forked from spujadas/elk-docker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathUPGRADE_TO_8.txt
38 lines (33 loc) · 2.02 KB
/
UPGRADE_TO_8.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Read these
Check upgrade assistant
Changes on develop branch are for 8
https://www.elastic.co/guide/en/elastic-stack/current/index.html
https://www.elastic.co/guide/en/elastic-stack/current/upgrading-elastic-stack.html#prepare-to-upgrade
https://www.elastic.co/guide/en/elasticsearch/reference/8.2/migrating-8.0.html
https://www.elastic.co/guide/en/elasticsearch/reference/8.2/rest-api-compatibility.html
Practicing on ELK2
- Stack Management -> Upgrade Assistant -> Migrate system indices
- Elasticsearch critical errors:
--Update or remove the following index templates before upgrading to 8.0:
.marvel-es-1 DELETE _template/.marvel-es-1
.marvel-es-data-1
.watch-history-6
.watch-history-7
.watch-history-no-ilm-10
.watch-history-no-ilm-11
-- Remove the [xpack.monitoring.collection.enabled] setting [REMOVE from elasticsearch.yml]
-- Set [cluster.routing.allocation.disk.watermark.enable_for_single_data_node] to [true] to adopt the future behavior before upgrading.
-- Remove the [xpack.monitoring.collection.interval] setting.
- Keebler Errors
-- Remove "xpack.security.enabled" from kibana.yml.
-- Set "xpack.security.enabled" to true or false in elasticsearch.yml to enable or disable security.
-- Replace "xpack.monitoring.min_interval_seconds" with "monitoring.ui.min_interval_seconds" in the Kibana config file
-- Setting "xpack.monitoring" has been replaced by "monitoring".
-- Set "xpack.reporting.roles.enabled" to "false" in kibana.yml.
-- There's a "Quick Resolve" for the last one
Logs are not indexing. And they are going to ecs-logstash-*.
https://opster.com/guides/elasticsearch/data-architecture/index-composable-templates/
https://www.elastic.co/guide/en/elasticsearch/reference/current//index-templates.html
https://www.elastic.co/guide/en/ecs/8.3/ecs-field-reference.html
user is breaking, it's now an object. maybe transform to user.id? or userid?
All of this is fixed by setting "ecs_compatibility => disabled" in the logstash plugins: lumberjack and output.