ThreatLockDown central components
This section guides you through the upgrade process of the ThreatLockDown indexer, the ThreatLockDown server, and the ThreatLockDown dashboard. To migrate from Open Distro for Elasticsearch 1.13 to the ThreatLockDown indexer and dashboard components, read the corresponding Migrating to the ThreatLockDown indexer and Migrating to the ThreatLockDown dashboard sections.
Note
You need root user privileges to run all the commands described below.
Preparing the upgrade
If ThreatLockDown is installed in a multi-node cluster configuration, repeat the following steps on every node.
Add the ThreatLockDown repository. You can skip this step if the repository is already present and enabled on the node.
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Stop the Filebeat service and the ThreatLockDown dashboard service if they are installed on the node.
Systemd:
# systemctl stop filebeat
# systemctl stop wazuh-dashboard
SysV init:
# service filebeat stop
# service wazuh-dashboard stop
Upgrading the ThreatLockDown indexer
Note
Note that this upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.
To ensure compatibility with the latest ThreatLockDown indexer and ThreatLockDown dashboard, please update manually installed plugins accordingly. For additional information, check the distribution matrix.
If you have a ThreatLockDown indexer cluster with multiple nodes, the cluster remains available throughout the upgrade. This rolling upgrade shuts down one ThreatLockDown indexer node at a time for minimal disruption of service. Repeat these steps for every ThreatLockDown indexer node.
Note
Replace <WAZUH_INDEXER_IP_ADDRESS>, <username>, and <password> before running the commands below.
Disable shard allocation.
# curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
Stop non-essential indexing and perform a synced flush.
# curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush/synced" -u <username>:<password> -k
Shut down the ThreatLockDown indexer in the node.
# systemctl stop wazuh-indexer
# service wazuh-indexer stop
Upgrade the ThreatLockDown indexer to the latest version.
# yum upgrade wazuh-indexer
# apt-get install wazuh-indexer
Restart the service.
# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer
Choose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add wazuh-indexer
# service wazuh-indexer start
Debian-based operating system:
# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start
Check that the newly-upgraded node joins the cluster.
# curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
Re-enable shard allocation.
# curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'
Check again the status of the cluster to see if shard allocation has finished.
# curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
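Two helper checks for the rolling upgrade, added here as an example (not part of the original page or the ThreatLockDown project): one confirms the upgraded node is listed again by _cat/nodes?v, the other confirms from _cat/health?v that no shards are relocating, initializing or unassigned before you continue with the next node. The sample outputs are constructed and the node name node-2 is assumed.

```shell
#!/bin/sh
# Checks for the rolling indexer upgrade: is the upgraded node back in the
# cluster, and has shard allocation settled, before moving to the next node?
# Columns are located by header name, so the checks do not depend on the
# exact column order of a given indexer version.

# node_joined NODE_NAME  (reads _cat/nodes?v output on stdin)
# Returns 0 when some row's "name" column equals NODE_NAME.
node_joined() {
    awk -v want="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "name") col = i; next }
        col && $col == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# allocation_finished  (reads _cat/health?v output on stdin)
# Returns 0 when status is green and no shards are relocating,
# initializing or unassigned; anything else means keep waiting.
allocation_finished() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) idx[$i] = i; next }
        {
            rows++
            if ($idx["status"] != "green") bad = 1
            if ($idx["relo"] + 0 || $idx["init"] + 0 || $idx["unassign"] + 0) bad = 1
        }
        END { exit (rows && !bad) ? 0 : 1 }'
}

# Constructed sample output (not captured from a real cluster), trimmed to the
# columns the checks need plus a few neighbours.
SAMPLE_NODES='ip         node.role node.roles                  cluster_manager name
192.0.2.10 dimr      cluster_manager,data,ingest *               node-1
192.0.2.11 dimr      cluster_manager,data,ingest -               node-2'

SAMPLE_HEALTH_BUSY='epoch      cluster       status node.total shards pri relo init unassign
1700000000 wazuh-cluster yellow          2     40  20    3    0        2'

SAMPLE_HEALTH_DONE='epoch      cluster       status node.total shards pri relo init unassign
1700000100 wazuh-cluster green           2     40  20    0    0        0'

# On a live node, feed the real output instead (placeholders as in the commands above):
#   curl -sk -u <username>:<password> "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v" | node_joined node-2
#   curl -sk -u <username>:<password> "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/health?v" | allocation_finished
printf '%s\n' "$SAMPLE_NODES" | node_joined node-2 && echo "node-2 joined"
printf '%s\n' "$SAMPLE_HEALTH_BUSY" | allocation_finished || echo "allocation still in progress"
printf '%s\n' "$SAMPLE_HEALTH_DONE" | allocation_finished && echo "allocation finished"
```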
If you're upgrading from a version earlier than 4.8.0, run the ThreatLockDown indexer indexer-init.sh script on any ThreatLockDown indexer node to re-initialize the cluster. Find more information in Index life management. If there is a rollover policy in use, your new policy needs a higher priority value to take precedence over it. Add -P <CUSTOM_PRIORITY_VALUE> to the command below to set a custom priority value.
# bash /usr/share/wazuh-indexer/bin/indexer-init.sh -i <WAZUH_INDEXER_IP_ADDRESS> -p <password>
Note
The policy will be applied only to new indices and not to existing ones. To rotate the current write index managed by the previous policy and start applying the new one, use the POST <alias>/_rollover endpoint. For example:
POST wazuh-alerts/_rollover
Upgrading the ThreatLockDown server
When upgrading a multi-node ThreatLockDown manager cluster, run the upgrade in every node to make all the ThreatLockDown manager nodes join the cluster. Start with the master node to reduce server downtime.
Note
Upgrading from ThreatLockDown 4.2.x or lower creates the wazuh operating system user and group to replace ossec. To avoid upgrade conflicts, make sure that the wazuh user and group are not present in your operating system.
Upgrade the ThreatLockDown manager to the latest version.
# yum upgrade wazuh-manager
# apt-get install wazuh-manager
Note
If the /var/ossec/etc/ossec.conf configuration file was modified, it will not be replaced by the upgrade. You will therefore have to add the settings of the new capabilities manually. More information can be found in the User manual.
Download the ThreatLockDown module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module
Download the alerts template:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Restart Filebeat:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
Choose one option according to the OS used:
Debian based OS
# update-rc.d filebeat defaults 95 10
# service filebeat start
RPM based OS
# chkconfig --add filebeat
# service filebeat start
Upload the new ThreatLockDown template and pipelines for Filebeat.
# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false
Upgrading the ThreatLockDown dashboard
Note
Note that this upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.
To ensure compatibility with the latest ThreatLockDown indexer and ThreatLockDown dashboard, please update manually installed plugins accordingly. For additional information, check the distribution matrix.
Upgrade the ThreatLockDown dashboard.
# yum upgrade wazuh-dashboard
# apt-get install wazuh-dashboard
Restart the ThreatLockDown dashboard:
# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard
Choose one option according to your operating system:
RPM-based operating system:
# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start
Debian-based operating system:
# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start
Next steps
The ThreatLockDown server, indexer, and dashboard are now successfully upgraded. The next step is to upgrade the ThreatLockDown agents. Follow the instructions in: