Graylog 5.1 still sees Elasticsearch conf

Hey Guys
I set up a server with Graylog v5.1.4, MongoDB v6.0.9 and OpenSearch 2.5 (no Elasticsearch).
When starting all services, Graylog will not start because it can't load the Elasticsearch plugin. In the Graylog logs I see this message:

2023-08-23T19:28:04.112Z INFO [CmdLineTool] Loaded plugin: Elasticsearch 7 Support 5.1.4+6fa2de3 [org.graylog.storage.elasticsearch7.Elasticsearch7Plugin]

Now the only way to make it work is to configure the opensearch.yml and add the following line:

plugins.security.disabled: true

Why do I see this error even though Elasticsearch was never installed? And is there a way to remove this entry?

Thank you
Badaboom

Greetings! Graylog still maintains compatibility with Elasticsearch 7.10.2. Graylog has several “backend” plugins (e.g. Elasticsearch, OpenSearch) and will detect the appropriate backend to use automatically.

Hi Drew, thanks for answering. I understand that Graylog still maintains compatibility with ES 7.10.2. But if it finds the appropriate backend service to use as you mentioned, for instance in my case it would be OpenSearch (v2.5), shouldn't it bypass ES and start using OpenSearch, instead of crashing because it can't find the ES plugin?

Maybe I am missing a configuration to tell Graylog to use OpenSearch from now on and not stick to ES when not installed. Don't know if that makes any sense, let me know.

Thank you very much for your help.
Badaboom

Your question makes sense. Graylog will use the configured indexer hosts (even though the server.conf setting is still called elasticsearch_hosts) to query the indexer and determine the product and version. Unfortunately, there are some scenarios where Graylog cannot properly connect to the indexer. The OpenSearch security plugin (when left unconfigured, which is its default state) can cause this issue and unfortunately OpenSearch enables this by default.

This should be covered in the Installing Graylog documentation, for example: Ubuntu installation

But I understand how this can be confusing. We have plans to improve upon this workflow in the future by introducing multiple graylog install types that can have specific roles. For example a graylog install that is graylog (as it is today) and another graylog install that is actually a controller for opensearch (we’re calling it the data node). This will greatly improve the installation and configuration experience and make installing updates much more streamlined.

Hi, again thanks for taking the time to respond.
I indeed did follow the instructions from the links you sent me, thanks for that.
What's more confusing and frustrating is that the server.conf setting (elasticsearch_host) that you mentioned is commented out as shown below. So it should not even be taken into account.

cat /etc/graylog/server/server.conf | grep elasticsearch_hosts
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200

Well hopefully the next version will fix the issue.

I wish not to open another thread, but may I ask if MongoDB 7.x and OpenSearch 2.9 are supported in Graylog 5.1.x?

Thanks again for your time.
Really appreciated.

Badaboom
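Added example (not part of the thread and not Graylog's own code): a small checker for the two points discussed above, namely which indexer hosts apply when elasticsearch_hosts is commented out, and how a GET / probe of the indexer can be read as a product and version. It also flags the plugins.security.disabled workaround when the node listens beyond loopback. Assumptions: the function names and result labels are hypothetical, the default host is Graylog's documented default, the OpenSearch network.host setting is not mentioned in the thread, and the sample inputs are constructed.

```python
import json

# Graylog's documented default when elasticsearch_hosts is unset or commented out.
DEFAULT_HOSTS = ["http://127.0.0.1:9200"]
# Constructed samples: the thread's server.conf line and a GET / root document.
SERVER_CONF = "#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200\n"
OPENSEARCH_ROOT = '{"version": {"distribution": "opensearch", "number": "2.5.0"}}'

def effective_hosts(server_conf):
    """Indexer URLs Graylog will query; a '#' line leaves the default in force."""
    for raw in server_conf.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == "elasticsearch_hosts":
            return [h.strip() for h in value.split(",") if h.strip()]
    return DEFAULT_HOSTS

def classify_probe(status, body):
    """Interpret GET / on one host; status=None means no HTTP response at all."""
    if status is None:
        return "no-http-response"   # e.g. plain HTTP sent to a TLS-only listener
    if status in (401, 403):
        return "auth-required"      # assumed cause: security plugin active, no credentials
    if status != 200:
        return f"http-{status}"
    try:
        version = json.loads(body)["version"]
        number = version["number"]
    except (ValueError, KeyError, TypeError):
        return "not-an-indexer"
    # Elasticsearch 7.x root documents carry no "distribution" field.
    product = "opensearch" if version.get("distribution") == "opensearch" else "elasticsearch"
    return f"{product} {number}"

def exposure_warning(opensearch_yml):
    """Flag the workaround when it leaves an unauthenticated indexer reachable off-host."""
    cfg = {}
    for raw in opensearch_yml.splitlines():  # flat 'key: value' lines only, not full YAML
        key, sep, value = raw.split("#", 1)[0].partition(":")
        if sep and key.strip():
            cfg[key.strip()] = value.strip().strip("'\"")
    if cfg.get("plugins.security.disabled", "false").lower() != "true":
        return None
    host = cfg.get("network.host", "_local_")  # unset means loopback only
    if host in ("_local_", "127.0.0.1", "localhost", "::1"):
        return None
    return f"security plugin disabled with network.host={host}: limit port 9200 to the Graylog host"

if __name__ == "__main__":
    print(effective_hosts(SERVER_CONF), classify_probe(200, OPENSEARCH_ROOT))
```
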

We have an issue to track removing references to elasticsearch via Rename "elasticsearch" Graylog server properties · Issue #13927 · Graylog2/graylog2-server · GitHub. It will unfortunately be a long and slow process.

Regarding Mongo 7, my understanding is that it was just released and I don’t believe it has been tested or validated. I recommend sticking with mongo 6.

Everything I’ve seen and tested about opensearch 2.x is that they have all been compatible. I just tested installing and using opensearch 2.9 with graylog and found no issues.

Thank you very much for your time Drew.
That closes the question.
Have a good day