Update of ELK stack

I am using the below versions of ELK:
Elasticsearch 1.5
Logstash 1.5.3
Kibana 4.0.0
filebeat 1.2.1

I am planning to upgrade the ELK and FB versions. Please suggest which one I should go for now?
What new features can I get in the latest one? Though I am going through the breaking changes documentation, a quick expert comment would help.



Hi Sunil,

Here's the upgrade path I chose a few months ago from about the same version you are running now. My use case is log shipping and analysis.

I use puppet as a configuration management system and I had the luxury of getting new hardware for the new setup which meant that I did not need to deal with backing up Elasticsearch indices and restoring them to the new setup.

I am also running three clusters (testing, staging and production) which gives me a bit of tolerance when trying new features...

The new versioning makes life much easier so I would just choose the latest stable release (which should be 5.5.2 at the moment) for all of the Elastic products. I pushed 5.5.2 to testing yesterday and will upgrade staging today. With a configuration management system the minor version upgrades are quite easy.

Configuration changes I had to make for the upgrade from pre-version 5:

  • Logstash GROK filters needed rewriting
  • Elasticsearch will need to bind to an IP other than localhost to cluster
  • I had not noticed that I was running an old JAVA version so had to update that ("We recommend installing Java version 1.8.0_131 or later")

As far as I remember those were the major things, in addition to anything that is mentioned in the breaking changes documentation.

I made sure to use the same input settings in Logstash so I could point DNS at the new setup when everything was ready. Then I worked through anything that was still coming in to the old setup, one by one, to restart services that had cached the old DNS data.

I was not really looking for any specific new features so can't comment on that :slight_smile:


Thank you for the precise reply.
However, could you please elaborate on this?

Does that mean there are some different syntaxes?
Can't I just copy the same old configuration to the new installation?



Can't remember exactly anymore... Something changed with multiline and maybe some other plugins like GeoIP as well. It was just a matter of testing the config against the new Logstash.

There also seems to be a new Grok debugger https://www.elastic.co/guide/en/kibana/5.5/xpack-grokdebugger.html

I think I used this as well https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html
(does not help with Grok patterns though)

-t, --config.test_and_exit
Check configuration for valid syntax and then exit. Note that grok patterns are not checked for correctness with this flag. Logstash can read multiple config files from a directory. If you combine this flag with --log.level=debug, Logstash will log the combined config file, annotating each config block with the source file it came from.
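Since `-t` checks syntax but not grok patterns, here is a small pre-check of the kind one might run over a pipeline before pointing it at a new Logstash. It is an added example, not code from the thread or from Elastic: it pulls the `match` strings out of a filter config and flags unterminated `%{` references, malformed references, and pattern names not in a known set. Assumptions: the known-pattern set is a constructed subset of the core grok patterns, the config sample is constructed, and only the single-string `match => { "field" => "..." }` form with double quotes is parsed.

```python
import re

# Constructed subset of the core grok pattern names; a real install ships many more.
KNOWN_PATTERNS = {
    "IP", "IPORHOST", "HOSTNAME", "NUMBER", "WORD",
    "TIMESTAMP_ISO8601", "LOGLEVEL", "GREEDYDATA",
}

# A well-formed reference: %{PATTERN}, %{PATTERN:field} or %{PATTERN:field:int|float}
GROK_REF = re.compile(
    r"%\{([A-Za-z0-9_]+)(?::([A-Za-z0-9_@\[\].]+))?(?::(int|float))?\}"
)
# Loose form used to locate every terminated %{...} reference in a pattern
LOOSE_REF = re.compile(r"%\{[^}]*\}")
# Single-string match form: match => { "field" => "pattern" } (assumption: no arrays)
MATCH_STRING = re.compile(r'match\s*=>\s*\{\s*"[^"]+"\s*=>\s*"((?:[^"\\]|\\.)*)"')


def check_grok_pattern(pattern, known=KNOWN_PATTERNS):
    """Return a list of problems found in one grok pattern string (empty if clean)."""
    problems = []
    refs = LOOSE_REF.findall(pattern)
    # Every "%{" should have been closed by a "}"; otherwise something is unterminated.
    if len(refs) != pattern.count("%{"):
        problems.append("unterminated %{ reference")
    for ref in refs:
        m = GROK_REF.fullmatch(ref)
        if m is None:
            problems.append(f"malformed reference {ref}")
        elif m.group(1) not in known:
            problems.append(f"unknown pattern {m.group(1)}")
    return problems


def check_config(config_text, known=KNOWN_PATTERNS):
    """Return [(pattern, problems), ...] for each grok match string in the config."""
    return [(p, check_grok_pattern(p, known)) for p in MATCH_STRING.findall(config_text)]


# Constructed filter config: the first grok is fine, the second has two defects.
SAMPLE_CONFIG = '''
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{GREEDYDATA:msg}" }
  }
  grok {
    match => { "message" => "%{IPORHOST:client} %{MYAPP_ID:id} %{GREEDYDATA" }
  }
}
'''

if __name__ == "__main__":
    for pattern, problems in check_config(SAMPLE_CONFIG):
        print(pattern, "->", problems or "ok")
```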


You mentioned X-Pack. I think it needs a license; it's not free, right?

Some of the features in X-Pack do require a subscription, but there is also a free Basic license available. The features included in this are shown on the Subscriptions page.

