FreeBSD package management recently updated their Graylog package from 3.3.0 to 4.0.5 with enterprise plugins! This article is as-of April 2021 and you should upgrade your FreeBSD os or Jail version to 12.2 and upgrade your packages (see below).
[rich@graylog ~]$ uname -a FreeBSD graylog 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 f2858df162b(HEAD) TRUENAS amd64 [rich@graylog ~]$ sudo pkg update Password: Updating FreeBSD repository catalogue... [graylog] Fetching packagesite.txz: 100% 6 MiB 3.3MB/s 00:02 Processing entries: 100% FreeBSD repository update completed. 30499 packages processed. All repositories are up to date. [rich@graylog ~]$ pkg search graylog graylog-4.0.5_2 Tool for centralized log collection [rich@graylog ~] sudo pkg install graylog
Now Graylog software is written in Java and distributed as JAR (Java ARchive) files so you really don’t need to wait for FreeBSD packaging to upgrade your server. In fact, just a few weeks before I wrote this I had upgraded the server manually by downloading the latest Graylog Jars from graylog.org website and putting them in the appropriate server directory. This works but was very manual and could be prone to error. The FreeBSD package automates everything and makes it simple I will not discuss my manual upgrade process and suggest to you to just use the official package noted above (v4.0.5). I even applied the FreeBSD package over my manual upgrade and it handled everything gracefully (by backing up the jars I placed as .prev versions).
There are numerous enhancements to Graylog and the software pkg upgrade process was relatively straight forward. PLEASE NOTE that I had to upgrade Elasticsearch to either version 6 or 7 (I was on version 5). This is noted in the FreeBSD graylog-4.0.5_2 pkg release notes that you must upgrade Elasticsearch (it doesn’t tell you how).
If you attempt to start the graylog service on your FreeBSD instance without first upgrading Elasticsearch and you are running version 5 or below then the web interface will fail to start and the graylog server will repeatedly log an error connecting to Elasticsearch.
If you have data in your Elasticsearch version 5 instance and you use FreeBSD package manager to install elasticsearch6 then it will upgrade the binaries and remove the elesticsearch5 package. It left the data intact in my experiance and I had to do a bit of editing of the elasticsearch config yaml file to start the new elasticsearch6 instance. The edits were very minor. I essentially had my old version 5 yaml config file up and diffed it against the new version 6 example and updated accordingly. I didn’t take notes of my edits but again they were version small.
You may also need to update your graylog config xml file although your mileage might vary. The connection details to elasticsearch changes slightly from my version 5 to version 6 so I had to edit in graylog config.
I restarted the graylog service again and tailed the /var/log/graylog/server.log to verify that it successfully restarted. I was able to login again to the web interface and verified none of my data was lost and that my graylog server was healthy. I took an immediate archive of the data to compressed gzip tar file just in case. The reader will note I took a backup after the upgrade not before… I should have taken a backup before if I was being truly risk averse as a rollback option. tsk, tsk on me…
New Graylog Features of Note
Dark Interface Mode
Slack & Discord Notification Support (I’ve discussed Discord Notifications in another post)