How to upgrade from an older Elasticsearch 1.X ELK stack to a recent 6.X one

We have an on-premise ELK stack. We are using ES 1.5, Logstash 5.3 to pull data from Kafka, and Kibana 3 for dashboards. We use the ELK stack to store and search all our application logs. Nothing more.

We want to move to the managed Elasticsearch service on AWS with a 6.X version.

We do not care about migrating our existing indices: we use a daily index to store all of our logs and we only support a week of retention. Our plan was to run the 2 instances in parallel (AWS + on prem) until we reach the 7 days on AWS, then drop the on-prem one.

We've done some preliminary testing, spawning a Logstash 5 instance (the exact same image as we use on prem) that sends logs to a test AWS instance running ES 6. We don't see errors in the Logstash logs and we see the data we are expecting in ES.

When we run the migration plugin it pretty much only complains about "Dots in field names lead to ambiguous field resolution" in some fields.

When we import our mapping from ES 1.5 to ES 6.4, after converting to the new, more limited set of data types, it works out of the box.

That was the back story, now the actual questions:

  • How can we import our Kibana dashboards (we have 100+) from our Kibana 3 to Kibana 6?
  • Since we are in an exploratory phase we have only tested the things listed above; what other things should we try that could lead to bad surprises?

Any help or feedback on how to achieve this jump will be greatly appreciated.

Cheers
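The two mapping issues raised in the post (the migration plugin's dotted-field warning and the conversion of the old 1.x data types) can be checked mechanically before touching the cluster. The script below is an added example, not code from the thread or from Elastic; it assumes a Python dict of the shape returned by `GET /<index>/_mapping` in ES 1.x, and the `SAMPLE_1X_PROPERTIES` block is a constructed mapping, not the poster's real one. It converts `string` fields to the 5.x+ `text`/`keyword` types, turns the old `"index": "no"` into the boolean form, lists every dotted field name, and flags the really dangerous case: a dotted name such as `host.name` sitting next to a scalar field `host`, which 6.x would try to interpret as the object `host` with subfield `name`.

```python
"""Lint and convert an Elasticsearch 1.x mapping for a 6.x cluster.

Added example (not from the thread). Assumes the "properties" dict of an
ES 1.x mapping; SAMPLE_1X_PROPERTIES below is constructed for illustration.
"""
import copy

# Constructed sample of a 1.x application-log mapping (not the poster's mapping).
SAMPLE_1X_PROPERTIES = {
    "@timestamp": {"type": "date", "format": "dateOptionalTime"},
    "message": {"type": "string"},
    "host.name": {"type": "string", "index": "not_analyzed"},
    "host": {"type": "string", "index": "not_analyzed"},
    "level": {"type": "string", "index": "not_analyzed"},
    "kafka": {
        "properties": {
            "topic": {"type": "string", "index": "not_analyzed"},
            "partition": {"type": "integer"},
        }
    },
    "internal.id": {"type": "string", "index": "no"},
}


def convert_field(defn):
    """Translate one 1.x field definition to its 6.x equivalent (input untouched)."""
    out = copy.deepcopy(defn)
    if "properties" in out:  # object field: recurse, nothing else to change here
        out["properties"] = convert_properties(out["properties"])
        return out
    idx = out.pop("index", None)  # 1.x: "analyzed" | "not_analyzed" | "no"
    if out.get("type") == "string":
        # 5.x split "string" into "keyword" (exact match) and "text" (analyzed).
        out["type"] = "keyword" if idx in ("not_analyzed", "no") else "text"
    if idx == "no":
        # The 1.x string values for "index" became a boolean in 5.x.
        out["index"] = False
    return out


def convert_properties(props):
    """Convert a whole "properties" block."""
    return {name: convert_field(d) for name, d in props.items()}


def dotted_field_names(props, prefix=""):
    """Return the full path of every field whose own name contains a dot."""
    found = []
    for name, defn in props.items():
        path = prefix + name
        if "." in name:
            found.append(path)
        if "properties" in defn:
            found.extend(dotted_field_names(defn["properties"], path + "."))
    return found


def dot_conflicts(props, prefix=""):
    """Find dotted names whose first segment is also a scalar field at the same level.

    6.x reads "host.name" as object "host" -> subfield "name", which clashes
    with a scalar field named "host" in the same mapping level.
    """
    leaves = {n for n, d in props.items() if "properties" not in d and "." not in n}
    conflicts = []
    for name, defn in props.items():
        head = name.split(".", 1)[0]
        if "." in name and head in leaves:
            conflicts.append((prefix + name, prefix + head))
        if "properties" in defn:
            conflicts.extend(dot_conflicts(defn["properties"], prefix + name + "."))
    return conflicts


if __name__ == "__main__":
    print("dotted fields:", dotted_field_names(SAMPLE_1X_PROPERTIES))
    print("conflicts:", dot_conflicts(SAMPLE_1X_PROPERTIES))
    print("6.x properties:", convert_properties(SAMPLE_1X_PROPERTIES))
```

The script only reports dotted names; renaming them in the mapping also means renaming them in the documents, which on the Logstash side is what the `de_dot` filter plugin is for. Anything `dot_conflicts` returns must be resolved before the template is loaded, because documents carrying both shapes will be rejected at index time rather than silently merged.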

You can't. You need to rebuild all visualizations and dashboards.

Can I connect a Kibana 3 instance to an Elasticsearch 6 installation?

No, Kibana 3 is only compatible with Elasticsearch 1.x.

Knowing what you guys know, what should I do in order to move our ELK stack to the managed AWS service with the least work possible?

Move to AWS ES 1.5? Something else?

You should be able to upgrade to Elasticsearch 1.7 if I recall correctly. I have no idea if this version is offered as hosted, as it is very old and reached end-of-life a long time ago.

They offer:

  • 1.5
  • 2.3
  • multiple 5 versions
  • multiple 6 versions

So just to make sure, and to help all the others that will have to walk this trail: if I don't want to redo all my Kibana dashboards, my only solution is to stick to 1.X?

Yes.

Understood. So if we leave the dashboards out of the equation, are there other surprises I should expect along the way if I want to go to ES 6.X?

Can I expect my Logstash 5 config to work out of the box?

Any other things that jump to your mind?

Do you mean that you were using a Logstash version 5 with Elasticsearch 1.x?
Anyway, you are starting from such an old version that I'd not expect anything but would rather test everything. For example, if you were providing a mapping in your Logstash configuration, that probably won't work out of the box.

Then what were you using Logstash for? Maybe you can just switch to Beats and the Elasticsearch node ingest feature?

BTW, did you look at Elastic Cloud: Hosted Elasticsearch, Hosted Search | Elastic and AWS Marketplace: Elastic Cloud (Elasticsearch Service)?

Cloud by Elastic is one way to have access to all features, all managed by us. Think about what is already there, like Security, Monitoring, Reporting, SQL, Canvas, Logs UI, Infra UI, APM, and what is coming next :slight_smile: ...

Yes, that is what we do.

Then what were you using Logstash for? Maybe you can just switch to Beats and the Elasticsearch node ingest feature?

Using the kafka input from logstash:5.3.2 to send logs to ES 1.5:

input {
  # first topic, consumed as JSON events
  kafka {
    bootstrap_servers => ["__KAFKA_INSTANCE__"]
    codec => "json"
    topics => ["tag1"]
    group_id => "__KAFKA_GROUP_ID__"
  }
  # second topic; events get an extra tag to tell them apart downstream
  kafka {
    bootstrap_servers => ["__KAFKA_INSTANCE__"]
    codec => "json"
    topics => ["logs"]
    tags => ["tag2"]
    group_id => "__KAFKA_GROUP_ID__"
  }
}

The output to Kafka is well defined in our stack; since I want to make as few changes as possible, I don't think moving away from it would be a good call.

Would using Elastic Cloud change anything about the pain we will have to go through if we want to use a 6.X version of ES?

Not really, but at least you won't have to manage a lot of pieces like the Elasticsearch installation, backups and your next rolling upgrades, Kibana instances, APM if you want to use that, ML if you want to use that... and many other things that Elasticsearch Service is adding.

All right, so we'll look into our options and figure out which path we'll take.

Seems like it won't be a simple journey :frowning:

No. It might not be super easy to move from a super old version (April 2015) to a recent one (January 2019). So many things happened in the meantime.

But it depends on your data, mapping, queries, etc... It might not be that hard.

Thanks to @dadoonet and @Christian_Dahlqvist for their responses. Really nice to have questions answered in such a timely fashion. Even if it's not the answer I was hoping for :slight_smile: it's greatly appreciated.
