In order to prepare to upgrade Graylog from 2.4 to 3.0, I made a virtualized version of my Graylog server (hostname Graylog, IP 192.168.1.1), including its 4TB worth of Elasticsearch indexes.
I’d now like to get this VM clone working independently (hostname Graylog2, IP 192.168.1.2) so I can mess around with it and practice upgrading. So, to do this, I have gone through every config file I can think of, and changed the IP from 192.168.1.1 to 192.168.1.2.
Once complete, I fire up Graylog-server and visit my new IP 192.168.1.2 … Graylog loads up fine, and I see my old log entries in there, great.
But to my surprise this new Graylog2 appears to be receiving 500 log entries per second, about the same as my old Graylog. Somehow both servers appear to be receiving logs - which isn’t possible. It becomes clear my new server is still using my old server’s Elasticsearch - or something like that.
Looking deeper under “System - Nodes” I see that my new clone is still somehow connected to the old Graylog node “a002c9da”. If I click the node, it gives me more info, and under REST API it says http://192.168.1.1:12900 (the old IP).
I’ve searched through config files again and I cannot find where this node is defined - nowhere in my config files does it use the old .1 IP address.
Can anyone point me in the right direction? How do I make this cloned system completely separate from the old system?