Beats compatibility as of OpenSearch 2.0?

tlacuache · June 1, 2022, 2:07pm

The Agents and ingestion tools site says:

The override main response setting compatibility.override_main_response_version is deprecated from OpenSearch version 1.x and removed from OpenSearch 2.0.0. This setting is no longer supported for compatibility with legacy clients.

And the compatibility matrix for beats doesn’t have a row for OpenSearch v2.0. In my current testing filebeat OSS 7.10.2 will not work with opensearch 2.0 (attempting to connect to Elasticsearch version 2.0.0).

Is there no longer a way to use the legacy beats with opensearch as of v2.0.0?

Thanks.

tlacuache · June 1, 2022, 2:13pm

To be more specific, where it fails now is:

2022-06-01T14:10:08.825Z        INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 2.0.0
2022-06-01T14:10:08.876Z        INFO    template/load.go:117    Try loading template filebeat-7.10.2 to Elasticsearch
2022-06-01T14:10:10.596Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(elasticsearch(http://opensearch:9200)): Connection marked as failed because the onConnect callback failed: error loading template: could not load template. Elasticsearch returned: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"Root mapping definition has unsupported parameters: 
...

Then it dumps out the template. In my case I’m trying to use OSS filebeat 7.10.2 with the nginx module. It worked with OpenSearch v1.3.x with the compatibility.override_main_response_version setting.

tlacuache · June 1, 2022, 2:20pm

Disabling loading templates:

2022-06-01T14:19:03.008Z	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(http://opensearch:9200)): Connection marked as failed because the onConnect callback failed: 1 error: Error loading pipeline for fileset nginx/access: failed to adapt pipeline for ECS compatibility: user_agent processor requires option 'ecs: true', but Elasticsearch {2.0.0 2 0 0 } does not support this option (Elasticsearch 6.7.0 or newer is required)

jdbright · June 2, 2022, 5:54pm

Thank you @tlacuache for reporting the issue. I’ll have the team review on our side.

tlacuache · June 2, 2022, 6:08pm

Thanks! In the meantime I think I’ll look at having the beats output to Logstash OSS and then to opensearch via the Logstash OpenSearch output plugin rather than OS directly as I think that’s another path forward.

jdbright · June 6, 2022, 8:31pm

Quick update.

The team has a compatibility model fix in the works which you can track. Having said that, pointing agents to an aggregator ahead of pushing it to OpenSearch is the right model as it reduces the amount of total connections pointing directly at OpenSearch.

Thank you for raising the concern @tlacuache. Much appreciated.

jdbright · June 17, 2022, 9:46pm

Another update @tlacuache, the fix for Beats compatibility mode was deployed yesterday.

Topic		Replies	Views
Setup issue for Filebeat OSS General Feedback	4	1971	October 15, 2021
Filebeat configuration with open distro for Elasticsearch Open Source Elasticsearch and Kibana	8	1332	August 11, 2023
Do the Elastic Beats work with Opensearch 2.4.1? OpenSearch all-clients	4	458	January 26, 2023
Exiting: Error importing Kibana dashboards: Kibana API is not available in Kibana version 2.4.1 OpenSearch	5	795	January 29, 2023
Error when installing beat to opensearch dashboard Reporting Plugin troubleshoot , configure , install	2	598	December 20, 2022

Beats compatibility as of OpenSearch 2.0?

Related Topics