Graylog Upgrade 2.3


I’m planning on upgrading my Graylog environment to Graylog 2.3.
I’m running Graylog and Elasticsearch on two separate machines. Is it recommended to also upgrade Elasticsearch to the latest version?
If so, what’s the recommended procedure?

Update Elasticsearch first and then afterwards MongoDB and Graylog to 2.3?


Graylog 2.3.x still works with Elasticsearch 2.x, so you don’t need to upgrade Elasticsearch or you can upgrade it at a later time.

Please refer to the documentation for upgrade instructions:

We chose to separate out our Graylog 2.2.3 -> 2.3 upgrade and our Elasticsearch 2.4.5 -> 5.x upgrades so as to reduce the complexity of changes/work during any given maintenance window. I upgraded Graylog to 2.3 last week and am allowing things to “settle out” if you will. Leaving my ES cluster as is helps reduce the number of moving parts should there (have been) post-upgrade issues, which there were not. Well, not with the upgrade itself; we ran into an issue with a multiline collector pattern against Tomcat access logs due to stricter GELF field requirements, but that’s another topic.

I do plan on moving my ES cluster to 5.x at some point, and hot-warm architecture as well, but for now it was very nice to not need to.

Very cool, thanks for both of your fast replies.
I’ll start with the Graylog upgrade on Thursday morning; hopefully everything will go smoothly.

Cross your fingers for me :wink:


I’ve upgraded Graylog to 2.3.
I know there were a few configuration changes within server.conf,

most notably the following line:
elasticsearch_hosts =

I have added the data node there on port 9200
and the master node (Graylog server IP) also on port 9200.

However, within ElasticHQ on the data node I’m only able to see the data node, but not the master node (Graylog server IP) anymore.
Before the update I was able to see both nodes.

Also, it seems the Graylog server is no longer able to forward the messages from the journal to the Elasticsearch database…
I seem to write unprocessed messages:
-369,908,431 unprocessed messages are currently in the journal, in 1 segments

Hmm, any idea?

That’s totally okay.

Graylog used to join the Elasticsearch cluster as a client node (no master, no data). That has changed with Graylog 2.3.0, which only connects to the Elasticsearch cluster via HTTP.

However, should I worry about the unprocessed messages?
In the server.log I only see an error of an input… but I will deal with that later…

Ha! Okay, I think I’ve fixed it myself…

Previously I had the message journal directory in a different location… that got overwritten in the new config.
I’ve now changed the location in the config again… now it seems to work alright again :slight_smile:
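
The problem resolved in the last post (a customised journal location reset by the new server.conf) can be caught before restarting by diffing the backed-up config against the post-upgrade one. This is an added example, not part of the thread and not Graylog tooling; `parse_conf` and `diff_conf` are hypothetical helper names, and both sample configs, including their paths and host name, are constructed.

```python
# Added example (not from the thread): diff a backed-up server.conf against the
# post-upgrade one to spot settings the new file reset. Both samples are constructed.

OLD_CONF = """\
# pre-upgrade backup (constructed sample)
is_master = true
message_journal_dir = /data/graylog/journal
"""

NEW_CONF = """\
# post-upgrade file (constructed sample)
is_master = true
message_journal_dir = /var/lib/graylog-server/journal
elasticsearch_hosts = http://es-data.example:9200
"""

def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        settings[key.strip()] = value.strip()
    return settings

def diff_conf(old_text, new_text):
    """Return settings whose value changed, that vanished, or that are new."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    return {
        "changed": {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]},
        "dropped": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
    }

if __name__ == "__main__":
    result = diff_conf(OLD_CONF, NEW_CONF)
    for key, (before, after) in result["changed"].items():
        print(f"CHANGED {key}: {before!r} -> {after!r}")
    for key in result["dropped"]:
        print(f"DROPPED {key}")
    for key in result["added"]:
        print(f"NEW     {key}")
```

A `CHANGED message_journal_dir` line is the signal to restore the old path before starting the server, so the existing journal is picked up again.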
