Updating Elasticsearch 5.x to 6.8

Hi All,

I’m new to Graylog and working on an old Graylog update, and I got stuck on Elasticsearch, as my version is not compatible with the next Graylog version. I’ve read the documentation but I’m kind of lost in the process.
The documentation says to reindex before updating, so I’ve run the following to check names and noticed multiple indexes, but I’m not sure if they are monthly indexes as mentioned in the ES documentation.

curl -s localhost:9200/_aliases?pretty=true | awk -F\" '!/aliases/ && $2 != "" {print $2}'

Result:

graylog_1242
cluster
graylog_1257
graylog_1239
graylog_1261
graylog_deflector
graylog_1216
graylog_1241
graylog_1250
graylog_1253
graylog_1228
graylog_1201
graylog_1198
graylog_1220
graylog_1229
graylog_1255
graylog_1208
graylog_1217
graylog_1245
graylog_1203
graylog_1235
graylog_1206
graylog_1196
graylog_1224
graylog_1213
graylog_1215
graylog_1246
graylog_1202
gl-system-events_0
gl-system-events_deflector
graylog_1231
graylog_1258
graylog_1218
graylog_1260
graylog_1238
graylog_1259
graylog_1254
graylog_1237
graylog_1200
graylog_1205
graylog_1199
graylog_1226
graylog_1227
graylog_1232
graylog_1252
graylog_1197
graylog_1214
graylog_1210
graylog_1211
graylog_1251
graylog_1221
graylog_1247
graylog_1209
graylog_1244
graylog_1223
graylog_1212
graylog_1207
graylog_1234
graylog_1236
graylog_1243
gl-events_0
gl-events_deflector
graylog_1204
graylog_1240
graylog_1225
graylog_1256
graylog_1219
graylog_1222
graylog_1248
graylog_1249
graylog_1233
graylog_1230

Am I following the right direction?

Usually graylog_* is associated with the default index set. Under System/Indices you should find the “Default Index Set” and be able to edit/look at how it is rotated. For reindexing, you can look here for more details on how/why. Make sure you are looking at the right doc version!

Hard to tell if you are following the right direction; it’s not clear what directions you are following or where in the directions you are. Eventually you want to get to OpenSearch as Graylog isn’t supporting Elasticsearch anymore…but don’t go down that road until you are at the right spot in version 4 or 5 of Graylog…

1 Like

You only need to re-index if the indices were created with a version prior to 5.x. If they were created in a 5.X instance, you can upgrade directly to 6.8 without needing to re-index them.

5.X was able to work with the 2.X indices, 6.X was not. That’s why they were requiring re-indexing of old 2.X indices. If you don’t have any of those, you don’t need to re-index anything.

1 Like
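
Added example, not part of the thread: one way to confirm which indices fall under the reindex rule described above is to read each index's `index.version.created` setting and decode it. The sample response and its index names are constructed, and the helper names are hypothetical; only `localhost:9200` comes from the original post.

```python
import json
import sys
import urllib.request

# Constructed sample of a GET /_settings/index.version.created response
# (hypothetical index names, not output from the cluster in this thread).
SAMPLE_SETTINGS = json.loads("""
{
  "graylog_10":  {"settings": {"index": {"version": {"created": "2040699"}}}},
  "graylog_11":  {"settings": {"index": {"version": {"created": "5061699"}}}},
  "gl-events_0": {"settings": {"index": {"version": {"created": "5061699"}}}}
}
""")


def decode_version(version_id):
    """Decode an ES version id: major*1000000 + minor*10000 + revision*100 + build."""
    v = int(version_id)
    return (v // 1_000_000, (v // 10_000) % 100, (v // 100) % 100)


def needs_reindex(settings, target_major=6):
    """Map index name -> creating version for indices the target major cannot open.

    ES opens indices created in its own or the previous major version, so for
    a 6.x target anything created before 5.0 has to be reindexed first.
    """
    blocked = {}
    for name, body in settings.items():
        created = body["settings"]["index"]["version"]["created"]
        major, minor, revision = decode_version(created)
        if major < target_major - 1:
            blocked[name] = f"{major}.{minor}.{revision}"
    return blocked


def fetch_settings(base_url="http://localhost:9200"):
    """Read the creation version of every index from a live node."""
    url = f"{base_url}/_settings/index.version.created"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Pass "live" to query localhost:9200; otherwise use the constructed sample.
    data = fetch_settings() if sys.argv[1:] == ["live"] else SAMPLE_SETTINGS
    for index, version in sorted(needs_reindex(data).items()):
        print(f"{index}: created with {version}, reindex before upgrading")
```

An empty result means every index was created on 5.x or later and can be carried to 6.8 as is.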

Hi @chris.black-gl,

Good to hear it. I just checked the bash history on this server; ES 5.x was the first version installed, so I might be able to update to 6.8 without issues.

I’ll give it a try and update the post.

Thank you

Good deal. Make sure you snapshot the VM, if you’re lucky enough to be using a VM. If it goes sideways, you can put it right in a few minutes.

Yes, I’m doing it.
I’m updating the whole environment; it was running Graylog 2.5, so I’m trying to gradually move Graylog, ES and Mongo. As everything is new for me, I’m getting some headaches on the way.

Thank you for your help with it.

You’re very welcome. If you are starting that far back, you might consider starting fresh, rather than trying to upgrade everything. If you don’t have a lot of custom work you need to preserve, it will be easier than the steps through the version chain.

If you have a lot of custom content in Mongo, you can upgrade that in place, after snapshotting of course. Then export the db with mongodump and import it into the new system.

After you’re done, you simply switch over to the new system and keep on trucking. You keep the old system in place for historical searches, until the logs age out and then decommission it for good.

2 Likes
