I need to update our Graylog appliance to mitigate the Log4j vulnerability but I have very little experience with Graylog and am not sure of the process! Had a look around the site but can’t find the process.
We just have one Graylog server that’s running on Ubuntu and currently on v2.5.1+34194da, and I’m guessing an upgrade to 3.3.15 would be the easiest for the mitigation?
Edit: just ran dpkg -l | grep -E ".(elasticsearch|graylog|mongo)." and the results:
graylog 2.5.1-1
graylog-4.2-repository 1-4
If anyone could assist with the upgrade procedure or point me towards a guide, that would be great.
When upgrading Graylog, we recommend that you upgrade incrementally through all intervening major versions, starting the service after each incremental upgrade.
MongoDB and Elasticsearch should be upgraded before Graylog. They can be left running when Graylog is upgraded.
The installation guide actually has the update commands which are pretty standard. Scroll down a bit from the link. The doc dudes are planning an update to correct this…
You will need to hunt down the older version upgrade you want to download in Graylog packages
So the output of dpkg -l | grep -E ".(elasticsearch|graylog|mongo)." doesn’t mention elasticsearch or mongo, does that mean they aren’t used?
I have tried the commands to install graylog-3.0-repository_latest.deb but get the following errors (I assume the fetch errors aren’t important but included them for reference). This adds the 3.0 repository but Graylog is still on 2.5.1 after a reboot:
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@graylog:/tmp# sudo apt-get install graylog-server
Reading package lists… Done
Building dependency tree
Reading state information… Done
Package graylog-server is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package ‘graylog-server’ has no installation candidate
Mongo is definitely used by Graylog, and all process messages are stored in Elasticsearch - you need both… It’s possible to have Elasticsearch installed on a separate server… did you set up this environment yourself or are you taking over something someone else built?
It is not clear which commands you used based on what you have posted. I am not sure what you downloaded or what commands you used. Please use the forum markup tools to make your code/commands/logs readable. Do you have more than one Graylog repository?
Unfortunately a colleague who has left the organisation set this up and this is my first exposure to it. We only have one Graylog server. I have reverted the server back to a snapshot I took earlier today before running any commands and this is the current status:
These are the commands I had tried from the installation guide based on first upgrading to v3.0:
In the beginning, you said “Graylog Appliance”. Before you do any upgrades you need to understand how it is installed and where MongoDB and Elasticsearch are set up. Do you know if it’s a standalone install, or Docker, or an OVA installation? Also, your version is quite far behind; the older documentation can be found here: Architecture — Graylog 2.5.0 documentation
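The replies above keep asking the same three things before any upgrade is attempted: which graylog-server version is installed, whether more than one (or a mismatched) Graylog repository package is present, and whether MongoDB and Elasticsearch are installed on the same box. The script below is an added example, not from the thread or the Graylog docs; it answers those questions from `dpkg -l` output. The `SAMPLE_DPKG` text is constructed to resemble the poster’s listing (a 2.5.1 server next to a 4.2 repository package, which is exactly the combination that leaves apt with no installation candidate); on a real host pipe `dpkg -l` into the functions instead.

```shell
#!/bin/sh
# Pre-upgrade inventory check (added example, not Graylog's own tooling).
# Parses `dpkg -l` output and reports the installed graylog-server version,
# every graylog-X.Y-repository package, and whether MongoDB / Elasticsearch
# packages are installed locally.

# Constructed sample of `dpkg -l` output (not a real host's listing).
SAMPLE_DPKG='ii  graylog-server          2.5.1-1   all    Graylog server
ii  graylog-4.2-repository  1-4       all    Graylog repository
ii  mongodb-org-server      3.6.23    amd64  MongoDB database server
ii  elasticsearch-oss       6.8.23    amd64  Distributed search engine'

# Print "name version" for every installed (ii) package whose name matches
# the extended regex in $1; reads dpkg -l output from stdin.
installed() {
  awk -v re="$1" '$1 == "ii" && $2 ~ re { print $2, $3 }'
}

# Installed graylog-server version, or nothing if it is absent.
graylog_server_version() {
  printf '%s\n' "$1" | installed '^graylog-server$' | awk '{ print $2 }'
}

# major.minor of every graylog-X.Y-repository package, one per line.
graylog_repo_versions() {
  printf '%s\n' "$1" | installed '^graylog-[0-9]+[.][0-9]+-repository$' \
    | sed -E 's/^graylog-([0-9]+\.[0-9]+)-repository.*/\1/'
}

# Succeeds only when exactly one repository package is installed and its
# major.minor matches the server's. Two repositories, or a 4.2 repository
# next to a 2.5.1 server, fails: apt will then have no candidate the
# running server can be upgraded from incrementally.
repo_matches_server() {
  srv=$(graylog_server_version "$1" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
  repos=$(graylog_repo_versions "$1")
  [ "$(printf '%s\n' "$repos" | grep -c .)" -eq 1 ] && [ "$repos" = "$srv" ]
}

# Succeed when a MongoDB / Elasticsearch package is installed on this host;
# failure means the dependency is missing or lives on another server.
has_mongodb()       { printf '%s\n' "$1" | installed '^mongodb' | grep -q .; }
has_elasticsearch() { printf '%s\n' "$1" | installed '^elasticsearch' | grep -q .; }
```

Run the checks against a live host with `DPKG=$(dpkg -l); repo_matches_server "$DPKG" || echo "repository/server mismatch"` and similarly for `has_mongodb` and `has_elasticsearch`.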