How to Upgrade Graylog V3 to V4.2


What component steps do we need to look at? So, let’s first look at a few things. The Graylog update path from version 3.3.X in the current release of the 3.3 stream is version 3.3.14. And to then move up, you have to go to version 4.0 First, and then you can go up to either 4.1 or 4.2. You’re not required to make that double hop to 4.2 from 4.0, you can go up to version 4.2.

Before You Upgrade

Next, you should ensure that you have the latest version of Illuminate installed  and version 1.7 for this release. Now we do have a new release coming out and we’ll go through that here in the presentation.

Your Elasticsearch minimum release that you do need running before you upgrade Graylog to version 4.0 should be at least version 6.8. You can go up to version 7.10. However, a note, you cannot go up to 7.11 and higher. You will have breaking changes and have problems in your Graylog cluster or your Graylog instance if you go higher than version 7.10.X.

Also, your MongoDB requirement is version 4.0 and the upgrade path to do that, or if you’re on MongoDB version 4.3.X, you do need to go to 4.0, and you can go up to 4.2, it’s optional, you’re not required to do this for the Graylog instance.

Backup and Preparation

Before upgrading, it is recommended that you do backup your instances. If you do have a backup strategy in your organization, whomever that might be, with snapshots or VMs or utilizing tools in the industry. Also, you do want to back up your MongoDB independently. You do want to have that ability to take that Mongo database and back it up and if you have to go backwards, you can, by restoring it. You’ll also want to follow the Elasticsearch and MongoDB Docs for those independent upgrades of those individual items. Also, software notes here we’ll need to talk, when planning to go to version 4.0 Graylog, you do have to upgrade Elasticsearch and MongoDB first as noted in the prior slides regarding the versioning that we were referencing.

Breaking Changes

You’ll also need to review and understand the Graylog changes in the software that could potentially break things that you’ve got set up in your current environment.

So, for software changes, one of the first things you need to look at is the LDAP, TLS authentication changes and Graylog version of 4.0. So if you’re on a prior release and you go to version 4.0, and when allowing self-signed certs that are being used, and that checkbox is unchecked, they’re validated against the local key stores. So this could break your current authentication after the upgrade. Take note of the config, and I’d suggest making sure that you do have a local admin user that is not utilizing LDAP authentication so that you can make sure that you could administer this properly.

Also, we do have endpoint changes such as user modifications through the APIs that are used to configure users or modify users, and they are listed in the docs. So I’ll bring them up really quickly. There’s a good section here on APIs. And when upgrading, it does go through multiple deprecations and configurations. So if you scroll to the very top here I’ll show you. The upgrading to 4.0 path does cover all the breaking changes and the warnings and changes to Elastic support and all the configuration. There are individual links for the versions of MongoDB and Elasticsearch upgrades here. So I highly recommend that you follow through those upgrade steps.

And next, the SSO Authentication Plugin that was in prior to version 4.0 will have to be removed. The core feature of the old SSO plugin or the trusted HTTP header authentication got integrated into the server. The old SSO plugin must be removed from the plugins folder starting in version 4.0 server. Also, you will have to make sure that when you’ve had version 2.0 and you’ve created dashboards, and then you might have upgraded to version 3.0 along the way, when you plan to upgrade to version 4.0, you will want to export your dashboards through a content pack and ensure that those configurations are kept. And when you upgrade to version 4.0, you will want to load up those content packs directly into version 4.0.

Let’s preview a quick look at LDAP SYNC in differences between version 3.0 and version 4.0. So I’m going to bring that up here really quickly. First, you’ll see this page is a version 3.0 system with LDAP settings in the configuration. There’s pretty typical things here set-up in the configuration. And when you move over to the version 4.0 and higher for LDAP authentication, there is this same similar configuration. However, there is a change. The change is group sync has been moved to the teams feature. This Team’s feature is what’s used to synchronize to your AD groups.

After Your Due Diligence/ Getting Started

So once you’ve configured this in your AD groups, and you have your teams created that will synchronize to them, that’s how your users will move forward. Next, let’s have a quick look at the API changes. The API changes listed in the documentations we went through. Here’s the link. And as well, let’s look at the things we need to look at, maybe quickly, when you’re planning an upgrade in your Graylog instance.

First, you want to look at what’s running, here’s a good command to grab the different versions of the applications required when you’re running Graylog. So you’ve got Graylog, MongoDB and Elastic. Also, this is the directory structure where you’re going to want to get your APT sources list from Graylog and we will go through this, so let’s take a quick look and we’re going to jump into an upgrade. Okay, I’m just going to get the commands here pasted into the window so you can see them. So that we can check what versions of Graylog and see the MongoDB and Elastic and it will show what’s installed here. I’m highlighting really quickly, and you’ll see the list of the three major applications that we have running here, running 4.1 for Graylog, and you’ll see MongoDBM running version 4.0. and above that, you’ll see the Elasticsearch version 7.10.


So what we’re going to do next is we’re going to edit the sources list. And when we go in and look at the Graylog.list file, the Graylog.list file will contain the actual versioning we’re going to use to do the upgrade. So if we just nano this file really quickly, you’ll see. So I log in here, here’s the file, and we’ll notice you want to upgrade to 4.2. So I’m going to go here and just edit and take it one put it at two and save it. And I’m going to exit. And now what we’ll do is we’re going to just do the standard sudo apt to get the actual update. And you’ll see here in just a second when I’m done typing it, where it’s grabbing the InRelease, you’ll see it there. And right in the middle, you’ll see the repo for 4.2. So we changed that and found it and it’s downloading it and while it’s downloading, lets just talk about the upgrade in general. This 4.2 upgrade we’re going to be covering off, some of the features a little bit later in this demonstration just so you can see what’s new in 4.2. And it’s going to continue with this, and yes.

Downloading and New Illuminate 

So this will download, will take a little bit just to grab. What we’ll do is highlight a couple other things here in the new release of 4.2. I’m covering here just a quick install and doing some installing of the software here, but I’m also going to cover off, a little bit later, our new installer for Illuminate. You’ll see the slides up with the new screenshots here in the demo, but the new installer takes away the manual process of copying all of the Illuminate files to the individual server’s nodes directly. And what it will do is allow you to get a new bundle. So if you’re on Illuminate 1.7 in the current release that you’re on, and say 4.0, and you’re going to go up. Then what it will do is allow you to drag and drop a bundled file, a zipped file, which is all the contents of Illuminate. And you’ll be able to drop them in the new UI. And basically, it will bring them in and extract them and send the files to your notes. So here, see, we’re unpacking the version 4.2 and the Graylog server. So back to what we’re talking about with the Illuminate, it allows you to give a one location when your files are being transmitted and sent to all your servers. You don’t have to do it manually, so it saves a lot of time, a lot of effort in managing all the content. And in this section in the server.conf, I want to keep my existing configuration here, I don’t want to eliminate it. So I’m just going to keep the default, which is no. So I’ll do that and let it run on here, and yeah.

Done with the Upgrade 

So next, we’re going to see here once you’ve done the upgrade, you’ll notice in our web window below the terminal window, the web UI is still showing at the very bottom that we’re running Graylog version 4.1.6, and we will run this. I’m just going to speed up the install here really quick…And you’ll see, this will execute. And just a moment here, you’ll see, it’s going to set up the Graylog integrations, enterprise plugins, and the integrations enterprise plugins. And it’s loading that up now. For those of you that have done many upgrades in Graylog, it’s pretty standard. This one here is a single installation or single server installation, so it’s a lot easier, obviously. With clustered configurations, upgrades take a little bit longer as you do have to fill over your servers and configure them. So now we’re here, we’ve upgraded successfully, and I’m just going to execute that command we talked about earlier, and I’m just going to flip back through my history here. Remember looking at the versions with the grab that we used so we can do that. And you’ll see now that we have the early enterprise plugins and the installation is version 4.2.

Back to the Management

So what we’ll do now is we’re going to go back to the management, showing still 4.1.6. And when we refresh this page, you’ll notice that it will come back with 4.1.6. So what we need to do is go back in a terminal and we need to restart the Graylog service for this particular node. So we’re going to do this really quickly. This takes just a minute to do, and you’ll see in the background that this is occurring. And we will get that going and restart. Okay, so we are doing a restart and just going to curl the local host on port 9000 to see if it’s up, you’ll see that it’s down. So it’s still restarting and I’m just going to wait here for a quick second and just do a quick check again with the curl, the local host. And you’ll see in the background that the web is coming up and you’ll see Elastic’s up and we’ll check the 9000 again, which is the Graylog instance and it’s up.

Refresh to Finish 

So we will go and look in behind and notice the release still shows 4.1.6, so we want to do a refresh on the screen here. And once we reload, you’re going to see in the bottom again, that the banner is coming out now that we’re on release 4.2.

New Features

Now that you’ve done that upgrade, there are some new features if you went up to a version 4.2 of Graylog. And first, the new feature I like to tell you about is the new Illuminate Installer. There’s now a UI install for the Illuminate files in a bundle. That saves time and allows you to push the files out to all the nodes requiring the files in the cluster. And there’s no more copying the files manually to all the nodes individually. This allows you to do this right from the GUI in a drag drop. Also in 4.2, you’ve asked for it and we have it now, the:

Google Cloud, Workspace and Gmail Logs

Google cloud workspace and Gmail inputs, you can now get all of your Google Cloud and Google Workspace and Google email logs into Graylog. These are separate inputs allowing to configure these specific types individually.

Message Failures Stream

Next, we have a new enhancement to show your indexing and messaging failures in a dedicated stream. You can also set up configuration of how you want to use these messages processed and view the stream. This also gives you the ability to be alerted when our messages are failing to index into your current information.

New Authentication and Security Options

We’ve also added OIDC or Open ID Connect authentication for new authentication options in the Graylog. We’ve completed and the testing is listed for Auth0, Azure AD, Google, eCLOAK, Ping Identity, and OneLogin.

We now have custom Okta On-Prem authorized server links as well. So if you’re using that, you can now utilize the On-Prem ability and configuration. We also have included a new security feature to create a watchlist actions based on such things as IP addresses, host names or hash values. And allows you to create those in a MongoDB to hunt those questionable zombies in your network. In utilizing the Graylog Schema, a new feature for message summary options enables you to create a template of message categories, to create a view of your messages in a very concise, easy to read structure saving you time watching for information in your logs. This allows you to group your different types of logs by severity or category. And it gives you a very quick way to read your logs.

About Illuminate 2.0

Now that we’ve gone through an install of version 3.0 and upgrade to 4.X or whatever you’ve chosen, whether it’s 4.1 or 4.2, I’d like to show you how Illuminate version 2.0 is installed in a new release of Graylog version 4.2. First, you now have a drag and drop for the installation of the files. So it makes it a lot easier rather than copying all the files up manually to each of the nodes. You must have already upgraded to version 1.7 Illuminate prior to going to this release. So if you’re on an older release of Illuminate, install first the upgrade to 1.7 on your release prior to version 4.2. Your Illuminate version 2.0 is only compatible with version 4.2 and higher. It can’t be brought backwards in older releases. And your Graylog cluster must have an enterprise license. First thing you need to do is reorder or Illuminate processor. So in system configuration, edit your message processor configuration. And as you see on the screen here, you should have Illuminate processor followed by the GeoIP Resolver, then your pipeline processor followed by the message filter chain. Having done this will make carrier new Illuminate installs smooth to install and will allow the Illuminate content to take precedence over the version 1.7 release.

Installing Illuminate 2.0 

Let’s go through a quick install of the Graylog Illuminate. So bring up our instance, the first thing we talked about was under system configuration. You’ll see here, I have already reordered it. So if you wanted to reorder it, you just hit update. And then here, you’ll grab which item you want moved to where. In this case, mine was set already and I actually configured that. So we don’t have to do that.

The next thing we’re going to do is we’re going to go into content packs. And just to make it easier, we’re going to see what content packs we have for Illuminate. And you can see here, we’ve got Core, O365, Okta Palo Alto, Windows spotlights. We have Sysmon spotlight and Events spotlight, Linux Auditbeat spotlight. The Events spotlight is there to allow you to go in and customize some of your events. So before you do upgrade to version 2.0 Illuminate, you do want to make sure that you go in and check your events. If you’re going to upload the newest pack, you want to make sure that you have available to you the actual settings you put in your events for Illuminate in this particular area. So you want to double check those and have a look at them and have them ready, maybe even export them. So if you have a copy of them, but you will want to go through and note the changes that you’ve made in those event notifications.

Okay. So next, what we’ll do, to do the upgrade, you go into Enterprise and you go into Illuminate, which is a brand new menu, and here you’ll see an option for bundled upload. So I have a bundled upload file, and I’m just going to bring that up really quick. It is located here. This is what the name of the file is at the current time that I’ve got this particular document and what you do is you go and you drag it into the upload. Once it’s been completed and uploaded, it will then bring you to a new screen and extract what it actually finds in all of these files that are bundled in here.

So now it sees which content packs you have inside this. So if we roll down through here, it’s going to highlight some of the things that are happening now in the new version of Illuminate with 4.2, we’ve got some GM Enforcement, which is a change to some GL2 fields. Geolocation, Palo Alto version 9.1, Windows security, Sysmon, Linux Auditbeat, O365, Okta. We also have Microsoft Defender. Event Testing, which is something I’m working on just as a separate test event, as well as Symantec. We have Fortinet Fortigate parsing, Carbon Black, Cisco Meraki, and Cisco ASA.

So what I’m going to do is I am going to select all, and on the right hand side, you’ll see that they’re all selected, I’m going to enable selected. It’s going to tell you what it’s doing, whether you want to confirm and move ahead, and yes, I will. So this is now installing and the bundle is now installed. So now if we go to system and we go to content packs, you are going to see still that we have the old content packs that are installed. However, these are not being used now, they have been reordered and we are now using the new release of Illuminate. So now what you can do, which I won’t do at this current time, but you can go through each one of these spotlights, the 1.7, and you can go in highlight each one of these and you can uninstall them from Graylog. So you’re not required to uninstall them prior to loading the new version of Illuminate. The changes that we made earlier in the configuration allow for this Illuminate to be doing this on your behalf. So now you can go back in and remove these older Illuminate packs.

The End

So that covers off the installation and the drag and drop for new version of Illuminate. Hopefully this covers a good wrap-up of what we can do for an upgrade for you if you want to move into an enterprise or the new versions that are available. Thank you for joining us today and thanks for watching. Happy logging with Graylog. Have a great day.