- 25 May 2022
- 2 Minutes to read
Migrating to OpenSearch
- Updated on 25 May 2022
Graylog 4.3 introduces the ability for users to choose between Elasticsearch v7.10 and OpenSearch v1.1, 1.2, or 1.3. This guide details how Graylog users may migrate their Elasticsearch instance to the OpenSearch service.
- Graylog 4.3 is required prior to OpenSearch installation. Earlier versions of Graylog are not compatible with OpenSearch.
- Graylog 4.3 is compatible with OpenSearch v1.1, v1.2, and v1.3.
- Graylog Security users, including those utilizing Anomaly Detection, must use OpenSearch v1.2 or 1.3.
- Ensure a backup or snapshot of the Elasticsearch data and host is created before attempting any migration.
Preparing for Migration
Ensure Journal is Configured for the Outage
While the Elasticsearch and OpenSearch services are down, you will still want to keep data flowing. Ensuring the journal is configured correctly will allow data to be stored until the OpenSearch cluster is online.
- Open the Graylog server configuration file on all nodes.
- Ensure the journal is enabled.
message_journal_enabled = true
- Take note of the journal directory.
message_journal_dir = /graylog/graylog/journal
- Ensure the journal is configured for an appropriate amount of time for the outage and log volume based on customer needs.
message_journal_max_age = 72h
message_journal_max_size = 200gb
- Check the free space on the volume.
df
/dev/sdb 314419200 7655256 306763944 3% /graylog
- Check the nodes within the Graylog UI to ensure there isn’t a backlog of unprocessed messages.
  a. Navigate to System > Nodes.
  b. Note that there shouldn’t be a large volume of unprocessed messages.
- Shut down Elasticsearch and disable the services on all Elasticsearch nodes.
systemctl disable elasticsearch.service
systemctl stop elasticsearch.service
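The journal checks in the steps above can be scripted and run on each Graylog node before Elasticsearch is stopped. The script below is an added example, not part of the Graylog documentation or code. The function names, the return codes, the requirement that the journal be enabled explicitly, and the handling of only kb/mb/gb/tb size suffixes are assumptions. It fails when message_journal_max_size is larger than the free space on the journal volume, since the journal would then fill the disk before reaching its cap.

```shell
#!/bin/sh
# Added example (not Graylog code): pre-flight check of the journal settings.

# conf_get FILE KEY: value of the last uncommented "KEY = value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# size_to_kb SIZE: convert e.g. 200gb to KiB. Assumption: kb/mb/gb/tb suffixes only.
size_to_kb() {
    num=${1%[a-zA-Z][a-zA-Z]}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $(printf '%s' "${1#"$num"}" | tr 'A-Z' 'a-z') in
        kb) echo "$num" ;;
        mb) echo $(($num * 1024)) ;;
        gb) echo $(($num * 1024 * 1024)) ;;
        tb) echo $(($num * 1024 * 1024 * 1024)) ;;
        *) return 1 ;;
    esac
}

# journal_preflight CONF [AVAIL_KB]
# Returns 0 ok, 1 journal not explicitly enabled, 2 unreadable settings,
# 3 message_journal_max_size larger than the free space on the journal volume.
# AVAIL_KB overrides the df lookup (used for the constructed sample below).
journal_preflight() {
    [ "$(conf_get "$1" message_journal_enabled)" = "true" ] || return 1
    dir=$(conf_get "$1" message_journal_dir)
    max_kb=$(size_to_kb "$(conf_get "$1" message_journal_max_size)") || return 2
    [ -n "$dir" ] || return 2
    avail_kb=${2:-$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')}
    case $avail_kb in ''|*[!0-9]*) return 2 ;; esac
    echo "journal=$dir max_size=${max_kb}K available=${avail_kb}K"
    [ "$max_kb" -le "$avail_kb" ] || return 3
}

# Constructed sample using the settings and the df "Available" column from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
message_journal_enabled = true
message_journal_dir = /graylog/graylog/journal
message_journal_max_age = 72h
message_journal_max_size = 200gb
EOF
journal_preflight "$sample" 306763944 && echo "OK: journal fits on the volume"
rm -f "$sample"
```

On a real node, pass only the path of the Graylog server configuration file so that the free space is read from df for the journal directory.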
Graylog Security users, including those utilizing Anomaly Detection, must use OpenSearch v1.2 or 1.3.
For recommendations and suggestions regarding installing OpenSearch for your Graylog instance, see the related user guide.
Updating the OpenSearch Configuration
This section assumes that you are reusing the same Elasticsearch nodes for OpenSearch. If new nodes are created, then make sure to copy the Elasticsearch data to the OpenSearch nodes before continuing the migration.
- Edit the OpenSearch configuration file.
- Point OpenSearch to the Elasticsearch data by updating path.data to the location of the existing Elasticsearch data.
- Update permissions on the data so OpenSearch can access the files.
sudo chown -R opensearch:opensearch /graylog/elasticsearch/
sudo chmod -R 2750 /graylog/elasticsearch/
- Restart the OpenSearch service.
systemctl restart opensearch.service