Downgrade Elasticsearch to support Graylog version

1. Describe your incident:
We want to downgrade ES from 7.16.1 to 7.10.2.

2. Describe your environment:

  • OS Information:
    Debian Bullseye

  • Package Version:
    4.2.7

  • Service logs, configurations, and environment variables:
    N/A

3. What steps have you already taken to try and solve the problem?
We are running Graylog 4.2.7 with Elasticsearch 7.16.1 and MongoDB 4.4. Now we want to upgrade Graylog to 4.3, but it says that
“We caution you not to install or upgrade Elasticsearch to 7.11 and later! It is not supported. If you do so, it will break your instance!”
link

4. How can the community help?
We are in a situation where we want to downgrade ES from 7.16.1 to 7.10.2 so that we can use Graylog 4.3. We are using Graylog 4.2.7, MongoDB 4.4 & Elasticsearch 7.16.1.
Do I need to downgrade the whole stack, or can I downgrade partly?

Please guide,

Regards,
SAM

Hello @samurai29

The bad news is you can always upgrade but not downgrade without losing data. You can try, but be aware it may not end well. There are other members here that have that version and it seems to be running fine for them.

Yeah, that's new for Graylog version 4.3.

If this is production, I would suggest staying with 4.2.x unless you really need to upgrade.

Thanks for the clarity @gsmith

Yes, it's production with Graylog 4.2.X with ES 7.16.1 and Mongo 4.4.

"There are other members here that have that version and it seems to be running fine for them." ----> You mean they have Graylog 4.2.X with ES 7.16.1 and Mongo 4.4, and they have not seen any issue with it?
Or do they have Graylog 4.3.X with ES 7.16.1 and Mongo 4.4?

Please help me with this, so that we can consider dropping the idea of upgrading Graylog to 4.3.

Also, when will Graylog support ES 7.11 and later versions?

Please note though that Elasticsearch 7.10 is now EOL and no longer supported.

This information will help us decide on the Graylog upgrade.

Once again, thank you for your time and support.

Regards,
SAM

Here are the gory details
In short, GL will not support ES beyond 7.10.

That said, there is nothing preventing you from upgrading to 4.3 with existing 7.16. But you do so at your own risk and responsibility.

…but what is the plan for the future?
Sounds like a dead end.

Regards
KPS

I think @tmacgbay has a higher version than 7.10. He could fill ya in more about that.

No, 4.2 or less then, 4.3 might not install as you noticed. Or check out what @patrickmann posted.

You may want to read this document, here

Graylog is supporting OpenSearch now but only with Graylog Version 4.3.

The only suggestion I have for you right now, since you went over the compatible version of Elasticsearch, would be to create a new Graylog server with either Elasticsearch 7.10 or OpenSearch. Keep your old Graylog server for archiving and point all the devices to the new node.

@KPS
Not sure what the future is for Elasticsearch & Graylog, but it looks like Graylog is taking the OpenSearch path.

I am running on Elasticsearch 7.14. I have seen some comments about shifting data between versions but I didn’t see anything complete on someone who has brought Elasticsearch back down to 7.10.2. My understanding is that Elasticsearch is currently a dead end and if you were to spend your time trying to move data, you should work to OpenSearch… But Graylog has not written that they support version 2.x of OpenSearch… so read carefully before you begin your adventure…

@gsmith’s suggestion to archive the current system for history and building new with OpenSearch underlying is a more solid path if you are in production… unless you can replicate your current system and build out a test environment.

Document the hell out of what you end up doing and post it up… there are plenty of others in your shoes that would appreciate the insight - I may get to something like it myself… when I have more time.

I can share with you that a migration guide from Elastic to OpenSearch is in the works. I don’t have an ETA - but you have been heard.
