Upgrade Graylog on SUSE

This guide describes the recommended way to upgrade Graylog on SUSE Linux Enterprise Server 12 and 15.

Warning: This guide does not cover security settings! The server administrator must make sure the Graylog server is not publicly exposed and is following security best practices.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

Warning: The following tasks must be completed before upgrading Graylog and/or Data Node. Otherwise, problems may occur. Once the prerequisites are satisfied, you may proceed with the upgrade process.

Software Verification

To verify your current version of Graylog or any of its dependencies before upgrading, use the following commands:

Graylog

sudo zypper search -i | grep graylog

Data Node

sudo zypper search -i | grep graylog-datanode

MongoDB

sudo zypper search -i | grep mongod

Upgrade with Self-Managed OpenSearch

This guide comprehensively describes the upgrade process for Graylog environments using Graylog Data Node as the search backend. If you have deployed Graylog with self-managed OpenSearch, then you will only need to follow the process described in subsequent sections to upgrade the Graylog service. If you wish to upgrade OpenSearch to a Graylog-supported version, you must do so before you upgrade Graylog. See the OpenSearch documentation for more information on upgrading OpenSearch.

To verify your current version of OpenSearch before upgrading, run the following command:

sudo zypper search -i | grep opensearch

Rolling Upgrade Process

This section describes the process for upgrading Graylog and Data Node as a rolling upgrade. For more information on this upgrade method, see Upgrading Graylog. Note that you must first complete a full upgrade of your Graylog server(s) before upgrading your Data Node server(s) as detailed below.

Warning: This guide assumes you are upgrading between backward-compatible versions of Graylog — i.e. not skipping any major versions. If you are planning to upgrade across multiple major versions, stop now and review the appropriate steps for performing an incremental upgrade.

Upgrade Graylog

To complete a rolling upgrade of your Graylog server(s), follow these steps:

Hint: This guide assumes you are upgrading to the latest version of Graylog, version 6.2.

  1. Begin on your Graylog node and stop the service. (If this is a multi-node cluster, begin on a follower node in your Graylog cluster.)

    sudo systemctl stop graylog-server.service
  2. Monitor the status of the Graylog service to verify it has stopped:

    ps -aefww | grep graylog
  3. Once the service has stopped, update the local package cache:

    sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-6.2-repository_latest.rpm
    sudo zypper update

    Hint: To display all available versions of Graylog:

  4. If you have a lock on the Graylog package, you may then be prompted to remove it before allowing the upgrade to execute:

    sudo zypper removelock graylog-server
  5. Upgrade the Graylog package:

  6. To verify that the updated Graylog packages have been installed:

    zypper se --installed-only graylog
  7. If the version notes for your target version indicate configuration changes are necessary, then make these changes in the server.conf file. To open the file:

    sudo nano /etc/graylog/server/server.conf
  8. Start the Graylog service:

    sudo systemctl start graylog-server.service

For multi-node clusters, repeat all the previous steps for the follower nodes, upgrading them one at a time. Once all followers are upgraded and verified healthy, perform the upgrade on the leader node. To minimize risk, you may optionally perform a leader election on a follower node before starting on the current leader: in that follower's server.conf file, change the is_leader = false configuration property to true.

Upgrade Data Node

Graylog Data Node must be on the same version as your Graylog service. For example, if you have upgraded Graylog to 6.2, then you must upgrade Data Node to the 6.2 release, as well.

Rolling upgrades are only applicable to Data Node clusters of three or more nodes. If you have fewer than three Data Nodes, you must perform a non-rolling restart upgrade. See the following section for details.

To complete a rolling upgrade of your Data Node server(s), follow these steps:

Hint: This guide assumes you are upgrading to the latest version of Graylog Data Node, version 6.2.

  1. Begin the upgrade by accessing any Data Node server in your cluster directly and stopping the Data Node service.

    sudo systemctl stop graylog-datanode
  2. Monitor the status of the Data Node service to verify it has stopped:

    ps -aefww | grep graylog-datanode
  3. Once the service has stopped, update the local package cache:

    sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-6.2-repository_latest.rpm
    sudo zypper update

    Hint: To display all available versions of Data Node:
    sudo zypper search -s graylog-datanode

  4. If you have a lock on the Graylog Data Node package, you may then be prompted to remove it before allowing the upgrade to execute:

    sudo zypper removelock graylog-datanode
  5. Upgrade the Data Node package:

    sudo zypper install graylog-datanode-6.2
  6. To verify that the updated Data Node packages have been installed:

    zypper se --installed-only graylog
  7. If the version notes for your target version indicate configuration changes are necessary for Data Node, then make these changes in the datanode.conf file. To open the file:

    sudo nano /etc/graylog/datanode/datanode.conf
  8. Start the Data Node service:

    sudo systemctl start graylog-datanode

For multi-node clusters, repeat all the previous steps for the remaining nodes, upgrading them one at a time.
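
The following check is an added example, not part of the Graylog documentation. It reads the table printed by sudo zypper search -s -i graylog on a Graylog host and on a Data Node host, confirms that graylog-server and graylog-datanode are on the same release, and reports whether a rolling upgrade applies for a given number of Data Nodes. The sample tables and version numbers are constructed, the function names are hypothetical, and "same version" is assumed to mean the same major.minor release, as in the 6.2 example in this section.

```bash
#!/bin/bash
# Added example. Sample tables are constructed, not captured from a real host.
# Layout is that of: sudo zypper search -s -i graylog
SAMPLE_SERVER='S  | Name           | Type    | Version | Arch   | Repository
---+----------------+---------+---------+--------+-----------
i+ | graylog-server | package | 6.2.4-1 | noarch | graylog'
SAMPLE_DATANODE='S  | Name             | Type    | Version | Arch   | Repository
---+------------------+---------+---------+--------+-----------
i+ | graylog-datanode | package | 6.1.9-1 | noarch | graylog'

# Print the installed version of package $1 from a zypper table on stdin.
# Exit status 1 when the package is not listed as installed.
pkg_version() {
  awk -F'|' -v pkg="$1" '
    { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
    $1 ~ /^i/ && $2 == pkg { print $4; found = 1; exit }
    END { exit !found }'
}

# Reduce a package version such as 6.2.4-1 to its release, 6.2 (assumption:
# "same version" on this page means the same major.minor release).
release_of() { printf '%s\n' "$1" | cut -d. -f1,2; }

same_release() { [ "$(release_of "$1")" = "$(release_of "$2")" ]; }

# Rolling upgrades apply only to Data Node clusters of three or more nodes.
upgrade_method() {
  case "$1" in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
  if [ "$1" -ge 3 ]; then echo "rolling"; else echo "non-rolling"; fi
}

# $1 = table from a Graylog host, $2 = table from a Data Node host.
check_cluster() {
  _srv=$(printf '%s\n' "$1" | pkg_version graylog-server) ||
    { echo "graylog-server not installed"; return 1; }
  _dn=$(printf '%s\n' "$2" | pkg_version graylog-datanode) ||
    { echo "graylog-datanode not installed"; return 1; }
  if same_release "$_srv" "$_dn"; then
    echo "OK: Graylog and Data Node are both on $(release_of "$_srv")"
  else
    echo "MISMATCH: graylog-server $_srv, graylog-datanode $_dn"
    return 1
  fi
}

# Demo on the constructed samples: Data Node has not been upgraded yet.
check_cluster "$SAMPLE_SERVER" "$SAMPLE_DATANODE" || true
echo "3 Data Nodes: $(upgrade_method 3); 2 Data Nodes: $(upgrade_method 2)"
```

On the constructed samples the check reports a mismatch, which is the expected intermediate state after the Graylog servers are upgraded and before the Data Nodes are.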

Non-Rolling Restart Upgrade Process

Essentially, a non-rolling restart upgrade follows the same steps as detailed in the previous sections, EXCEPT that you must shut down all the nodes in your cluster and stop all the services you will upgrade, first Graylog and then Data Node. This will result in complete downtime of the Graylog system during the upgrade window, during which time Graylog will not be able to receive or process logs. Be sure to plan accordingly so that you do not lose data during the upgrade process if you choose this upgrade method. See Upgrade Graylog for more information on which upgrade method works best for your environment.