Filebeat 7.12.1 unable to send the logs to opensearch 2.19.3

kirankalelkar · August 20, 2025, 11:00am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

filebeat version 7.12.1

opensearch version 2.19.3

os ubnutu 22.04 LTS

Describe the issue:

filebeat service always failed

getting below error while run filebeat manually

2025-08-20T16:19:58.371+0530    INFO    \[index-management\]      idxmgmt/std.go:184      Set output.elasticsearch.index to ‘filebeat-7.12.1’ as ILM is enabled.
2025-08-20T16:19:58.371+0530    WARN    \[cfgwarn\]       tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2025-08-20T16:19:58.373+0530    INFO    eslegclient/connection.go:99    elasticsearch url: https://127.0.0.1:16577
2025-08-20T16:19:58.373+0530    WARN    \[tls\]   tlscommon/tls_config.go:98      SSL/TLS verifications disabled.
2025-08-20T16:19:58.373+0530    INFO    \[publisher\]     pipeline/module.go:113  Beat name: test
runtime/cgo: pthread_create failed: Operation not permitted
SIGABRT: abort

Configuration:

filebeat.inputs:

* type: log
  enabled: true
  paths:
  * /var/log/data/\**/\*.*log
  * /var/log/data/\**/\**.json

processors:
  - add_fields:
      target: ''
      fields:
        type: "Fatt"
  - decode_json_fields:
      fields: ["message"]
      target: ""
      overwrite_keys: true

# Global processors

processors:

* add_host_metadata: \~
* add_cloud_metadata: \~

# Output to OpenSearch

output.elasticsearch:
hosts: \[“https://127.0.0.1:16577”\]
username: “admin”
password: “Av4t4r3d-i5n”
index: “filebeat-%{+yyyy.MM.dd}”

ssl.enabled: true
ssl.verification_mode: none  # Change to ‘full’ if using proper CA
ssl.certificate_authorities: \[“/etc/opensearch/root-ca.pem”\]
ssl.certificate: “/etc/opensearch/esnode.pem”
ssl.key: “/etc/opensearch/esnode-key.pem”

# Filebeat internal paths

path.data: /var/lib/filebeat
path.logs: /var/log/filebeat

# Template setup (disabled since you’re using OpenSearch)

setup.template.enabled: false

Relevant Logs or Screenshots:

pablo · August 20, 2025, 12:09pm

@kirankalelkar I’ve got the same behaviour on Ubuntu 24.04. It looks like related to the seccomp.

github.com/elastic/beats

Allow clone3 syscall in seccomp filters

master ← BlackYoup:seccomp-clone3

opened 09:38AM - 24 Sep 21 UTC

BlackYoup

+3 -0

## What does this PR do? This PR allows the `clone3` syscall to be used i…n the seccomp filters. `clone3` is a linux syscall that is now used by glibc starting version 2.34. It is used when `pthread_create()` gets called. Current seccomp filters do not allow this syscall leading to crashes like runtime/cgo: pthread_create failed: Operation not permitted See https://github.com/elastic/apm-server/issues/6238 for more details ## Why is it important? This is important because it can lead to crashes in softwares using libbeat as a dependency, as it does for apm-server. As soon as glibc 2.34 hits the mainstream distributions, this might become a more encountered problem. Usage of this syscall only requires a glibc update, meaning that binaries compiled before the glibc update will also be impacted. ## Checklist - [ ] My code follows the style guidelines of this project - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] I have made corresponding change to the default configuration files - [ ] I have added tests that prove my fix is effective or that my feature works - [x] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`. ## Author's Checklist - [ ] Should the syscall be allowed for ARM? ## How to test this PR locally I'm not too sure how to do that here. Any pointers would be greatly appreciated. Bare minimum is to have glibc 2.34 installed but I don't know how to trigger the bug directly from the beats project. ## Related issues - Relates https://github.com/elastic/apm-server/issues/6238 ## Use cases This PR allows an additional linux syscall, namely `clone3`, to be used to create new threads. ## Screenshots ## Logs

I’ve used this setting and filbeat worked at every run in both 22.04 and 24.04. I had no issues in Ubuntu 20.04

export FILEBEAT_SEC_COMP=false

According to the GitHub issue it should be fixed in 7.15 or 7.16. However, I understand that you’re connecting directly to OpenSearch and all versions above 7.13 will fail to connect due to version check.

The alternative is to use a newer version of the Filebeat with Logstash and Logstash OpenSearch output plugin.

kirankalelkar · August 20, 2025, 1:39pm

@pablo my requirement is send logs from filebeat to direct opensearch output without logstash.

pablo · August 27, 2025, 1:44pm

@kirankalelkar In that case, you need to try disabling seccomp or upgrading Ubuntu.

I’m not aware of any work regarding the OpenSearch output plugin for Beats.

Topic		Replies	Views
Throwing error starting filebeat on Ubuntu22 OpenSearch troubleshoot , install	5	625	February 6, 2024
Filebeat 7.12.0 log parsing issue to opensearch 3.0.0 OpenSearch troubleshoot	4	51	July 31, 2025
Which beats for ingesting logs from Linux server into Opensearch 3.1 OpenSearch configure , install	1	62	July 17, 2025
Filebeat 7.17 not connecting to OpenSearch OpenSearch	4	1107	October 6, 2023
Rare problem pthread_create failed with Filebeat-OSS Open Source Elasticsearch and Kibana	2	1551	November 26, 2023

Filebeat 7.12.1 unable to send the logs to opensearch 2.19.3

Related topics