ELK stack 5.4 to 6.6 Upgrade

Hello!
I am looking to upgrade a single-node ELK stack cluster running version 5.4.0 to 6.6.0 on RHEL 7.6. I have read through the ELK documentation and have found that a "rolling upgrade" is the way to go.
I do have a few questions that I would like to confirm/clarify prior to moving forward with this procedure:

  1. Does the "rolling upgrade" procedure work for a single-node cluster?
  2. Is there a need to do any re-indexing prior to the upgrade/after the upgrade?
  3. Would it be possible to still have access to log data gathered prior to the upgrade and be able to query for them/use them in visualizations etc?
  4. I imagine that, during the upgrade, the service must go down while the packages are upgraded/restored. Would the data being shipped from other servers running filebeat get lost?
  5. Should I upgrade the filebeat nodes before the ELK stack to prevent data loss or is it the other way around?

I apologize if people have asked this before but I glanced through some of the existing upgrade discussions and haven't really seen something that would answer all my questions.

Any help or clarification on this would be greatly appreciated!
Bader.

As you have a single node, you are going to experience downtime. Beats will queue data until they can access Elasticsearch again, but you will also want to upgrade them.

You may want to upgrade to 5.5 or 5.6 first, so you can run the upgrade assistant in Kibana to help get to 6.X.

Thank you for this valuable information.
Would I still be able to access the old data after the upgrade?
Also, I use Search Guard for security. Would I need to upgrade it to 5.6 during the initial upgrade then again to 6.6?
[EDIT] Additionally, to upgrade from 5.4 to 5.5/5.6, am I to use this guide or is there something else that I should use?
[EDIT2]: I have double-checked the breaking changes for version 6 and have found that I would still be able to access old data when upgrading to 6:

Elasticsearch 6.0 can read indices created in version 5.0 or above. An Elasticsearch 6.0 node will not start in the presence of indices created in a version of Elasticsearch before 5.0.

As long as you run the Upgrade Assistant and deal with anything it reports, you will be able to access the data. Make sure you take a backup too.

We can't assist with Search Guard's impact, sorry; you will need to ask them.
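
A pre-upgrade check for the compatibility rule quoted above, as an added example that is not part of the original thread: it decodes `index.version.created` from a `GET /_settings` response and lists the indices created before 5.0, which would stop a 6.x node from starting. The sample response, the index names and the function names are constructed for illustration.

```python
import json

# Constructed sample of a `GET /_settings` response; index names are made up.
SAMPLE_SETTINGS = json.loads("""
{
  "filebeat-2019.02.10": {"settings": {"index": {"version": {"created": "5040099"}}}},
  ".kibana":             {"settings": {"index": {"version": {"created": "5040099"}}}},
  "archive-2016":        {"settings": {"index": {"version": {"created": "2040699"}}}},
  "restored-unknown":    {"settings": {"index": {}}}
}
""")

MIN_READABLE_MAJOR = 5  # per the quoted rule: 6.0 reads indices created in 5.0 or above


def decode_version(created):
    """Decode the numeric id: major*1000000 + minor*10000 + revision*100 + build."""
    n = int(created)
    return (n // 1000000, (n // 10000) % 100, (n // 100) % 100)


def check_indices(settings):
    """Sort indices into readable, blocking (created before 5.0) and unknown."""
    report = {"readable": [], "blocking": [], "unknown": []}
    for name in sorted(settings):
        index_cfg = settings[name].get("settings", {}).get("index", {})
        created = index_cfg.get("version", {}).get("created")
        if created is None or not str(created).isdigit():
            # No usable creation version: inspect by hand rather than assume it is safe.
            report["unknown"].append(name)
        elif decode_version(created)[0] >= MIN_READABLE_MAJOR:
            report["readable"].append(name)
        else:
            report["blocking"].append(name)
    return report


if __name__ == "__main__":
    result = check_indices(SAMPLE_SETTINGS)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    # A non-zero exit lets a wrapper script stop before the packages are upgraded.
    raise SystemExit(1 if result["blocking"] or result["unknown"] else 0)
```

To check a live node, replace the sample with the JSON body returned by `GET /_settings`.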

Not a problem!
Thank you for your feedback, appreciate it!

@warkolm sorry to re-open this but I do have a follow-up if that is okay.
I was reading through the Filebeat documentation and it also mentions that in order to upgrade from 5.x to 6.x you must be on 5.6.
My questions are:

  • When upgrading from beats 5.4 to 5.6, would the already-queued data be lost?
  • Can Filebeat 5.4 correctly forward logs to ELK v 5.6 AND 6.x or should I be upgrading Filebeat in the same procedure as the ELK stack (minor for ELK and Beats then major for ELK and Beats)?

Thank you!

No, it should handle that gracefully.

Check out Support Matrix | Elastic
