Migrate Vm Based Graylog to Dockerized Version

guzelcihad · June 13, 2022, 10:10am

Hi,

We currently maintain a graylog cluster which works on virtual machine. Our setup is like that:

ElasticSearch clusters
Mongodb running on graylog installed machines, not a separate clusters.

So, we want to run graylog inside docker container. What we tried first was to create a graylog installed container and join it to the existent graylog clusters. It fails because of the mongo db versions seem different and they are not be able to communicate with each other.

So, We thought that just create another graylog cluster with the dockerized version, get a mongodb dump from existent cluster and import the data to the newly created mongo. I think it can work but what I am not sure about this migration is ElastichSearch data. Does the ElasticSearch stores information about graylog clusters? If yes then it can be problematic because our new cluster is not gonna be able to work with current ElasticSearch. Can you clarify me?

gsmith · June 14, 2022, 12:25am

Hello @guzelcihad

You almost have it.
It is advisable to insure MongoDb is the same version before performing a Mongdump &mongorestore

Again, Insure the version are the same. What needs to happen is…

Elasticsearch Creating A Snapshot
Example:

Configure elasticsearch.yaml file.

path: "/etc/elasticsearch/my_backup"

Then excute the follow to register the repo.

curl -X PUT "localhost:9200/_snapshot/my_repo?pretty" -H 'Content-Type: application/json' -d'
{
"type": "fs",
"settings": {
"location": "/etc/elasticsearch/my_repo"
}
}
'

Or just one index

curl -X PUT "localhost:9200/_snapshot/my_backup/snapshot_1?wait_for_completion=true&pretty" -H 'Content-Type: application/json' -d '
{
"indices": "graylog_1",
"ignore_unavailable": true,
"include_global_state": false,
"metadata": {
"taken_by": "aaron",
"taken_because": "testing for community issue",
"date": "2021-04-09"
}
}
'

Once completed run the following.

curl -X PUT "localhost:9200/_snapshot/my_repo/snapshot_1?wait_for_completion=true&pretty"

Copy you data to its destination

Restore

 curl -X POST "localhost:9200/_snapshot/my_repo/snapshot_1/_restore?pretty

NOTES:

Restart ES and GL service
If an error occurs check index

ERROR [IndexRotationThread] Couldn’t point deflector to a new index
java.lang.IllegalArgumentException: [alias] is unsupported for [REMOVE_INDEX]

curl -XGET 'http://localhosts:9200/_cat/indices?pretty=true'

If there are old indices make sure to remove them. Example if I restored graylog_1112 if there are indecixe name graylog_0 or graylog_1 you need to remove them like this.

curl -XDELETE localhost:9200/graylog_0

Should be good

That would be MongoDb, It holds all the metadata.

Elasticsearch hold/Indexes the messages/logs. If you have a custom Index template then you need to copy that over to the new instance.

guzelcihad · June 14, 2022, 7:25am

Hi @gsmith ,

First of all thank you.

It is advisable to insure MongoDb is the same version before performing a Mongdump &mongorestore

According to your advice, I can say that MongoDB versions are not same but I got dump and imported successfully into MongoDB even the versions are not match.

You gave an idea about ElasticSearch migration. Actually I wasn’t thinking that to migrate ElasticSearch to a new cluster. I just wanted to make sure that our new graylog cluster can work with the existent ElasticSearch cluster. According to your answer if we don’t have a custom index template then we don’t have problems to work with existent ElasticSearch. But for safety reasons it is best to get a snapshot. Do you think I understood you right?

gsmith · June 14, 2022, 9:17pm

Hello,

I was referring about migrating and keeping custom template intact but since this seams to be a default installation, no worries. If there is no need for old data then just create elasticsearch container. Should be good, You may need to adjust GL configuration file to connect with elasticsearch. On th other hand if you need the old data then you would have to adjust you docker-compose file to the old data directory.

Example:

elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2-amd64
    # image: opensearchproject/opensearch:1.3.2
    network_mode: bridge
    #data folder in share for persistence
    volumes:
      - es_data:/usr/share/elasticsearch/data  <-- Change Me here if needed.
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0

I always execute a backup (i.e. snapshot or VM Checkpoint ) before I change/upgrade anything.

system · June 28, 2022, 9:18pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Move elasticsearch to another machine Graylog Central (peer support)	1	355	July 6, 2020
Migrating Graylog to a different server maintaining configuration Graylog Central (peer support)	1	1974	July 3, 2018
Backup Graylog Docker Graylog Central (peer support)	6	779	March 23, 2023
Update Graylog Docker Stack from 5.2 to 6.0.1, incl. change from Elasticsearch to Opensearch and upgrade mongodb Documentation Campfire docker , mongodb	0	1476	May 14, 2024
Graylog in docker with external ES and MONGO Graylog Central (peer support)	14	2877	September 7, 2018

Migrate Vm Based Graylog to Dockerized Version

Related topics