v.4x Is Calling Your Name with Jeff Darrington

Hello, and welcome to Graylog GO. Let’s jump into our next session.

Good evening or good afternoon, depending on your time zone. Welcome to the Graylog upgrade session. Let’s explore how you can upgrade to version 4.0 and what’s required to do so.

I’m Jeff Darrington, Senior Technical Marketing Manager here at Graylog, or as some might know me, “that guy from the Get a Demo page” on the Graylog.org site. Today, I’ll be discussing the upgrade path to Graylog 4.0, so let’s get started.

Graylog Upgrade Path

For those on version 3.3.x, the latest release is version 3.3.14. To move up, you must first upgrade to version 4.0 before proceeding to version 4.1 or 4.2. There’s no requirement to upgrade directly to 4.2; you can go step by step.

Ensure you have the latest version of Illuminate (version 1.7 for this release) before upgrading. We also have a new release coming out soon, which we’ll discuss later.

The minimum Elasticsearch version required before upgrading to Graylog 4.0 is 6.8, with support up to version 7.10. Note that going beyond version 7.10 (i.e., 7.11 or higher) will cause breaking changes in your Graylog instance or cluster.

For MongoDB, you need at least version 4.0. You can optionally upgrade to version 4.2, but Graylog does not require it.

Backup and Preparation

Before upgrading, it’s highly recommended that you back up your instances. Whether your organization uses snapshots, VMs, or other tools, ensure MongoDB is backed up independently. This will allow you to restore the database if needed.

Be sure to follow the Elasticsearch and MongoDB documentation for their respective upgrades. You must upgrade both Elasticsearch and MongoDB before upgrading Graylog to version 4.0.

Breaking Changes and Considerations

When upgrading, review the changes that might affect your environment. For example, in version 4.0, there are changes to LDAP and TLS authentication. If you’re using self-signed certificates, make sure they’re validated against the local keystore, or your authentication may break. It’s also important to have a local admin user who does not rely on LDAP authentication, so you can manage the system after the upgrade.

API changes may affect user configurations. These changes, along with deprecations and configurations, are documented. Ensure you review these details before upgrading.

Additionally, the SSO authentication plugin from previous versions will need to be removed, because its core functionality is now integrated into the server. Before upgrading to version 4.0, you must export any dashboards you’ve created and save them in a content pack. After upgrading, you can import these content packs back into Graylog 4.0.

LDAP Sync Changes from Version 3 to 4

In version 4.0, group sync functionality has moved to the “Teams” feature. This is how AD groups will now synchronize.

Quick Command Overview

Before upgrading, run a command to check which versions of Graylog, MongoDB, and Elasticsearch are currently running, and confirm they meet the requirements above. Additionally, you’ll want to edit the Graylog source list and update the version to 4.2 if that’s your target.
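The version preflight described here, as an added example that is not part of the session or Graylog’s own tooling: it encodes the thresholds from the talk (Elasticsearch 6.8 up to 7.10, MongoDB 4.0 or newer, Graylog on 3.3.x) and reports PASS/FAIL per component. The local ports, the `graylog-server` package name, and the `/etc/apt/sources.list.d/graylog.list` path are assumptions for a Debian/Ubuntu install.

```shell
#!/bin/sh
# Pre-upgrade version preflight for the 3.3.x -> 4.0 path described above.
# Added example, not Graylog's own tooling. Thresholds are the ones from the talk:
# Elasticsearch 6.8 <= v < 7.11 (7.11+ is breaking), MongoDB >= 4.0, Graylog on 3.3.x.
# Ports, package name and repository file path in preflight() are assumptions.

# Turn "7.10.2" (or "7.10", "4.0.0-rc1") into one comparable integer.
ver_to_int() {
  IFS=. read -r maj min pat <<EOF
$1
EOF
  maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Each check returns 0 when the version is acceptable for the 4.0 upgrade.
check_es() {
  v=$(ver_to_int "$1")
  if [ "$v" -ge "$(ver_to_int 6.8)" ] && [ "$v" -lt "$(ver_to_int 7.11)" ]; then
    return 0
  fi
  return 1
}
check_mongo() {
  if [ "$(ver_to_int "$1")" -ge "$(ver_to_int 4.0)" ]; then return 0; fi
  return 1
}
check_graylog() {
  v=$(ver_to_int "$1")
  if [ "$v" -ge "$(ver_to_int 3.3)" ] && [ "$v" -lt "$(ver_to_int 3.4)" ]; then
    return 0
  fi
  return 1
}

# Collect live versions on a Graylog node (assumed local defaults) and print
# one PASS/FAIL line per component. Nothing here performs an upgrade.
preflight() {
  es=$(curl -s http://localhost:9200/ | sed -n 's/.*"number" *: *"\([^"]*\)".*/\1/p')
  mongo=$(mongod --version 2>/dev/null | sed -n 's/^db version v//p')
  gl=$(dpkg-query -W -f='${Version}' graylog-server 2>/dev/null)
  check_es "${es:-0}"       && echo "PASS elasticsearch $es" || echo "FAIL elasticsearch ${es:-unknown}"
  check_mongo "${mongo:-0}" && echo "PASS mongodb $mongo"    || echo "FAIL mongodb ${mongo:-unknown}"
  check_graylog "${gl:-0}"  && echo "PASS graylog $gl"       || echo "FAIL graylog ${gl:-unknown}"
  # Assumed repository file to edit once all checks pass (4.0 first, then 4.1, then 4.2):
  echo "next: point /etc/apt/sources.list.d/graylog.list at the next target release, then apt update"
}

[ "${1:-}" = "--live" ] && preflight
```

Run it as `sh preflight.sh --live` on the node; without `--live` it only defines the functions.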

New Features in Graylog 4.2

After upgrading to version 4.2, some of the new features include:

  • Illuminate Installer: The new installer allows for a UI-based installation of Illuminate files in a bundle. This saves time, as it eliminates the need to manually copy files across servers. Now, you can drag and drop the Illuminate bundle directly into the UI.
  • Google Cloud Workspace and Gmail Inputs: Graylog now supports inputs for Google Cloud, Google Workspace, and Gmail logs. These inputs allow you to configure and manage log data from these platforms individually.
  • Indexing and Messaging Failure Stream: A new enhancement provides a dedicated stream for monitoring indexing and message failures. This feature also allows you to set alerts for failure events.
  • OIDC Authentication: OpenID Connect (OIDC) authentication has been added, with support for providers like Auth0, Azure AD, Google, Keycloak, Ping Identity, and OneLogin. Custom Okta On-Prem authorization links are also supported.
  • Watchlist Actions: You can now create watchlists based on IP addresses, hostnames, or hash values using MongoDB to track potential threats in your network.

Illuminate 2.0 Installation

The installation process for Illuminate 2.0 has been simplified with a drag-and-drop UI. Before upgrading to Illuminate 2.0, ensure you’re running version 1.7. Illuminate 2.0 is only compatible with Graylog version 4.2 and higher.

In the system configuration, you’ll need to reorder the message processors to ensure the new Illuminate installation takes precedence over version 1.7.

In Enterprise > Illuminate, you’ll find the option for bundled uploads. Simply drag and drop the bundle file, and the system will extract the necessary content packs.

Once the new version of Illuminate is installed, you can remove the older content packs that are no longer being used.