnt4

Hope you are doing well and thank you for using wazuh.

You can look at https://github.com/wazuh/wazuh-dashboard/blob/120-update-github-actions/config/opensearch_dashboards.yml for opensearch_dashboard.yml. If you have any query related to this please open another thread here so we can track your issue better and assist you further. 

Regards,

[stetnt4]

Thank you!

понедельник, 18 декабря 2023 г. в 12:48:03 UTC+3, Stuti Gupta:

[Le Sok]

When I try to run rpm -i wazuh-indexer-4.7.0-1.x86_64.rpm but the output it's like not install new indexer what;s wrong with my Wazuh sir ?
Im using Wazuh Ova in this link sir but verison 4.5 https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html 

Best regards

[Le Sok]

When I try to test connection with port 9200 it's not working sir but another port is working normaly

Best regards

[Stuti Gupta]

Hi Le Sok,

Please share the OS details and verify if this is an- in-one deployment. Please share the ossec.log wazuh-manager in text format.

Hope to hear from you soon.
Regards,

[Le Sok]

OS Linux amazon 2 and I try to upgrade Wazuh 4.5 to 4.7 and here is logs from wazuh manager 

[Stuti Gupta]

Hi 

We have noticed that you are using the command rpm -i to upgrade a package, this is incorrect. If you want to upgrade you need to use the following:  rpm -U ./wazuh-offline/wazuh-packages/wazuh-indexer*.rpm

Perform the following steps for RMP pacakges:
Download the packages and configuration files
 Run it from a system with Internet connection. This action executes a script that downloads all required files for the offline installation on x86_64 architectures

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
chmod 744 wazuh-install.sh

./wazuh-install.sh -dw |rpm

Offline In the working directory where you placed wazuh-offline.tar.gz execute the following command to decompress the installation files: tar xf wazuh-offline.tar.gz

Upgrade wazuh-indexer
1. Stop the Wazuh indexer

sudo systemctl stop wazuh-indexer
sudo -i service wazuh-indexer stop

2. Run the following commands to install the Wazuh indexer.
rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
rpm -U ./wazuh-offline/wazuh-packages/wazuh-indexer*.rpm
3. check if wazuh-indexer upgraded  

curl -XGET https://localhost:9200 -u admin:admin -k

Output will b
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "H1cIclf8SUqDevj5_PM6Xw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"

Upgrade wazuh-manager
1. stop services: 
sudo systemctl stop wazuh-manager
sudo systemctl stop filebeat
2. Run upgarde command:
rpm -u ./wazuh-offline/wazuh-packages/wazuh-manager*.rpm
rpm -u ./wazuh-offline/wazuh-packages/filebeat*.rpm
3. Restart the services and check status:

systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager

systemctl status wazuh-manager.
systemctl daemon-reload
systemctl enable filebeat

systemctl start filebeat
filebeat test output

4. Run this comman to check the wazuh-maanger version: /var/ossec/bin/wazuh-control -j info 

sudo systemctl stop wazuh-dashboard
sudo -i service wazuh-dashboard stop
 

upgrade the wazuh dashboard:
1. stop wazuh-dashboard services:  

sudo systemctl stop wazuh-dashboard
sudo -i service wazuh-dashboard stop

2. Upgrade command:
 rpm -U ./wazuh-offline/wazuh-packages/wazuh-dashboard*.rpm>
3.  start the wazuh- dashboard

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard
systemctl status  wazuh-dashboard.

Hope this helps

Regards,

[Le Sok]

Why it;s not working sir when im try to install file from wazuh-install.sh