Upgrading Wazuh to Version 4.8.0: A Step-by-Step Guide

SOCFortress
Jun 22, 2024

In this tutorial, we’ll walk you through upgrading your Wazuh setup to the latest 4.8.0 release. This upgrade includes significant changes to the vulnerability detection system and the user interface (UI), which we’ll explore in detail. By the end of this guide, you’ll have your Wazuh manager, indexer, and dashboards updated and running smoothly.

What’s New in Wazuh 4.8.0?

The 4.8.0 release of Wazuh brings several important updates:

Refactored Vulnerability Detection: The vulnerability detection system has been completely overhauled.

UI Changes: Several user interface improvements have been made for better usability.

Configuration Updates: Some configuration changes are required, particularly for vulnerability detection.

Full Release Notes: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html

Preparation

Before we begin, ensure you have:

— A backup of your current Wazuh configuration.

— Administrative access to your Wazuh servers.

Step 1: Stopping Services

First, stop all Wazuh services to prepare for the upgrade:

sudo systemctl stop wazuh-manager 
sudo systemctl stop wazuh-indexer
sudo systemctl stop wazuh-dashboard

Step 2: Upgrading the Indexer

sudo apt-get install --only-upgrade wazuh-indexer

Start the indexer service and check its status:

sudo systemctl start wazuh-indexer
sudo systemctl status wazuh-indexer

Step 3: Upgrading the Dashboard

sudo apt-get install --only-upgrade wazuh-dashboard
sudo systemctl start wazuh-dashboard
sudo systemctl status wazuh-dashboard

Step 4: Upgrading the Manager

sudo apt-get install --only-upgrade wazuh-manager
sudo systemctl start wazuh-manager
sudo systemctl status wazuh-manager

Step 5: Updating Configuration

Edit your ossec.conf file to update the vulnerability detection configuration. Replace the existing <vulnerability-detector> block with the new configuration:

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <!-- Point this at your Wazuh indexer node (IP address or hostname) -->
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <!-- CA and client certificate/key the manager uses for TLS to the indexer -->
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

❗ SEE VIDEO LINKED AT START OF POST FOR WALKTHROUGH❗

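You must save the Wazuh indexer username and password in the Wazuh manager keystore using the wazuh-keystore tool, then restart the manager. Because the values are passed as command-line arguments, they can end up in shell history, so clear those entries once the credentials are stored.

sudo /var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
sudo /var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
sudo systemctl restart wazuh-manager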
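
A quick check for the Step 5 edit, added here as an example and not part of the original post: the shell function below (check_vd_config is a hypothetical name) looks for a leftover legacy block, a missing or disabled <vulnerability-detection> block, a non-HTTPS indexer host, and unreadable TLS files. It assumes the manager configuration lives at /var/ossec/etc/ossec.conf and matches tags textually, so a commented-out legacy block is reported too.

```shell
# Added example, not from the original post. Usage (as root):
#   check_vd_config /var/ossec/etc/ossec.conf   # path is an assumption
# Returns 0 when clean, 1 when a finding was printed, 2 if unreadable.
check_vd_config() {
  local conf="$1" findings=0 indexer path
  [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

  # The pre-4.8 block must be gone; 4.8.0 reads <vulnerability-detection>.
  if grep -q '<vulnerability-detector>' "$conf"; then
    echo "legacy <vulnerability-detector> block still present"; findings=1
  fi

  # The new block must exist and be enabled.
  if ! sed -n '/<vulnerability-detection>/,/<\/vulnerability-detection>/p' \
       "$conf" | grep -q '<enabled>yes</enabled>'; then
    echo "<vulnerability-detection> missing or not enabled"; findings=1
  fi

  # Extract the <indexer> block once and inspect it.
  indexer=$(sed -n '/<indexer>/,/<\/indexer>/p' "$conf")
  if [ -z "$indexer" ]; then
    echo "<indexer> block missing"; findings=1
    return "$findings"
  fi
  # The keystore credentials travel over this connection, so require TLS.
  if printf '%s\n' "$indexer" | grep '<host>' | grep -qv '<host>https://'; then
    echo "indexer <host> is not https://"; findings=1
  fi
  # CA, certificate and key paths must point at readable files.
  for path in $(printf '%s\n' "$indexer" | sed -n \
      -e 's:.*<ca>\(.*\)</ca>.*:\1:p' \
      -e 's:.*<certificate>\(.*\)</certificate>.*:\1:p' \
      -e 's:.*<key>\(.*\)</key>.*:\1:p'); do
    [ -r "$path" ] || { echo "unreadable TLS file: $path"; findings=1; }
  done
  return "$findings"
}
```

Run it after editing ossec.conf and before restarting wazuh-manager; any printed line is something to fix first.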

Conclusion

Upgrading to Wazuh 4.8.0 brings enhanced functionality and improved security features. By following this guide, you’ve successfully upgraded your Wazuh environment to take advantage of these new capabilities. For more detailed information, refer to the official Wazuh documentation.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).