Upgrading Graylog 2.2 to 2.3 adds another step, due to some changes to the way Graylog connects to the Elasticsearch cluster.
Update: this works the same for 2.4; just replace 2.3 with 2.4 in the repo URL. If you are already at 2.3 and want to go to 2.4, no other changes are needed in your Graylog yml.
This is all documented here.
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm
sudo yum clean all
sudo yum update
The gist of it is that all of the Elasticsearch settings in your existing graylogserver.conf file are no longer used. If you just do a flat upgrade and you use an external Elasticsearch cluster, your Graylog cluster will not function, as the new default is to look at localhost.
You will get a 500 every time you go to the search page or try to do any type of query that requires access to the index, if you use an external Elasticsearch cluster.
This is a welcome change, as I was never a fan of having Graylog connect to a non-master, non-data node on localhost on each Graylog node, which then connects to the actual Elasticsearch cluster.
Fortunately you only need to add one line to your graylogserver.conf: take the existing entries in elasticsearch_discovery_zen_ping_unicast_hosts, prefix each one with http:// and change the port to 9200.
#Elasticsearch nodes in graylog cluster
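As an added example (not from the original post), here is a small script that does the conversion described above: it reads the old elasticsearch_discovery_zen_ping_unicast_hosts entries out of a server config and emits the new elasticsearch_hosts line with http:// and port 9200. The key name elasticsearch_hosts is the Graylog 2.3+ setting, which the post does not spell out; the SAMPLE_CONF text and its host names are constructed for the demo.

```python
import re

# Constructed sample of a pre-2.3 server config (not the post's real file).
SAMPLE_CONF = """\
is_master = true
#Elasticsearch nodes in graylog cluster
elasticsearch_discovery_zen_ping_unicast_hosts = es1.example.internal:9300,es2.example.internal:9300, 10.0.0.3
elasticsearch_cluster_name = graylog
"""

ZEN_KEY = "elasticsearch_discovery_zen_ping_unicast_hosts"
HTTP_KEY = "elasticsearch_hosts"  # Graylog 2.3+ setting that replaces the zen ping list
HTTP_PORT = 9200                  # ES REST port; the old list used the 9300 transport port


def zen_hosts(conf_text):
    """Return the host[:port] entries from the old zen ping setting, or [] if absent.
    Commented-out lines (starting with #) never match the key, so they are ignored."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == ZEN_KEY:
            return [h.strip() for h in value.split(",") if h.strip()]
    return []


def to_http_url(entry, port=HTTP_PORT):
    """Convert 'host', 'host:9300' or '[v6addr]:9300' to 'http://host:9200'."""
    m = re.fullmatch(r"(\[[^\]]+\]|[^:]+)(?::\d+)?", entry.strip())
    if not m:
        raise ValueError("unparseable host entry: %r" % entry)
    return "http://%s:%d" % (m.group(1), port)


def elasticsearch_hosts_line(conf_text):
    """Build the single line to add to the config, or fail loudly if there is
    nothing to convert (so you notice instead of silently falling back to localhost)."""
    hosts = zen_hosts(conf_text)
    if not hosts:
        raise ValueError("%s not found; nothing to convert" % ZEN_KEY)
    return "%s = %s" % (HTTP_KEY, ",".join(to_http_url(h) for h in hosts))


if __name__ == "__main__":
    print(elasticsearch_hosts_line(SAMPLE_CONF))
```

Run it against your own file with the conf text read from disk, then paste the printed line under the comment shown above; the script does not modify the file itself.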
Restart Graylog and everything should start working:
systemctl restart graylog-server
To watch it happen: tail -75 /etc/graylog/server/graylogserver.log
The next post will be upgrading Elasticsearch, now that Graylog supports 5.x.
I finally got around to upgrading Elasticsearch to 5; Graylog 2.4 supports it and actually adds some cool features. Upgrade Elasticsearch from 2.4.6 to 5.6.8 for Graylog 2.4.3