Send the unaltered inputs from one Graylog to another Graylog (to test before switching in a migration)

Hi

I am setting up a new Graylog 4.2 cluster to run side by side with our old Graylog 2.5.1 in order to replace it in production.
I need to send the same inputs the old Graylog is getting into the new one without any alteration (pipelines, etc.), in order to see that the new one reacts properly before replacing the old one.

Is there any way to do that from Graylog?

There are 3 inputs:

  • aws s3 input
  • gelf tcp
  • gelf http

Thanks

Not sure I fully understand the question. Do you want to set up inputs in 4.2 that are similar to those you have in 2.5.1? Or do you want to import the full configuration you have in 2.5.1 (Extractors, Pipelines, Inputs, etc.) onto 4.2?

Hmmm… I don’t think this would work if you are using extractors but you could look at connecting a second stream that captures input data and shunt it directly to an output that points to your new Graylog instance. I am not anywhere near my work environment so that is just a conceptual thought.

Ultimately this might allow you to run the old and new environments in parallel so you can prove out the 4.2 one works like the 2.4.1.

I would also consider port mirroring on your switch… more conceptual thought…

Port mirrors on a switch would only work with UDP traffic. As soon as TCP is involved this will not work.

To be honest I’d configure another log-export on the devices producing the logs. It will give you the most reliable results.
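One concrete way around the TCP limitation just mentioned, as an added example that is not from this thread: a small relay that accepts GELF TCP from the log producers and writes every NUL-terminated frame unchanged to both the old and the new Graylog. The hostnames, the port 12201 and the relay approach itself are assumptions, not something the thread describes.

```python
import asyncio

GELF_DELIM = b"\x00"  # GELF over TCP: one JSON document per frame, terminated by a NUL byte

def split_gelf_frames(buf: bytes):
    """Return (complete frames with their NUL kept, partial trailing remainder)."""
    parts = buf.split(GELF_DELIM)
    remainder = parts.pop()  # bytes after the last NUL (empty if the chunk ended on a frame)
    return [p + GELF_DELIM for p in parts if p], remainder

async def open_targets(targets):
    """Connect to each (host, port); an unreachable target is skipped, not fatal."""
    writers = []
    for host, port in targets:
        try:
            _, w = await asyncio.open_connection(host, port)
            writers.append(w)
        except OSError as exc:  # the test instance being down must not block the production one
            print(f"target {host}:{port} unreachable, skipping: {exc}")
    return writers

async def handle_client(reader, writer, targets):
    writers = await open_targets(targets)
    buf = b""
    try:
        while chunk := await reader.read(65536):
            frames, buf = split_gelf_frames(buf + chunk)
            payload = b"".join(frames)  # forwarded byte-for-byte, no parsing or rewriting
            alive = []
            for w in writers:
                try:
                    w.write(payload)
                    await w.drain()
                    alive.append(w)
                except OSError as exc:  # one Graylog dropping out must not stall the other
                    print(f"dropping {w.get_extra_info('peername')}: {exc}")
                    w.close()
            writers = alive
    finally:
        for w in writers + [writer]:
            w.close()

async def main(listen_port, targets):
    srv = await asyncio.start_server(lambda r, w: handle_client(r, w, targets), "0.0.0.0", listen_port)
    async with srv:
        await srv.serve_forever()

if __name__ == "__main__":
    # Hypothetical hostnames: point the log producers at this relay instead of at the old Graylog.
    asyncio.run(main(12201, [("old-graylog.example", 12201), ("new-graylog.example", 12201)]))
```

The GELF `source` field travels inside the JSON, so it is preserved, but each Graylog input will see the relay rather than the producer as the remote peer, and the producers must be repointed at the relay.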

Adding on from @ihe's statement,

You also have the element of the IP address, which I believe is not the same on both the new and old server. If you're concerned about alteration, we were looking into something similar to this.

Our idea was to set up a Graylog server, execute a mongodump and send it to the new server. Once it was up and running we would shut both servers down and swap IP addresses on the OS level (i.e. reconfigure our DNS server); of course the configuration files on the new GL server need to be adjusted.

Only start the new server, GL 4.3.
The old GL 2.4 can be accessed with the new IP address; once the rotation period has gone beyond the configuration settings, we would remove it from the DMZ. This could be very easy if you have Graylog Sidecar on all these devices: you could switch the IP address in seconds to the new Graylog server.

EDIT: FYI, Graylog is moving to OpenSearch 1.1, 1.2 & 1.3. You may want to look at version 4.3, and GL is only supporting Elasticsearch versions up to 7.10.
