ELK stack minor then major upgrade

Good morning!
I am working on upgrading my current one-node ELK stack cluster from 5.4.0 to 6.6.0 using the following sequence:

  • 5.4.0 → 5.6.0 (to obtain Kibana’s upgrade assistant)
  • 5.6.0 → 6.6.0 (to use the latest version 6 as is done in a different environment)

I have reached out to the ELK stack forum and have had all my ELK stack related questions answered.
I pretty much just have a couple of basic questions that I would like to have answered.

  • When going through the upgrade phases, should I upgrade SearchGuard to the relevant versions on every step or can I jump straight from 5.4.0 to 6.6.0?
  • Can the SG 5.4.0 work with ELK 5.6.0?

Any help would be greatly appreciated!

Elasticsearch mandates that plugins (and thus Search Guard as well) must be built for exactly the particular version of Elasticsearch. Thus, it won’t be possible to start ES 5.6.0 with a Search Guard plugin for ES 5.4.0.

Unfortunately, all Search Guard releases for ES 5 have already reached end-of-life and are thus not available any more. The best option for your migration would then be to temporarily remove the Search Guard plugin, upgrade to ES 5.6.0, do the necessary Kibana upgrade, then upgrade to ES 6 with Search Guard installed again.

Of course, you need to keep in mind that the ES cluster will be unprotected while Search Guard is disabled. You would need to protect it using other measures in this phase.

Another note: You wrote that you are going to upgrade to ES 6.6.0. Search Guard for ES 6.6.0 has also reached end-of-life; only Search Guard for ES 6.8.x is still actively supported.

Thank you Cliff for the detailed response and explanation.
I understand that SG for ES 6.6.0 has reached EoL, but we already have some infrastructure running ES 6.6.0 with SG 6.6.0 and have found no issues to date, so it should be fine.

One final question before I mark this as resolved: If I were to run with ES 5.6.0 without the SG plugin installed, would the existing SG indices cause issues in the ELK stack running?

No, the searchguard indices will be just normal indices then. However, be aware that these still contain sensitive data, so it is important to restrict access to the cluster using other means while Search Guard is disabled.

2 Likes
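
As an added example (not code from any poster in this thread or from the Search Guard project): a pre-flight check of `elasticsearch.yml` for the window in which the plugin is removed. It flags leftover `searchguard.*` settings, which Elasticsearch rejects at startup as unknown once the plugin is gone, and bind addresses that are not loopback. Assumptions: settings are written as flat dotted keys, loopback-only binding is just one possible "other measure", and the sample config is constructed.

```python
import ipaddress

# Constructed sample: a one-node elasticsearch.yml right after the Search Guard
# plugin was removed. All values are made up for illustration.
SAMPLE_YML = """\
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.enabled: true
#searchguard.authcz.admin_dn: commented out
"""
HOST_KEYS = ("network.host", "http.host", "transport.host")

def parse_flat_yml(text):
    # Handles 'dotted.key: value' lines only; nested YAML is out of scope (assumption).
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.split(" #")[0].strip().strip("'\"")
    return settings

def is_loopback(value):
    # True only if every address in a scalar or [a, b] list value is loopback.
    hosts = [h.strip().strip("'\"") for h in value.strip("[]").split(",") if h.strip()]
    for h in hosts:
        if h == "localhost" or h.startswith("_local"):
            continue
        try:
            ok = ipaddress.ip_address(h).is_loopback
        except ValueError:  # hostname or placeholder such as _site_
            ok = False
        if not ok:
            return False
    return True

def preflight(text):
    # Findings to clear before starting the node without Search Guard.
    settings = parse_flat_yml(text)
    findings = [("leftover-setting", k) for k in sorted(settings) if k.startswith("searchguard.")]
    for key in HOST_KEYS:
        if key in settings and not is_loopback(settings[key]):
            findings.append(("exposed-bind", f"{key}={settings[key]}"))
    return findings

if __name__ == "__main__":
    print(*preflight(SAMPLE_YML), sep="\n")
```

An empty result means the file has no leftover plugin settings and no explicit non-loopback bind; firewall rules and the Kibana side still need checking separately.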

Perfect! Thank you for your quick assistance on this!
