Upgrade from Search Guard 7 to 8
Upgrading Search Guard from 7.7.x to 8.x.x can be done while you upgrade Elasticsearch from 7.17.x to 8.x.x. You can do this either by performing a full cluster restart or by doing a rolling restart.
Search Guard supports running a mixed cluster of 7.7.x and 8.x.x nodes and is thus compatible with the Elasticsearch upgrade path.
If you have not already done so, familiarize yourself with Elastic's own upgrade instructions for the Elastic Stack.
Review breaking changes
- Breaking Changes in Elasticsearch 8
- No breaking changes in Search Guard FLX for Elasticsearch 8, but please refer to the Notes and Troubleshooting section below
To perform an upgrade from 7.x to 8.x, you need to run at least:
- Elasticsearch 7.17.x (Elasticsearch requirement)
- Search Guard FLX 1.0.0 (Search Guard requirement)
- Upgrading from Search Guard classic (i.e., Search Guard versions 53 and before) is not supported
If you run older versions of Elasticsearch and/or Search Guard, please upgrade first.
Upgrading Search Guard
Upgrading from Search Guard 7 classic (i.e., Search Guard versions 53 and before) is not supported. You first need to migrate Search Guard classic to Search Guard FLX.
No changes in elasticsearch.yml are required.
Kibana should be upgraded after the Elasticsearch / Search Guard upgrade is completed. Just install the correct version of the Search Guard plugin to Kibana.
The following changes in kibana.yml are required:
- Remove the xpack.spaces.enabled property if present
- Remove the xpack.ml.enabled property if present
- Remove the xpack.apm.enabled property if present
- Remove the xpack.graph.enabled property if present
- Remove the xpack.monitoring.enabled property if present
- Add security.showInsecureClusterWarning: false if not already present
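The kibana.yml conditions listed above can be checked before restarting Kibana. The following is an added example, not part of the Search Guard documentation: it reports which of the listed xpack.*.enabled properties are present and whether security.showInsecureClusterWarning is set to false. The function names, the simplified YAML handling (mappings only, flat or nested) and the sample file are assumptions made for illustration.

```python
import re

# Properties the page lists with "if present", and the one listed with "if not already present".
LISTED_IF_PRESENT = [
    "xpack.spaces.enabled", "xpack.ml.enabled", "xpack.apm.enabled",
    "xpack.graph.enabled", "xpack.monitoring.enabled",
]
REQUIRED = ("security.showInsecureClusterWarning", "false")

def flatten_yaml(text):
    """Flatten simple YAML mappings (flat dotted keys or nested blocks) into
    {dotted.key: value}. Lists, anchors and multi-line scalars are not handled."""
    settings, stack = {}, []  # stack holds (indent, key) of the open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing and indented comments
        m = re.match(r"^(\s*)([^\s#:-][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:  # leave blocks that have ended
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key])
        if value:
            settings[dotted] = value.strip("'\"")
        else:
            stack.append((indent, key))  # "key:" with no value opens a nested block
    return settings

def check_kibana_yml(text):
    """Return (present, required_ok): the listed xpack.*.enabled keys found in the
    file, and whether security.showInsecureClusterWarning is set to false."""
    settings = flatten_yaml(text)
    present = [k for k in LISTED_IF_PRESENT if k in settings]
    required_ok = settings.get(REQUIRED[0], "").lower() == REQUIRED[1]
    return present, required_ok

# Constructed sample kibana.yml (not from a real deployment).
SAMPLE = """\
xpack.spaces.enabled: false
xpack:
  ml:
    enabled: true
  # monitoring.enabled: false
elasticsearch.hosts: ["https://localhost:9200"]
"""

if __name__ == "__main__":
    print(check_kibana_yml(SAMPLE))
```

An empty list together with True means the file already satisfies every item in the list above.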
Important Notes and Troubleshooting
Expected warnings or log messages
- In Kibana, you can ignore all warnings and errors in the logs which originate from
- In case you get an org.elasticsearch.ElasticsearchSecurityException which complains about "invalid configuration for xpack.security ... is not set, but the following settings have been configured in elasticsearch.yml: ...", please remove the elasticsearch.keystore file in the config/ folder and restart the node.
Legacy ldap module removed
- The original implementation of the legacy ldap authentication and authorization backend was removed in Search Guard FLX for Elasticsearch 8. It was replaced with another implementation which should behave exactly like the original one. In case you use the legacy ldap authentication or authorization backend and experience any issues, please contact us via the support portal or through the community support forum.
Running in mixed mode: Limitations
Elasticsearch and Search Guard support running your cluster in mixed mode, that is, with both 7.17.x and 8.x nodes. This makes it possible to upgrade via rolling restart.
Running a cluster in mixed mode should only be done while upgrading from 7 to 8. It’s not supposed to be a permanent situation and you should aim to minimize the duration where a mixed cluster exists.
While running in mixed mode, the following limitations apply:
- X-Pack monitoring might return incorrect values or throw exceptions, which you can safely ignore.