Upgrade to Graylog 7.0

This article contains important information about upgrading to Graylog 7.0. For detailed steps, see our upgrade guides for supported operating systems and services.

Breaking Changes

Java 21

Graylog now requires Java 21 to run. Earlier versions are no longer supported.

Our operating system packages and container images ship with the correct Java version.

MongoDB 7.0

Graylog now requires at least MongoDB version 7.0. Earlier versions are no longer supported.

In general, MongoDB upgrades must be done from one minor release to the next, going to the latest bug fix version in that release. Please refer to the MongoDB upgrade documentation for details.

Graylog users who cannot upgrade to MongoDB 7.0 or later before upgrading Graylog to 7.0.x can disable Graylog's preflight check via its configuration setting (skip_preflight_checks = true) to let Graylog start regardless of the MongoDB version used. This approach is not recommended, as Graylog may use MongoDB 7.0 features over the course of the 7.x series.

Kafka Inputs

The kafka-clients library was updated to 4.x, which removes support for Kafka brokers with version 2.0 and earlier. All Graylog 7.0 Kafka inputs can now only connect to Kafka brokers version 2.1 or newer.

Enterprise Theme Color Customization

The logic for generating color shades based on custom-defined color variants (error, informative, etc.) has been slightly adjusted. The exact color specified in customization settings is now used as the primary color for UI elements such as buttons and badges.

Renaming “Data Warehouse” to “Data Lake”

The feature previously known as “Data Warehouse” is now completely renamed to “Data Lake.” This includes user-visible text as well as internal components such as API endpoints, database content, permissions, and more.

API Endpoints and Permissions

All endpoints related to the data lake have changed their URLs accordingly. Endpoints previously accessible at /api/plugins/org.graylog.plugins.datawarehouse/data_warehouse/... are now moved to /api/plugins/org.graylog.plugins.datalake/data_lake/.... Similarly, permissions are renamed from data_warehouse... to data_lake....

Database Content

The following collections have been renamed:

  • data_warehouse_archive_config → data_lake_archive_config

  • data_warehouse_backends → data_lake_backends

  • data_warehouse_catalog → data_lake_catalog

Documents in the following collections are also updated to reflect the name change:

  • cluster_config (for data lake-related migrations)

  • enterprise_traffic

  • scheduler_job_definitions

  • scheduler_triggers (if a data lake optimization job is already scheduled)

Audit Logs

Audit logs written before the update remain unchanged. New audit logs written after the update will reference “Data Lake” instead of “Data Warehouse.”

Metrics

Metrics from before the update remain unchanged. Starting with version 7.0, the names of data lake–related metrics reflect the new terminology.

Default Configuration Changes

  • The permission to view the “Cluster Configuration” page was removed from the Reader role. This permission is now available in the Cluster Configuration Reader role. A one-time migration automatically adds this role to existing users with the Reader role for backward compatibility. New users must be explicitly assigned this role if needed.

  • Only admins can create new API tokens. Existing tokens are unaffected. New tokens now expire after 30 days by default.

General REST API Changes

In Graylog 7.0, an issue was fixed that previously allowed additional unknown JSON properties to be accepted (and ignored) in API requests on the Graylog leader node. Now, API requests only accept explicitly mapped or supported properties.

APIs for entity creation now use a CreateEntityRequest parameter to keep entity fields separate from sharing information. This is a breaking change for all API requests that create entities (streams, dashboards, reports, etc.).

Affected entities include:

  • Search / Dashboard

  • Search Filter

  • Report

  • Event Definition

  • Stream

  • Notifications

  • Sigma Rules

  • Event Procedure

  • Event Step

  • Content Pack Installation

  • Teams

  • Illuminate Pack Installation

Example request payload for creating a stream:

{
  "entity": {
    "index_set_id": "65b7ba138cdb8c534a953fef",
    "description": "An example stream",
    "title": "My Stream",
    "remove_matches_from_default_stream": false
  },
  "share_request": {
    "selected_grantee_capabilities": {
      "grn::::search:684158906442150b2eefb78c": "own"
    }
  }
}

Access to the API browser now requires the api_browser:read permission. This can be granted by assigning the new API Browser Reader role to a user.

REST API Endpoint Changes

The following REST API changes have been made.

| Endpoint | Description |
|---|---|
| GET /system/urlallowlist | Renamed from GET /system/urlwhitelist. Permission renamed to urlallowlist:read. |
| PUT /system/urlallowlist | Renamed from PUT /system/urlwhitelist. Permission renamed to urlallowlist:write. |
| POST /system/urlallowlist/check | Renamed from POST /system/urlwhitelist/check. |
| POST /system/urlallowlist/generate_regex | Renamed from POST /system/urlwhitelist/generate_regex. |
| All /api/plugins/org.graylog.plugins.datalake/data_lake/... | Renamed from /api/plugins/org.graylog.plugins.datawarehouse/data_warehouse/.... Corresponding permissions renamed to data_lake.... |
| All /api/plugins/org.graylog.plugins.securityapp.asset/assets/history/... | Removed all endpoints. Contents of the underlying asset_history MongoDB collection were migrated to the Asset History index set and stream. |
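An added example (not part of Graylog's documentation): a pre-upgrade audit that scans API client scripts or role exports for the endpoint and permission names renamed or removed above. The sample input, the EXAMPLE path and permission suffixes, and the assumption that a renamed permission or collection name is data_warehouse followed by "_" or ":" are constructed for illustration.

```python
import re

# (pattern for the pre-7.0 name, replacement) pairs taken from the rename table.
# A replacement of None marks endpoints that were removed without a successor.
RENAMES = [
    (re.compile(r"/system/urlwhitelist\b"), "/system/urlallowlist"),
    (re.compile(r"\burlwhitelist:(read|write)\b"), r"urlallowlist:\1"),
    (re.compile(r"org\.graylog\.plugins\.datawarehouse/data_warehouse\b"),
     "org.graylog.plugins.datalake/data_lake"),
    # Assumption: permissions and collections look like data_warehouse_... or data_warehouse:...
    (re.compile(r"\bdata_warehouse(?=[_:])"), "data_lake"),
    (re.compile(r"org\.graylog\.plugins\.securityapp\.asset/assets/history\b"), None),
]


def audit(text):
    """Return (line_no, old_name, new_name_or_None) for each deprecated name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for pattern, replacement in RENAMES:
            for match in pattern.finditer(line):
                new = match.expand(replacement) if replacement else None
                findings.append((line_no, match.group(0), new))
    return findings


def rewrite(text):
    """Apply every rename; removed endpoints are left in place for manual review."""
    for pattern, replacement in RENAMES:
        if replacement is not None:
            text = pattern.sub(replacement, text)
    return text


# Constructed sample: lines from a hypothetical automation script and role export.
SAMPLE = """\
curl $GL/api/system/urlwhitelist
curl -X POST $GL/api/system/urlwhitelist/check -d @url.json
permissions: [urlwhitelist:read, data_warehouse_EXAMPLE:read, streams:read]
curl $GL/api/plugins/org.graylog.plugins.datawarehouse/data_warehouse/EXAMPLE
curl $GL/api/plugins/org.graylog.plugins.securityapp.asset/assets/history/EXAMPLE
curl $GL/api/system/urlallowlist
"""

if __name__ == "__main__":
    for line_no, old, new in audit(SAMPLE):
        print(f"line {line_no}: {old} -> {new or 'REMOVED, no replacement endpoint'}")
```

Findings with no replacement need a manual change, since the asset history data now lives in the Asset History index set and stream rather than behind a REST endpoint.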

Deprecation of Old Search Backends

Deprecation of Elasticsearch

Graylog introduced support for OpenSearch as its new search backend in 2022. To simplify OpenSearch management, the Graylog Data Node component was later developed. Data Node or self-managed OpenSearch deployments are now the preferred search backend options.

Starting with Graylog 7.0, the use of Elasticsearch as a search backend is deprecated. It will be removed entirely in Graylog 8.0. Users are encouraged to migrate to Data Node or OpenSearch.

Deprecation of OpenSearch 1.x

According to the official OpenSearch Maintenance Policy, OpenSearch 1.x reached its end of maintenance in May 2025. It will no longer receive fixes or features.

Starting with Graylog 7.0, the use of OpenSearch 1.x is deprecated and will be removed in Graylog 8.0. Users should use Graylog Data Node or a supported OpenSearch version.
