We have updated our Graylog system to the latest Graylog 2.5 and Elastic from 2.5 to 5.
All looked fine, but then we saw that Elasticsearch was storing the data in “/var/lib/elasticsearch” instead of “/media/data/elasticsearch”, shortly before 0 KB free space on “/”.
In all configs the path was explicitly OK, so we did a shutdown of the system (it’s a single node) and reinstalled Elasticsearch and Graylog again with blank/new config files.
Then we configured Elasticsearch / Graylog again and it works now with the data path, but we have lost everything from before… it’s a completely empty system now.
On the partition all files are shown, ACLs are fine (elasticsearch is owner).
The documentation shows that all config settings are stored in the MongoDB database, which we haven’t touched, so we thought it would pick it up and use it automatically.
Is there a way we can “restore” the old config like LDAP, Inputs, Streams, Dashboards etc.?
Most important question is: how did you upgrade? If you used a package manager, like RPM or APT, it should have retained your original configuration files.
Now I’m going to feel silly for asking this, but: do you have backups?