Migrating to OpenSearch
  25 May 2022
Graylog 4.3 introduces the ability for users to choose between Elasticsearch v7.10 and OpenSearch v1.1, 1.2, or 1.3. This guide details how Graylog users may migrate their Elasticsearch instance to the OpenSearch service.


  • Graylog 4.3 is required prior to OpenSearch installation. Earlier versions of Graylog are not compatible with OpenSearch.
  • Graylog 4.3 is compatible with OpenSearch v1.1, v1.2, and v1.3.
  • Graylog Security users, including those utilizing Anomaly Detection, must use OpenSearch v1.2 or 1.3.
  • Ensure a backup or snapshot of the Elasticsearch data and host is created before attempting any migration.

Preparing for Migration

Ensure Journal is Configured for the Outage

While the Elasticsearch and OpenSearch services are down, you will still want to keep data flowing. Ensuring the journal is configured correctly will allow data to be stored until the OpenSearch cluster is online.

  1. Open the Graylog server configuration file on all nodes.
     nano /etc/graylog/server/server.conf
  2. Ensure the journal is enabled.
     message_journal_enabled = true
  3. Take note of the journal directory.
     message_journal_dir = /graylog/graylog/journal
  4. Ensure the journal is configured for an appropriate amount of time for the outage and log volume based on customer needs.
     message_journal_max_age = 72h
     message_journal_max_size = 200gb
  5. Check the free space on the volume.
     /dev/sdb       314419200  7655256 306763944   3% /graylog
  6. Check the nodes within the Graylog UI to ensure there isn’t a backlog of unprocessed messages.
     a. Navigate to System > Nodes.
     b. Note that there shouldn’t be a large volume of unprocessed messages.
  7. Shut down Elasticsearch and disable the services on all Elasticsearch nodes.
     systemctl disable elasticsearch.service
     systemctl stop elasticsearch.service
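
The journal checks above can be scripted and run on each Graylog node before Elasticsearch is stopped, so that a disabled or oversized journal is caught before messages are dropped during the outage. This is an added example, not part of the Graylog documentation; the function names and exit codes are hypothetical, sizes are assumed to use 1024-based kb/mb/gb/tb units, and a setting missing from the file is reported as a failure instead of falling back to a default.

```shell
#!/bin/sh
# Added example: pre-outage check of the Graylog journal settings.

# Print KEY's value from a "key = value" file; commented-out lines are ignored.
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Convert a size such as 200gb to KiB (assumption: 1024-based kb/mb/gb/tb).
size_to_kb() {  # size_to_kb VALUE
    num=${1%%[!0-9]*}
    [ -n "$num" ] || return 1
    unit=$(printf '%s' "${1#$num}" | tr 'A-Z' 'a-z')
    case $unit in
        kb) echo "$num" ;;
        mb) echo $(($num * 1024)) ;;
        gb) echo $(($num * 1024 * 1024)) ;;
        tb) echo $(($num * 1024 * 1024 * 1024)) ;;
        *)  return 1 ;;
    esac
}

# Exit codes (hypothetical): 0 ok, 1 journal not enabled, 2 unparseable size,
# 3 message_journal_max_size exceeds free space on the journal volume.
# FREE_KB is optional; by default it is read with df for message_journal_dir.
journal_preflight() {  # journal_preflight CONF [FREE_KB]
    enabled=$(conf_get "$1" message_journal_enabled)
    dir=$(conf_get "$1" message_journal_dir)
    max=$(conf_get "$1" message_journal_max_size)
    if [ "$enabled" != "true" ]; then
        echo "FAIL: message_journal_enabled is '${enabled:-unset}'" >&2
        return 1
    fi
    if ! max_kb=$(size_to_kb "$max"); then
        echo "FAIL: cannot parse message_journal_max_size '$max'" >&2
        return 2
    fi
    free_kb=${2:-$(df -Pk "$dir" | awk 'NR==2 {print $4}')}
    if [ "$max_kb" -gt "$free_kb" ]; then
        echo "FAIL: journal limit ${max_kb} KiB > ${free_kb} KiB free" >&2
        return 3
    fi
    echo "OK: journal limit ${max_kb} KiB fits in ${free_kb} KiB free ($dir)"
}

# Run against a real file only when a path is given on the command line.
if [ "$#" -gt 0 ]; then journal_preflight "$@"; fi
```

The comparison is conservative: space the journal already occupies counts toward the limit but not toward the free space reported by df.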

Install OpenSearch

Now you can install OpenSearch. Full documentation regarding the installation of the OpenSearch repository is available via their website for v1.1, v1.2, and v1.3.


Graylog Security users, including those utilizing Anomaly Detection, must use OpenSearch v1.2 or 1.3.

For recommendations and suggestions regarding installing OpenSearch for your Graylog instance, see the related user guide.

Updating the OpenSearch Configuration


This section assumes that you are reusing the same Elasticsearch nodes for OpenSearch. If new nodes are created, then make sure to copy the Elasticsearch data to the OpenSearch nodes before continuing the migration.

  1. Edit the OpenSearch configuration file.
     nano /graylog/opensearch/config/opensearch.yml
  2. Point OpenSearch at the existing Elasticsearch data by setting path.data to the existing Elasticsearch data directory.
     path.data: /graylog/elasticsearch/data
  3. Update permissions on the data so OpenSearch can access the files.
     sudo chown -R opensearch:opensearch /graylog/elasticsearch/
     sudo chmod -R 2750 /graylog/elasticsearch/
  4. Restart the OpenSearch service.
     systemctl restart opensearch.service

