Upgrade Elastic Security to 8.16.2

edit

Upgrade Elastic Security to 8.16.2

edit

Before you upgrade Elastic Security, take the necessary preparation steps, which will vary depending on what version you are upgrading to:

Rolling upgrades are unsupported in Elastic Security, which runs within the Kibana application. To upgrade, you must shut down all Kibana instances, install the new software, and restart Kibana. Upgrading while older Kibana instances are running can cause data loss or upgrade failures.

When required, Kibana automatically migrates saved objects. In case of an upgrade failure, you can roll back to an earlier version of Kibana. To roll back, you must have a backup snapshot that includes the kibana feature state. By default, snapshots include the kibana feature state.

Upgrading multiple Kibana instances

edit

When upgrading several Kibana instances connected to the same Elasticsearch cluster, ensure that all outdated instances are shut down before starting the upgrade.

Rolling upgrades are unsupported in Kibana. However, when outdated instances are shut down, you can start all upgraded instances in parallel, which allows all instances to participate in the upgrade migration in parallel.

For large deployments with more than 10 Kibana instances and more than 10,000 saved objects, you can reduce the upgrade downtime by bringing up a single Kibana instance and waiting for it to complete the upgrade migration before bringing up the remaining instances.

You can upgrade to pre-release versions for testing, but upgrading from a pre-release to the Generally Available version is unsupported. You should use pre-release versions only for testing in a temporary environment.

Ensure that all Kibana instances are the same

edit

When you perform an upgrade migration of different Kibana versions, the migration can fail. Ensure that all Kibana instances are running the same version, configuration, and plugins.

Support for Elastic prebuilt detection rule automatic updates

edit

Automatic updates of Elastic prebuilt detection rules are supported for the current Elastic Security version and the latest three previous minor releases. For example, if you’re upgrading to Elastic Security 8.10, you’ll be able to use the Rules UI to update your prebuilt rules until Elastic Security 8.14 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest Elastic Security version to receive automatic updates.

Upgrade from an 8.x to an 8.x version

edit

Follow this guide to upgrade from an earlier 8.x version to a later 8.x version.

Plan for your upgrade

edit

Before upgrading from an earlier 8.x version, consider the following recommendations:

  • Plan for an appropriate amount of time to complete the upgrade. Depending on your configuration and the size of your cluster, the process can take up to a week to complete.
  • Open a support case with Elastic to alert our Elastic Support team of your system change. If you need additional assistance, Elastic Consulting Services provides the technical expertise and step-by-step approach for upgrading your Elastic deployment.
  • Choose a version to upgrade to. We recommend the latest minor and patch version. Be sure to upgrade your development or non-production deployment to the same version as your production deployment.
  • Ensure that you have stack monitoring enabled in Kibana. Take note of your current index and search rate.
  • Review your selected version’s features, Elastic connectors, integrations, and detection rules to determine if you can replace any customized content with out-of-the-box functionality. This can help reduce your workload and the complexity of your upgrade.
  • Review release notes, deprecations, and breaking changes for Elastic Security, Elasticsearch, Kibana, and, if applicable, Fleet and Elastic Agent, Beats, and Logstash. Identify any issues that might affect your deployment. Work with your Elastic team on any questions you may have. Start with breaking changes for your solution and platform components, such as Elasticsearch and Kibana.
  • Schedule a system maintenance window within your organization.

Pre-upgrade steps

edit

To prepare for the upgrade process, follow these steps before you start:

  1. Do a software version inventory across your entire Elastic deployment, including Elasticsearch, Kibana, Elastic Agent, Beats, and Logstash.
  2. If you’re not using snapshot lifecycle management (SLM), you must set up and configure a policy, then run the policy to create at least one snapshot—a backup of indices taken from a running cluster. If you need to roll back during the upgrade process, use a recent snapshot to avoid data loss. Snapshots are incremental—depending on the cluster size and the input/output rate, the initial snapshot may take several hours to complete. If you’re using SLM, check the SLM history to ensure that snapshots are completing successfully.

Perform an 8.x to 8.x upgrade on a deployment

edit

We strongly recommend performing the following steps on a non-production deployment first to address any potential issues before upgrading your production deployments. If you’re using a cross-cluster search environment, upgrade your remote deployments first.

  1. If you haven’t already done so, back up your cluster data to a snapshot.
  2. We recommend you export all your custom detection rules in case there are issues with the detection engine after the upgrade.
  3. Upgrade Elasticsearch.

    • If you’re using Elastic Cloud, we recommend upgrades with no downtime. Refer to these instructions.
    • If you’re using Elastic Cloud Enterprise (ECE), refer to these instructions.
    • If you’re using Elastic Cloud on Kubernetes (ECK), refer to these instructions.
    • If you’re upgrading a self-orchestrated deployment, refer to these instructions and upgrade the data nodes tier by tier in this order:

      1. Frozen tier
      2. Cold tier
      3. Warm tier
      4. Hot tier
      5. Any other nodes not in a tier
      6. All remaining nodes that are neither master-eligible nor data nodes
      7. Master-eligible nodes
  4. Upgrade Kibana. Refer to these instructions.

    If you’re using Elastic Cloud Hosted or Elastic Cloud Enterprise, this is already included in the Elasticsearch upgrade.

  5. Validate that Elasticsearch and Kibana are operating as expected by completing the following checks:

    1. For Elasticsearch:

      1. Check the status of your clusters and ensure that they’re green by running a GET _cat/health API request. For more information, refer to the cat health API documentation.
      2. Ensure that the index and search rate are close to what they were before upgrading. Go to Stack MonitoringElasticsearchOverview.

        You can also check the index document count using the cat index API.

      3. Verify that snapshot lifecycle management (SLM) is taking snapshots by checking the SLM history.
      4. If you use machine learning, ensure that it is up and running.
    2. For Kibana:

      1. Ensure that you and your users can successfully log in to Kibana and access desired pages.
      2. Check Discover and verify that the index patterns you typically use are available.
      3. Verify that your commonly used dashboards are available and working properly.
      4. If you use any Watcher-based Kibana scheduled reporting, ensure that it’s working properly.
  6. Upgrade your ingest components (such as Logstash, Fleet and Elastic Agent, Beats, etc.). For details, refer to the Elastic Stack upgrade docs.
  7. Validate that ingest is operating correctly.

    1. Open Discover, go through data views for each of your expected ingest data streams, and ensure that data is being ingested in the expected format and volume.
  8. Validate that Elastic Security is operating correctly.

    1. On the Rules page, re-enable your desired SIEM detection rules (Rule Management tab), and ensure that enabled rules are running without errors or warnings (Rule Monitoring tab).
    2. Ensure that any SOAR workflows that consume alerts are working.
    3. Verify that any custom dashboards your team has created are working properly, especially if they operate on alert documents.
  9. If you performed these steps on a non-production deployment, repeat these same steps on your production environment. If you’re using a cross-cluster search environment and performed these steps on your remote clusters, repeat these same steps on your other deployments.
  10. Confirm with your appropriate stakeholders that the upgrade process has been successful.

Considerations when upgrading to 8.8 or later

edit

After you upgrade to 8.8 or later, frequency settings for rule actions created in 8.7 or earlier are automatically moved from the rule level to the action level. The action schedules remain the same and will continue to run on their previously specified frequency (On each rule execution, Hourly, Daily, or Weekly).

Upgrade from 7.16 or earlier to an 8.x version

edit

To upgrade from 7.16.0 or earlier to 8.16.2, you must first upgrade your Elastic Stack and Elastic Agents to 7.17 (refer to Upgrade Fleet-managed Elastic Agents). This enables you to use the Upgrade Assistant to prepare for the upgrade. Before you upgrade, you must resolve all critical issues identified by the Upgrade Assistant. Afterwards, you can upgrade to 8.x.

Initially, Elastic Agents will be version 7.17. This is fine because Elastic Security 8.x supports the last minor release in 7.x (7.17) and any subsequent Elastic Endpoint versions in 8.x. After the Elastic Stack upgrade, you can decide whether to upgrade Elastic Agents to 8.x, which is recommended to ensure you get the latest features.

You do not need to shut down your Elastic Agents or endpoints to upgrade the Elastic Stack.