Hi mates,
Now I am running old Security Onion 16 (ElasticStack v6.7) and want to upgrade to S.O2.3 but I see the incident response process is much more complicated so I decide to build a new ES + Kibana v7.10, then the new Kibana will connect to both S.O16 Elasticseach v6.7 and Elasticsearch v7.10 for visualizing.
But I have some concerns:
Is it possible to connect with 2 Elastisearch which have different version?
Can I export and import dashboards from old Kibana6.7 to Kibanav7.10 and use normally? If they can import but not like normal, have we to configure anything else?
Is it possible to connect with 2 Elastisearch which have different version?
You can't directly connect Kibana with a different version to Elasticsearch (major and minor version have to match, see here: Support Matrix | Elastic ). However you should be able to use cross-cluster search as it supports 7.x -> 6.x searches. In your case, you could run Kibana with the 7.10 Elasticsearch cluster connected and query the 6.7 cluster via cross cluster search.
I'm not sure whether Security Onion uses any Kibana side plugins - those probably wouldn't be compatible in such a configuration.
Can I export and import dashboards from old Kibana6.7 to Kibanav7.10 and use normally? If they can import but not like normal, have we to configure anything else?
Yes, this is possible - they will get migrated on the fly during the import. However if the index pattern changes (as it would for using cross cluster search), you have to modify the index pattern slightly to accommodate for that before importing.
Sorry for asking again
After reading the document, I understand that I need 1 more middle elasticsearch version 7.0 to remote query on my S.O elasticsearch 6.7, then on my ElasticStack 7.10, my elasticsearch will query to the middle elasticsearch 7.0? Am I right? Do we have any easier solutions?
**version** : Remote nodes must be compatible with the cluster they are registered to, similar to the rules for [ *Rolling upgrades* ](https://www.elastic.co/guide/en/elasticsearch/reference/current/rolling-upgrades.html):
* Any node can communicate with another node on the same major version. For example, 7.0 can talk to any 7.x node.
* Only nodes on the last minor version of a certain major version can communicate with nodes on the following major version. In the 6.x series, 6.8 can communicate with any 7.x node, while 6.7 can only communicate with 7.0.
* Version compatibility is symmetric, meaning that if 6.7 can communicate with 7.0, 7.0 can also communicate with 6.7. The following table depicts version compatibility between local and remote nodes.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.