Recently I finished a successful migration from Graylog 2.5 (virtual appliance) to 3.0 (installed from packages). I had about 6 months of logs, in total only about 30 GB. It took a lot of head scratching and googling. My servers are virtual, so I took a lot of snapshots before every step. It helped a lot; I needed some rollbacks.
Installing and initial configuration was almost easy; the documentation is good in this part.
Transferring the configuration (MongoDB) was also easy; it is described here: Back Up, Restore, and Migrate a MongoDB Database.
The hardest part was the Elasticsearch data migration. I had no experience with Elasticsearch, so I learned a lot. There are some tools on the Internet for ES data migration, but none worked for me, so I ended up snapshotting and restoring from the snapshot. This could help: Make Snapshots of Elasticsearch Data and Restore It, and perhaps this too: Talking to Elasticsearch.
In Elasticsearch v.6, a ‘curl -XPUT’ command with JSON content should contain ‘content-type: application/JSON’ in the header, otherwise the command will end with an error. Example:
curl -H "content-type: application/JSON" -XPUT 'http://localhost:9200/_snapshot/graylog_backup' -d '
{
  "type": "fs",
  "settings": {
    "compress": true,
    "location": "/backups/elasticsearch-backup"
  }
}'
There was a problem with Active Directory authentication after the migration. Login with an AD user did not work, and the settings were not shown in the Web interface, but all users were there. I tried to input the AD authentication settings, but they were not saved. From the server log I found that there was one configuration already and multiple LDAP backends are not supported. I cleared the previous settings in the MongoDB database, and then it was possible to save the new configuration. Solution found here: LDAP Settings - Not Saving
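The snapshot-and-restore route described in the post, carried through from repository registration to restore, as an added example that is not part of the original post. The snapshot name `migration-1`, the `graylog_*` index pattern, and the `ES_OLD`, `ES_NEW` and `DRY_RUN` variables are assumptions made for illustration; the repository name and location are the ones from the post.

```shell
# Added example. Assumed names: ES_OLD, ES_NEW, SNAP, INDICES, DRY_RUN.
# The fs repository location must be listed under path.repo in
# elasticsearch.yml on each node and be readable by the new server.
ES_OLD="${ES_OLD:-http://localhost:9200}"   # source node (Graylog 2.5 appliance)
ES_NEW="${ES_NEW:-http://localhost:9200}"   # target node (Graylog 3.0 server)
REPO="graylog_backup"
REPO_PATH="/backups/elasticsearch-backup"
SNAP="${SNAP:-migration-1}"
INDICES="${INDICES:-graylog_*}"

# JSON bodies are built in functions so they can be inspected before sending.
repo_body() {
  printf '{"type":"fs","settings":{"compress":true,"location":"%s"}}' "$REPO_PATH"
}
restore_body() {
  # Restore only the log indices, not the old cluster's global state.
  printf '{"indices":"%s","include_global_state":false}' "$INDICES"
}

# es METHOD URL [BODY]: any request with a body carries the Content-Type
# header that Elasticsearch 6 insists on. DRY_RUN=1 prints instead of sending.
es() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s %s %s\n' "$1" "$2" "${3:-}"
    return 0
  fi
  if [ -n "${3:-}" ]; then
    curl -fsS -H 'Content-Type: application/json' -X "$1" "$2" -d "$3"
  else
    curl -fsS -X "$1" "$2"
  fi
}

backup() {   # run against the old node
  es PUT "$ES_OLD/_snapshot/$REPO" "$(repo_body)" &&
  es PUT "$ES_OLD/_snapshot/$REPO/$SNAP?wait_for_completion=true"
}

restore() {  # run against the new node once the snapshot files are in place
  es PUT "$ES_NEW/_snapshot/$REPO" "$(repo_body)" &&
  es GET "$ES_NEW/_snapshot/$REPO/$SNAP" &&
  es POST "$ES_NEW/_snapshot/$REPO/$SNAP/_restore" "$(restore_body)"
}

case "${1:-}" in
  backup)  backup ;;
  restore) restore ;;
esac
```

The restore request is rejected if an open index with the same name already exists on the target, so close or delete such an index there first.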