Wazuh Upgrade Notes
I ran into a lot of issues when doing an upgrade of Wazuh manager (All-in-one deployment) to Wazuh version 4.8, so I will share the roadblocks here and how to get it to work properly. It wasn't exactly "a breeze" in my particular case, but I learned a thing or two about its inner workings.
Issue #1: ossec.conf didn’t update
Note: If the /var/ossec/etc/ossec.conf configuration file was modified, it will not be replaced by the upgrade. You will therefore have to add the settings of the new capabilities manually. More information can be found in the User manual.
Doc reference: Wazuh central components - Upgrade guide · Wazuh documentation
Issue #2: Vulnerability Detection not working
The Vulnerability Detection module was not working when I did the full upgrade.
Error:
$ cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-<manager_name>', retrying until the connection is successful
And the wazuh-states-vulnerabilities-wazuh index was missing from the indices list in the Dashboard.
I just updated the certificate names in the ossec.conf file according to the ones that were updated in /etc/filebeat/certs:
- Make sure the certificate filepaths are correctly declared in ossec.conf
Here's how it looks after the certificate names were updated and I ran sudo systemctl restart wazuh-manager:
Now it works. 🎉
Issue #3: Wazuh API not routing the IP correctly
I noticed the API listening on port 9200 was being mapped to localhost, not the IP address of the manager.
How did I detect this issue? I was able to cURL localhost:9200 from inside the Wazuh manager, but not via the LAN IP, even when testing from inside the Wazuh manager as well.
curl localhost:9200 ✅
curl <manager-ip>:9200 ❌
I changed ossec.conf's XML parameter <indexer><host> to the IP of the indexer instead of localhost.
Also changed /etc/wazuh-indexer/opensearch.yml to match the IP address.
Also needed to remap the IP in /etc/wazuh-dashboard/opensearch_dashboards.yml.
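Both Issue #2 (certificate paths in the <indexer> block of ossec.conf) and Issue #3 (the three components pointing at different addresses) come down to the same thing: after the upgrade, the files that wire the manager, the indexer and the dashboard together have to agree with each other and with what is actually on disk. The script below is an added example, not code from the original post or from Wazuh. It pulls the <ca>, <certificate>, <key> and <host> values out of the <indexer> block of ossec.conf (the 4.8 element layout as I know it; an assumption), network.host out of opensearch.yml and the address in opensearch.hosts out of opensearch_dashboards.yml, then checks that every certificate file exists and that all three addresses match. Note that port 9200 is the indexer (OpenSearch) listener, which is why network.host in opensearch.yml decides whether curl <manager-ip>:9200 answers; the Wazuh API itself defaults to port 55000. The file paths are parameters, so on a real node you would pass /var/ossec/etc/ossec.conf, /etc/wazuh-indexer/opensearch.yml and /etc/wazuh-dashboard/opensearch_dashboards.yml; the fixture files and the 10.0.0.5 address in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post or from Wazuh): consistency check for
# the indexer wiring of a Wazuh 4.8 all-in-one node. Element and key names follow
# the 4.8 layout as I know it (assumption); all file paths are parameters.

# indexer_value FILE TAG: first <TAG>..</TAG> value inside the <indexer> block.
# A flat regex is enough here because ossec.conf keeps each of these on one line.
indexer_value() {
    sed -n '/<indexer>/,/<\/indexer>/p' "$1" |
        sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" | head -n 1
}

# host_only URL: strip scheme and port, e.g. https://10.0.0.5:9200 -> 10.0.0.5
host_only() {
    printf '%s\n' "$1" | sed 's|^[a-z]*://||; s|:[0-9]*$||'
}

# check_indexer_wiring OSSEC_CONF OPENSEARCH_YML DASHBOARDS_YML
# Prints one line per finding. Returns 0 when every declared certificate file
# exists and manager, indexer and dashboard all use the same address, else 1.
check_indexer_wiring() {
    ossec=$1 osyml=$2 dashyml=$3 rc=0

    # Issue #2: the paths under <indexer><ssl> must point at real files
    for tag in ca certificate key; do
        path=$(indexer_value "$ossec" "$tag")
        if [ -z "$path" ]; then
            echo "MISSING: no <$tag> inside <indexer> in $ossec"; rc=1
        elif [ ! -f "$path" ]; then
            echo "MISSING FILE: <$tag> points at $path"; rc=1
        else
            echo "ok: <$tag> -> $path"
        fi
    done

    # Issue #3: the address each component uses for the indexer (port 9200)
    manager_host=$(host_only "$(indexer_value "$ossec" host)")
    bind_host=$(sed -n 's/^network\.host:[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$osyml" | head -n 1)
    dash_host=$(sed -n 's/^opensearch\.hosts:.*:\/\/\([^]:"]*\).*/\1/p' "$dashyml" | head -n 1)

    echo "manager -> $manager_host | indexer binds $bind_host | dashboard -> $dash_host"
    if [ -n "$manager_host" ] && [ "$manager_host" = "$bind_host" ] && [ "$bind_host" = "$dash_host" ]; then
        echo "ok: all three components use $manager_host"
    else
        echo "MISMATCH: ossec.conf, opensearch.yml and opensearch_dashboards.yml disagree"; rc=1
    fi
    return $rc
}

# make_fixture DIR MANAGER_HOST BIND_HOST DASH_HOST
# Writes constructed, minimal stand-ins for the three files under DIR plus empty
# certificate files (sample data for the demo, not real Wazuh configs).
make_fixture() {
    dir=$1
    mkdir -p "$dir/certs"
    : > "$dir/certs/root-ca.pem"
    : > "$dir/certs/wazuh-server.pem"
    : > "$dir/certs/wazuh-server-key.pem"
    cat > "$dir/ossec.conf" <<EOF
<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://$2:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>$dir/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>$dir/certs/wazuh-server.pem</certificate>
      <key>$dir/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>
EOF
    printf 'network.host: "%s"\n' "$3" > "$dir/opensearch.yml"
    printf 'opensearch.hosts: ["https://%s:9200"]\n' "$4" > "$dir/opensearch_dashboards.yml"
}

# Demo: a consistent node, then the Issue #3 shape (indexer moved to the LAN IP
# while manager and dashboard still say localhost). 10.0.0.5 is a made-up address.
demo=$(mktemp -d)
make_fixture "$demo/good" 10.0.0.5 10.0.0.5 10.0.0.5
check_indexer_wiring "$demo/good/ossec.conf" "$demo/good/opensearch.yml" "$demo/good/opensearch_dashboards.yml"
make_fixture "$demo/bad" localhost 10.0.0.5 localhost
check_indexer_wiring "$demo/bad/ossec.conf" "$demo/bad/opensearch.yml" "$demo/bad/opensearch_dashboards.yml" \
    || echo "-> fix the files above, then restart wazuh-indexer, wazuh-manager and wazuh-dashboard"
rm -rf "$demo"
```

Run it as root on the manager with the three real paths after any change to ossec.conf, opensearch.yml or opensearch_dashboards.yml and before restarting the services; a non-zero exit means the IndexerConnector warning from Issue #2 or the localhost-only 9200 from Issue #3 is still to be expected.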