So here’s a few fun observations that I ran into when upgrading:
1: If you’re using Beats input, you can no longer use PKCS8 keys, the “deprecated” older beats input won’t recognise them and will merrily start blowing errors all over the place when something connects.
2: Settings we use for ES (768 max conns, 128 per route, output batch of 4096) that worked absolutely fine in 2.5 are now causing bulk indexing timeout exceptions, settings had to be tweaked down to achieve similar performance
3: Graylog now runs as an unprivileged user (graylog) which meant it couldn’t read certificates from our certificate store since that user isn’t in the group allowed read access, so you’ll have to pay attention to that.
Other than that it was relaively smooth sailing Nice work!