I was finally looking into upgrading my (t)rusty Graylog server, which has been running fine since I installed it. This means I haven't touched it since first installing it.
The version that I initially installed was 2.3.0+81f822, and the Elasticsearch version that was popular then was elasticsearch-2.4.5-1.
The reason I didn't update until now was that I didn't want to update Elasticsearch to the 5.x version, because it's a bit of a pain to update it.
Also, I have quite a bit of storage, as I have to keep 90 days' worth of logs, which brings me to an index of 3.3 TB (!).
Each index is rotated daily.
I read that before updating Elasticsearch to 5.x it is mandatory to re-index using the API.
Does this mean I have to re-index each of those 90 indices through the API? Otherwise, won't I be able to search through this data?
What is the recommended procedure here? I'd really love to use the benefits of Elasticsearch 5.x and the latest Graylog server version.
Unfortunately, the problem is that I only have 1 master and 1 data node (which carries all of the 3.3 TB by itself), which doesn't help the situation at all.
I'd appreciate any best practices & recommendations, even if it's "don't touch it… or you're better off re-installing it from scratch", although I'd hate to lose all the data (due to audit/compliance reasons).
Many thanks in advance,