1. Describe your incident:
We are currently evaluating the upgrade of our Wazuh Indexer from version 4.9.2 (OpenSearch 2.13) to 4.12 (OpenSearch 2.19.1). Graylog officially supports OpenSearch up to version 2.15, meaning that 2.19.1 is officially unsupported.
In our test environment, after upgrading Wazuh Indexer to 4.12 / OpenSearch 2.19.1, searches and alerting in Graylog appear to function correctly. However, this test environment is very small compared to our production deployment, and we want to ensure that no known issues could affect our alerts, searches, or aggregations before upgrading in production.
We are aware of the known OpenSearch range/date_range aggregation bugs (ignoring filters, causing potential false positives in alerts). Normally it will not impact our environment, but we still want to know if there are any other specific risks or recommended practices when running Graylog with OpenSearch versions > 2.15.
2. Describe your environment:
- Graylog version: 6.3.1
- Wazuh Indexer: upgrading from 4.9.2 (OpenSearch 2.13) to 4.12 (OpenSearch 2.19.1)
3. What steps have you already taken to try and solve the problem?
- Upgrade Wazuh Indexer from 4.9.2 → 4.12 in small test environment
- Observe searches, dashboards, and alerting behavior
4. How can the community help?
- Are the known OpenSearch bugs in 2.16+ related to range/date_range aggregations documented for Graylog?
- Could these bugs potentially affect alerting or searches in production, especially in complex dashboards?
- Any recommended precautions or configurations to safely run Graylog with OpenSearch 2.19.1 in a Wazuh Indexer deployment?
- Guidance on when official support for OpenSearch > 2.15 is expected in Graylog